Jump to content

Recommended Posts

Posted

Hello, I would be grateful for any help and advise.

 

I run a pc and two lap tops, i am currently using my main lap top.

 

Last week our on line bank accounts were hacked and monies sent from them to spurious accounts, we stopped this in time.

 

I have been advised that I may have a key logger.

 

Having googled this problem I have down loaded Hijackthis (as it seems to be a popular solution).

 

here are the log results... do they mean anything to you? Can you offer a solution?

 

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 00:51:16, on 01/03/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kontiki\KService.exe

C:\WINDOWS\system32\nvsvc32.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Genesys PC Camera Device\GenePccMon.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\PROGRA~1\MICROS~2\rapimgr.exe

C:\Program Files\My Book\WD Backup\uBBMonitor.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, Messenger, Unterhaltung, Nachrichten, Sport, Jobs, Immobilien und mehr bei MSN AT

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, Messenger, Unterhaltung, Nachrichten, Sport, Jobs, Immobilien und mehr bei MSN AT

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [GenePccMon.exe] C:\Program Files\Genesys PC Camera Device\GenePccMon.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [identityPatrol] C:\Program Files\IdentityPatrol\IdentityPatrol.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab

O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.pitchero.com/profile/ImageUploader5.cab

O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Update Service (gupdate1c98cfde1ebe9de) (gupdate1c98cfde1ebe9de) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 12987 bytes

  • Replies 26
  • Created
  • Last Reply

Top Posters In This Topic

Posted

Hi thingameejig and welcome to Free Pc Help,

 

Unfortunately Hjt isn't as good now as it once was, we need to get a lot more information.

 

Step 1

Please download DeFogger to your desktop.

 

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

 

Do not re-enable these drivers until otherwise instructed.

 

Step 2

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
     
    http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
     
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

 

Step 3

  • Download OTL to your desktop.
    if you have problems, try this download link:
    OTL
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check

.

 

.

http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png


    Now copy the lines in the codebox below.
    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT
    

  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
     
    http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
    .
  • Click the Run Scan button.
     
    http://img.photobucket.com/albums/v708/starbuck50/runscan.png
     
  • Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

 

In your next reply, please submit:

Gmer.Log

Both reports from OTL

 

Thanks

Member of:

UNITE

Posted

gmer results

 

gmer results

 

GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover

Rootkit scan 2010-03-01 13:27:50

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\Stuart\LOCALS~1\Temp\ugliafog.sys

 

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6DA26B8]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB6DA2574]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB6DA2A52]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB6DA214C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB6DA264E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB6DA208C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB6DA20F0]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB6DA276E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB6DA272E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB6DA28AE]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB95B0360, 0x3061D7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\WINDOWS\system32\SearchIndexer.exe[3192] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[936] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00600002

IAT C:\WINDOWS\system32\services.exe[936] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00600000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060d01536

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060d01536@001fe43369ac 0x95 0xCF 0x25 0xEF ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060d16239

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060d01536 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060d01536@001fe43369ac 0x95 0xCF 0x25 0xEF ...

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060d16239 (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR

Disk \Device\Harddisk0\DR0 sector 02: copy of MBR

Disk \Device\Harddisk0\DR0 sector 03: copy of MBR

Disk \Device\Harddisk0\DR0 sector 04: copy of MBR

Disk \Device\Harddisk0\DR0 sector 05: copy of MBR

Disk \Device\Harddisk0\DR0 sector 06: copy of MBR

Disk \Device\Harddisk0\DR0 sector 07: copy of MBR

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

Disk \Device\Harddisk0\DR0 sector 09: copy of MBR

Disk \Device\Harddisk0\DR0 sector 10: copy of MBR

Disk \Device\Harddisk0\DR0 sector 11: copy of MBR

Disk \Device\Harddisk0\DR0 sector 12: copy of MBR

Disk \Device\Harddisk0\DR0 sector 13: copy of MBR

Disk \Device\Harddisk0\DR0 sector 14: copy of MBR

Disk \Device\Harddisk0\DR0 sector 15: copy of MBR

Disk \Device\Harddisk0\DR0 sector 16: copy of MBR

Disk \Device\Harddisk0\DR0 sector 17: copy of MBR

Disk \Device\Harddisk0\DR0 sector 18: copy of MBR

Disk \Device\Harddisk0\DR0 sector 19: copy of MBR

Disk \Device\Harddisk0\DR0 sector 20: copy of MBR

Disk \Device\Harddisk0\DR0 sector 21: copy of MBR

Disk \Device\Harddisk0\DR0 sector 22: copy of MBR

Disk \Device\Harddisk0\DR0 sector 23: copy of MBR

Disk \Device\Harddisk0\DR0 sector 24: copy of MBR

Disk \Device\Harddisk0\DR0 sector 25: copy of MBR

Disk \Device\Harddisk0\DR0 sector 26: copy of MBR

Disk \Device\Harddisk0\DR0 sector 27: copy of MBR

Disk \Device\Harddisk0\DR0 sector 28: copy of MBR

Disk \Device\Harddisk0\DR0 sector 29: copy of MBR

Disk \Device\Harddisk0\DR0 sector 30: copy of MBR

Disk \Device\Harddisk0\DR0 sector 31: copy of MBR

Disk \Device\Harddisk0\DR0 sector 32: copy of MBR

Disk \Device\Harddisk0\DR0 sector 33: copy of MBR

Disk \Device\Harddisk0\DR0 sector 34: copy of MBR

Disk \Device\Harddisk0\DR0 sector 35: copy of MBR

Disk \Device\Harddisk0\DR0 sector 36: copy of MBR

Disk \Device\Harddisk0\DR0 sector 37: copy of MBR

Disk \Device\Harddisk0\DR0 sector 38: copy of MBR

Disk \Device\Harddisk0\DR0 sector 39: copy of MBR

Disk \Device\Harddisk0\DR0 sector 40: copy of MBR

Disk \Device\Harddisk0\DR0 sector 41: copy of MBR

Disk \Device\Harddisk0\DR0 sector 42: copy of MBR

Disk \Device\Harddisk0\DR0 sector 43: copy of MBR

Disk \Device\Harddisk0\DR0 sector 44: copy of MBR

Disk \Device\Harddisk0\DR0 sector 45: copy of MBR

Disk \Device\Harddisk0\DR0 sector 46: copy of MBR

Disk \Device\Harddisk0\DR0 sector 47: copy of MBR

Disk \Device\Harddisk0\DR0 sector 48: copy of MBR

Disk \Device\Harddisk0\DR0 sector 49: copy of MBR

Disk \Device\Harddisk0\DR0 sector 50: copy of MBR

Disk \Device\Harddisk0\DR0 sector 51: copy of MBR

Disk \Device\Harddisk0\DR0 sector 52: copy of MBR

Disk \Device\Harddisk0\DR0 sector 53: copy of MBR

Disk \Device\Harddisk0\DR0 sector 54: copy of MBR

Disk \Device\Harddisk0\DR0 sector 55: copy of MBR

Disk \Device\Harddisk0\DR0 sector 56: copy of MBR

Disk \Device\Harddisk0\DR0 sector 57: copy of MBR

Disk \Device\Harddisk0\DR0 sector 58: copy of MBR

Disk \Device\Harddisk0\DR0 sector 59: copy of MBR

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

Disk \Device\Harddisk0\DR0 sector 61: copy of MBR

Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

Posted

OTL report

 

OTL logfile created on: 01/03/2010 14:26:36 - Run 1

OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Stuart\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

 

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free

5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.88 Gb Total Space | 164.54 Gb Free Space | 70.66% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

 

Computer Name: EXTREMEPAD

Current User Name: Stuart

Logged in as Administrator.

 

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

 

========== Processes (SafeList) ==========

 

PRC - C:\Documents and Settings\Stuart\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)

PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)

PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)

PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)

PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)

PRC - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (TomTom)

PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)

PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)

PRC - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)

PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

PRC - C:\Program Files\Kontiki\KService.exe (Kontiki Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)

PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE (HP)

PRC - C:\Program Files\Genesys PC Camera Device\GenePccMon.exe ()

PRC - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)

PRC - C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe (Nero AG)

PRC - C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)

PRC - C:\Program Files\Microsoft ActiveSync\rapimgr.exe (Microsoft Corporation)

PRC - C:\WINDOWS\system32\wbem\unsecapp.exe (Microsoft Corporation)

PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)

PRC - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)

 

 

========== Modules (SafeList) ==========

 

MOD - C:\Documents and Settings\Stuart\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\Program Files\Alwil Software\Avast4\AhJsctNs.dll (ALWIL Software)

MOD - C:\WINDOWS\AppPatch\aclayers.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\shimeng.dll (Microsoft Corporation)

 

 

========== Win32 Services (SafeList) ==========

 

SRV - (GoogleDesktopManager-110309-193829) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)

SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)

SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)

SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)

SRV - (aswUpdSv) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)

SRV - (TomTomHOMEService) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (TomTom)

SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)

SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)

SRV - (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)

SRV - (SQLWriter) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)

SRV - (SQLBrowser) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)

SRV - (MSSQLServerADHelper) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe (Microsoft Corporation)

SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

SRV - (KService) -- C:\Program Files\Kontiki\KService.exe (Kontiki Inc.)

SRV - (BcmSqlStartupSvc) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)

SRV - (WLSetupSvc) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)

SRV - (usnjsvc) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)

SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE (HP)

SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)

SRV - (HP Port Resolver) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE (Hewlett-Packard Company)

SRV - (HP Status Server) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE (Hewlett-Packard Company)

 

 

========== Driver Services (SafeList) ==========

 

DRV - (aswMon2) -- C:\WINDOWS\system32\drivers\aswmon2.sys (ALWIL Software)

DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (ALWIL Software)

DRV - (aswFsBlk) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys (ALWIL Software)

DRV - (aswTdi) -- C:\WINDOWS\system32\drivers\aswTdi.sys (ALWIL Software)

DRV - (aswRdr) -- C:\WINDOWS\system32\drivers\aswRdr.sys (ALWIL Software)

DRV - (Aavmker4) -- C:\WINDOWS\system32\drivers\aavmker4.sys (ALWIL Software)

DRV - (USBAAPL) -- C:\WINDOWS\system32\drivers\usbaapl.sys (Apple, Inc.)

DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)

DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)

DRV - (usb_rndisx) -- C:\WINDOWS\system32\drivers\usb8023x.sys (Microsoft Corporation)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)

DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

DRV - (RTSTOR) -- C:\WINDOWS\system32\drivers\RTSTOR.sys (Realtek Semiconductor Corp.)

DRV - (DCamUSBGene) -- C:\WINDOWS\system32\drivers\USBGENE.sys (Genesys Logic, Inc.)

DRV - (s117obex) -- C:\WINDOWS\system32\drivers\s117obex.sys (MCCI Corporation)

DRV - (s117mdm) -- C:\WINDOWS\system32\drivers\s117mdm.sys (MCCI Corporation)

DRV - (s117mgmt) Sony Ericsson Device 117 USB WMC Device Management Drivers (WDM) -- C:\WINDOWS\system32\drivers\s117mgmt.sys (MCCI Corporation)

DRV - (s117unic) Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (WDM) -- C:\WINDOWS\system32\drivers\s117unic.sys (MCCI Corporation)

DRV - (s117nd5) Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (NDIS) -- C:\WINDOWS\system32\drivers\s117nd5.sys (MCCI Corporation)

DRV - (s117mdfl) -- C:\WINDOWS\system32\drivers\s117mdfl.sys (MCCI Corporation)

DRV - (s117bus) Sony Ericsson Device 117 driver (WDM) -- C:\WINDOWS\system32\drivers\s117bus.sys (MCCI Corporation)

DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )

DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)

DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)

DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)

DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)

DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)

DRV - (mdmxsdk) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys (Conexant)

DRV - (UIUSys) -- C:\WINDOWS\system32\drivers\UIUSYS.SYS (Conexant Systems, Inc)

DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)

DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)

DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)

DRV - (StillCam) -- C:\WINDOWS\system32\drivers\serscan.sys (Microsoft Corporation)

 

 

========== Standard Registry (SafeList) ==========

 

 

========== Internet Explorer ==========

 

 

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = Bing [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

 

========== FireFox ==========

 

FF - prefs.js..browser.startup.homepage: "Sign In"

FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19

FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.2.20080717

 

 

FF - HKLM\software\mozilla\Firefox\extensions\\{8EFF74B6-7518-4FF3-B5AA-09FFE4CF82B3}: C:\Documents and Settings\Stuart\Local Settings\Application Data\{8EFF74B6-7518-4FF3-B5AA-09FFE4CF82B3} [2010/01/15 10:36:58 | 000,000,000 | ---D | M]

 

[2009/01/26 14:57:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Mozilla\Extensions

[2009/01/26 14:57:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Mozilla\Extensions\home2@tomtom.com

[2009/01/11 17:39:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Mozilla\Firefox\Profiles\v594u440.default\extensions

[2008/11/28 08:16:45 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Stuart\Application Data\Mozilla\Firefox\Profiles\v594u440.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

[2008/04/06 21:48:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Mozilla\Firefox\Profiles\v594u440.default\extensions\Access Privileges Test

[2008/03/26 22:20:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Mozilla\Firefox\Profiles\v594u440.default\extensions\en-GB@dictionaries.addons.mozilla.org

[2009/01/11 18:36:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2007/12/19 12:57:38 | 000,310,272 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

[2008/03/24 19:21:00 | 002,889,088 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll

 

O1 HOSTS File: ([2009/08/14 10:31:37 | 000,001,090 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 208.67.70.3

O1 - Hosts: 127.0.0.1 38.99.150.167

O1 - Hosts: 127.0.0.1 38.99.150.205

O1 - Hosts: 127.0.0.1 88.255.90.60

O1 - Hosts: 127.0.0.1 opal.spod.org

O1 - Hosts: 127.0.0.1 sendspace.com

O1 - Hosts: 127.0.0.1 ad1.ny.yieldmanager.com

O1 - Hosts: 127.0.0.1 ad2.ny.yieldmanager.com

O1 - Hosts: 127.0.0.1 ny.yieldmanager.com

O1 - Hosts: 127.0.0.1 yieldmanager.com

O1 - Hosts: 127.0.0.1 193.165.167.2

O1 - Hosts: 127.0.0.1 152.66.249.135

O1 - Hosts: 192.168.1.72 HP0019BBE9D69E

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)

O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)

O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.

O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.)

O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)

O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)

O4 - HKLM..\Run: [GenePccMon.exe] C:\Program Files\Genesys PC Camera Device\GenePccMon.exe ()

O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)

O4 - HKLM..\Run: [identityPatrol] C:\Program Files\IdentityPatrol\IdentityPatrol.exe (Identity Patrol)

O4 - HKLM..\Run: [iSUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)

O4 - HKLM..\Run: [iSUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)

O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)

O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)

O4 - HKCU..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit UK)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe (ArcSoft, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)

O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)

O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/FacebookPhotoUploader3.cab (Facebook Photo Uploader 4 Control)

O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://www.pitchero.com/profile/ImageUploader5.cab (Image Uploader Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}

Posted

OTL report continued

 

http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab (EPUImageControl Class)

O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18 - Protocol\Handler\intu-res {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll ()

O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\Stuart\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Stuart\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010/01/16 03:36:33 | 000,000,025 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O33 - MountPoints2\{7dcf3ec0-0136-11df-8744-001060d01536}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe -- File not found

O33 - MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\Shell - "" = AutoRun

O33 - MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

O35 - comfile [open] -- "%1" %*

O35 - exefile [open] -- "%1" %*

 

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/01/08 11:46:07 | 000,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found

 

MsConfig - State: "system.ini" - 0

MsConfig - State: "win.ini" - 0

MsConfig - State: "bootini" - 0

MsConfig - State: "services" - 0

MsConfig - State: "startup" - 0

 

CREATERESTOREPOINT

Restore point Set: OTL Restore Point (72342462038802432)

 

========== Files/Folders - Created Within 30 Days ==========

 

[2010/03/01 14:21:01 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Stuart\Desktop\OTL.exe

[2010/03/01 00:49:46 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro

[2010/02/25 13:09:59 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\browserchoice.exe

[2010/02/22 22:22:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\InstallShield

[2010/02/22 22:22:47 | 000,000,000 | ---D | C] -- C:\Program Files\CA Design

[2010/02/19 21:30:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2010/02/19 21:26:39 | 000,017,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll

[2010/02/14 20:47:18 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes

[2010/02/14 20:44:07 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime

[2009/09/23 06:22:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2009/02/13 06:44:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google

[2009/02/12 10:37:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

[2009/01/11 11:11:38 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2009/01/11 11:11:38 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[2008/02/05 15:43:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple

[2008/01/09 18:40:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe

[2006/02/19 03:28:56 | 000,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll

[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

 

========== Files - Modified Within 30 Days ==========

 

[2010/03/01 14:29:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/03/01 14:21:05 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stuart\Desktop\OTL.exe

[2010/03/01 14:02:40 | 000,002,519 | ---- | M] () -- C:\WINDOWS\System32\sk_bho.ini

[2010/03/01 14:02:04 | 000,013,672 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/03/01 14:00:31 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job

[2010/03/01 14:00:03 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/03/01 14:00:01 | 000,000,256 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

[2010/03/01 14:00:01 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/03/01 13:59:51 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/03/01 12:17:37 | 001,002,044 | ---- | M] () -- C:\WINDOWS\System32\IDPExe.zip

[2010/03/01 12:17:37 | 000,000,076 | ---- | M] () -- C:\WINDOWS\System32\IDPVer.ini

[2010/03/01 12:17:27 | 001,669,117 | ---- | M] () -- C:\WINDOWS\System32\IDPSig.zip

[2010/03/01 12:13:34 | 012,058,624 | -H-- | M] () -- C:\Documents and Settings\Stuart\NTUSER.DAT

[2010/03/01 12:13:10 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Stuart\ntuser.ini

[2010/03/01 12:11:58 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Stuart\defogger_reenable

[2010/03/01 11:32:08 | 000,000,036 | ---- | M] () -- C:\WINDOWS\System32\10001.sks

[2010/03/01 11:32:08 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\10004.sks

[2010/03/01 11:32:08 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\10003.sks

[2010/03/01 11:32:08 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\10002.sks

[2010/03/01 09:19:27 | 000,002,380 | ---- | M] () -- C:\WINDOWS\System32\BlockedCookies

[2010/03/01 00:50:27 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\Stuart\Desktop\HiJackThis.lnk

[2010/03/01 00:03:47 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{5A6F850F-0EEA-403D-B358-444B4AA78D53}.job

[2010/02/26 07:06:27 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk

[2010/02/24 07:52:48 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/02/23 18:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2010/02/22 22:22:53 | 000,001,824 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CADwizz Ultra.lnk

[2010/02/21 22:36:22 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm

[2010/02/21 22:36:22 | 000,000,232 | -H-- | M] () -- C:\sqmdata09.sqm

[2010/02/19 21:39:54 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2010/02/19 21:26:21 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb

[2010/02/19 21:26:21 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb

[2010/02/19 00:29:07 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

[2010/02/18 15:37:45 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm

[2010/02/18 15:37:45 | 000,000,232 | -H-- | M] () -- C:\sqmdata08.sqm

[2010/02/18 14:57:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2010/02/17 16:16:44 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm

[2010/02/17 16:16:44 | 000,000,232 | -H-- | M] () -- C:\sqmdata07.sqm

[2010/02/14 21:01:44 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/02/13 14:28:01 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk

[2010/02/12 10:03:03 | 000,293,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\browserchoice.exe

[2010/02/11 16:37:08 | 000,040,827 | ---- | M] () -- C:\Documents and Settings\Stuart\My Documents\Design Solutions UK Ltd.docx

[2010/02/09 14:33:04 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm

[2010/02/09 14:33:04 | 000,000,232 | -H-- | M] () -- C:\sqmdata06.sqm

[2010/02/04 22:47:12 | 000,000,232 | -H-- | M] () -- C:\sqmdata05.sqm

[2010/02/04 22:47:11 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm

[2010/02/02 14:35:08 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm

[2010/02/02 14:35:08 | 000,000,232 | -H-- | M] () -- C:\sqmdata04.sqm

[2010/02/02 10:57:12 | 000,000,007 | ---- | M] () -- C:\WINDOWS\sbacknt.bin

[2010/02/01 22:55:07 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm

[2010/02/01 22:55:07 | 000,000,232 | -H-- | M] () -- C:\sqmdata03.sqm

[2010/02/01 20:21:41 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm

[2010/02/01 20:21:41 | 000,000,232 | -H-- | M] () -- C:\sqmdata02.sqm

[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

 

========== Files Created - No Company Name ==========

 

[2010/03/01 12:18:03 | 000,622,113 | ---- | C] () -- C:\WINDOWS\System32\IDPList.dll

[2010/03/01 12:18:03 | 000,013,772 | ---- | C] () -- C:\WINDOWS\System32\IDPImmData.dll

[2010/03/01 12:18:02 | 000,000,162 | ---- | C] () -- C:\WINDOWS\System32\IDPCritProc.dll

[2010/03/01 12:17:37 | 001,002,044 | ---- | C] () -- C:\WINDOWS\System32\IDPExe.zip

[2010/03/01 12:17:27 | 001,669,117 | ---- | C] () -- C:\WINDOWS\System32\IDPSig.zip

[2010/03/01 12:11:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Stuart\defogger_reenable

[2010/03/01 00:49:46 | 000,002,443 | ---- | C] () -- C:\Documents and Settings\Stuart\Desktop\HiJackThis.lnk

[2010/02/26 07:06:27 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk

[2010/02/22 22:22:53 | 000,001,824 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CADwizz Ultra.lnk

[2010/02/19 21:30:09 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/02/14 20:48:11 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/02/13 14:28:01 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk

[2010/02/11 16:37:08 | 000,040,827 | ---- | C] () -- C:\Documents and Settings\Stuart\My Documents\Design Solutions UK Ltd.docx

[2010/01/16 02:04:05 | 000,000,042 | ---- | C] () -- C:\WINDOWS\System32\RegistryPatrolUpdates.ini

[2010/01/16 01:30:24 | 000,000,076 | ---- | C] () -- C:\WINDOWS\System32\IDPVer.ini

[2010/01/16 01:30:06 | 000,002,519 | ---- | C] () -- C:\WINDOWS\System32\sk_bho.ini

[2010/01/15 23:16:50 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\Stuart\Application Data\openList.awt

[2010/01/15 23:16:50 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\Stuart\Application Data\closedList.awt

[2010/01/15 15:00:43 | 000,000,089 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2010/01/15 10:33:35 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\mvhgkr.dat

[2010/01/08 21:50:22 | 000,171,080 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2009/08/31 14:00:22 | 000,021,504 | ---- | C] () -- C:\WINDOWS\System32\WBCustomizer.dll

[2009/08/31 14:00:21 | 000,185,344 | ---- | C] () -- C:\WINDOWS\System32\MemWarp.dll

[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll

[2009/01/09 16:52:12 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll

[2009/01/09 16:52:12 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll

[2009/01/09 16:52:12 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll

[2009/01/09 16:52:12 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll

[2008/03/26 20:07:12 | 000,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini

[2008/03/01 23:23:43 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\$_hpcst$.hpc

[2008/01/11 21:51:00 | 000,198,656 | ---- | C] () -- C:\Documents and Settings\Stuart\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/01/10 20:47:59 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2008/01/10 11:27:03 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI

[2008/01/09 22:54:22 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat

[2008/01/08 23:56:56 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Stuart\Application Data\$_hpcst$.hpc

[2008/01/08 21:31:47 | 000,000,191 | ---- | C] () -- C:\WINDOWS\WinHelp.ini

[2008/01/08 21:04:17 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Stuart\Local Settings\Application Data\fusioncache.dat

[2008/01/08 20:50:59 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll

[2008/01/08 20:50:45 | 000,000,166 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini

[2008/01/08 20:48:26 | 000,000,737 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini

[2008/01/08 20:35:50 | 000,001,400 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2008/01/08 12:50:04 | 000,515,328 | R--- | C] () -- C:\WINDOWS\System32\drivers\USBGENE1.sys

[2008/01/08 12:50:04 | 000,232,704 | R--- | C] () -- C:\WINDOWS\System32\drivers\USBGENE0.sys

[2007/11/20 13:32:41 | 000,025,964 | ---- | C] () -- C:\WINDOWS\System32\IDPSigLevel.dll

[2007/11/20 13:32:40 | 005,527,385 | ---- | C] () -- C:\WINDOWS\System32\IDPRSig.dll

[2007/11/20 13:32:39 | 004,985,733 | ---- | C] () -- C:\WINDOWS\System32\IDPFSig.dll

[2007/11/20 13:32:39 | 000,343,272 | ---- | C] () -- C:\WINDOWS\System32\IDPESig.dll

[2007/11/20 13:32:39 | 000,002,380 | ---- | C] () -- C:\WINDOWS\System32\IDPBlkCoo.dll

[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini

[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini

[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

[2007/09/06 09:55:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll

[2007/09/06 09:55:00 | 001,478,656 | ---- | C] () -- C:\WINDOWS\System32\nview.dll

[2007/09/06 09:55:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll

[2007/09/06 09:55:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll

[2006/02/28 12:00:00 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll

[2006/02/28 12:00:00 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll

[2006/02/28 12:00:00 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll

[2006/02/28 12:00:00 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll

[2006/02/28 12:00:00 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll

[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

Posted

OTL report continued

 

========== LOP Check ==========

 

[2008/03/14 00:44:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES

[2010/03/01 14:29:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kontiki

[2009/12/08 09:23:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound

[2010/01/11 09:42:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard

[2008/12/21 13:41:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sky

[2008/06/11 06:47:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony

[2010/01/15 17:28:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!

[2010/02/26 19:58:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2010/01/14 18:09:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom

[2009/03/12 10:35:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

[2009/09/10 14:11:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2009/04/09 17:05:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

[2010/01/15 19:37:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

[2009/09/22 13:10:26 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

[2009/12/08 09:23:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\NCH Swift Sound

[2009/01/09 16:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Simply Super Software

[2008/02/29 00:23:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\social.im

[2008/07/04 07:10:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Sony

[2009/01/26 14:57:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\TomTom

[2010/01/12 13:07:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\vghd

[2009/01/13 21:34:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Windows Desktop Search

[2009/03/18 11:03:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Windows Search

[2010/02/23 18:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

[2010/03/01 14:00:01 | 000,000,256 | ---- | M] () -- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job

[2010/03/01 00:03:47 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{5A6F850F-0EEA-403D-B358-444B4AA78D53}.job

 

========== Purity Check ==========

 

 

 

========== Custom Scans ==========

 

 

< %SYSTEMDRIVE%\*.exe >

 

 

< MD5 for: AGP440.SYS >

[2006/02/28 12:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

[2008/09/08 07:31:27 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

[2008/09/08 07:31:27 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys

[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys

[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

 

< MD5 for: ATAPI.SYS >

[2006/02/28 12:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys

[2008/09/08 07:31:27 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys

[2008/09/08 07:31:27 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys

[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys

[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

[2006/02/28 12:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

 

< MD5 for: EVENTLOG.DLL >

[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

[2006/02/28 12:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

 

< MD5 for: NETLOGON.DLL >

[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll

[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

[2006/02/28 12:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

 

< MD5 for: SCECLI.DLL >

[2006/02/28 12:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll

[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

 

< %systemroot%\*. /mp /s >

 

< %systemroot%\system32\*.dll /lockedfiles >

[2009/03/08 03:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll

[2009/03/08 03:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

 

< %systemroot%\Tasks\*.job /lockedfiles >

 

< %systemroot%\system32\drivers\*.sys /lockedfiles >

 

========== Alternate Data Streams ==========

 

@Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9239D250

@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9

< End of report >

Posted

Extras report

 

OTL Extras logfile created on: 01/03/2010 14:26:36 - Run 1

OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Stuart\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

 

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free

5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.88 Gb Total Space | 164.54 Gb Free Space | 70.66% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

 

Computer Name: EXTREMEPAD

Current User Name: Stuart

Logged in as Administrator.

 

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

 

========== Extra Registry (SafeList) ==========

 

 

========== File Associations ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.reg [@ = regfile] --

 

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = htmlfile] -- Reg Error: Key error. File not found

 

========== Shell Spawning ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [open] --

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

 

========== Security Center Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

 

========== Authorized Applications List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)

"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)

"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"D:\setup\HPZNET01.EXE" = D:\setup\HPZNET01.EXE:*:Enabled:hpznet01.exe -- File not found

"D:\setup\HPONICIFS01.EXE" = D:\setup\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe -- File not found

"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- ()

"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )

"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)

"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)

"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)

"C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager -- (iAnywhere Solutions, Inc.)

"C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe" = C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe:*:Enabled:Nero Home -- (Nero AG)

"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)

"C:\Program Files\Kontiki\KService.exe" = C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service -- (Kontiki Inc.)

"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)

"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath -- (Skype Technologies S.A.)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

 

 

========== HKEY_LOCAL_MACHINE Uninstall List ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis

"{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow

"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics

"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0

"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime

"{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig

"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress

"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java 6 Update 18

"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)

"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth

"{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK

"{2F8C106A-7DFC-45DE-8006-F9145AADF1D8}" = iPod Updater 2004-08-06

"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java 6 Update 3

"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7

"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1

"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone

"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant

"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel

"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support

"{3FB39BED-37C8-4E60-8E02-315B8C2B07E3}" = Genesys PC Camera Device

"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1

"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4B41AE13-BA0E-4328-8E83-AD2A0BEB33EB}" = Sky Player

"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant

"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies

"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger

"{516DC482-7BEB-4E1E-BCFC-879C50D315FB}" = Amethyst CADwizz Ultra

"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder

"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)

"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features

"{5545B622-9998-4f13-9CD6-B908675BDCB2}" = QuickBooks Pro Edition 2006

"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer

"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service

"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg

"{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap

"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD

"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI

"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com

"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)

"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar

"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder

"{7E545666-F422-45FD-B3DF-C0B99A1A579F}" = QuickBooks Pro 2008

"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI

"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status

"{876A4C7A-412A-40b8-9DCF-B04D2339B73E}" = c7100_Help

"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc

"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload

"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge

Posted

extras report continued

 

Modules

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007

"{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007

"{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007

"{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007

"{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components

"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007

"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant

"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector

"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync

"{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy

"{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices

"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A351224F-533A-4EED-89F4-0BF3417FD31D}" = WD Backup

"{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)

"{A7B279F4-E9B0-470F-A6A0-54C31C340DBC}" = C7100

"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components

"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support

"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder

"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1

"{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2

"{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour

"{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config

"{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply

"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client

"{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}" = HP Photosmart, Officejet and Deskjet 7.0.A

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service

Pack 2

"{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery

"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter

"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA

"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update

"{C994D98C-293D-4825-958E-EB684B4D413F}" = MSN Toolbar

"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1

"{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar

"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari

"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp

"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader

"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware

"{E1B80DEE-A795-4258-8445-074C06AE3AB8}" = MarketResearch

"{E3CAAC8F-DEFD-4985-BFA3-0F6FCBCAC55E}" = Amethyst CADwizz MAX V3

"{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1

"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01

"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan

"{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}" = iTunes

"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA

"{F87DA817-8D53-42CC-AA45-93A100341033}" = Nero 7 Essentials

"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility

"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations

"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA

"{FE7E1DD7-EBCE-4696-ADE2-22BDBF2372DA}" = DocumentViewer

"Ad-Aware" = Ad-Aware

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"avast!" = avast! Antivirus

"BCM Monitor" = BCM Monitor

"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2

"CNXT_MODEM_PCI_VEN_14F1&DEV_2C06&SUBSYS_14F10000" = Soft Modem with SmartCP

"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com

"Google Desktop" = Google Desktop

"Google Updater" = Google Updater

"HP Document Viewer" = HP Document Viewer 7.0

"HP Imaging Device Functions" = HP Imaging Device Functions 7.0

"HP Photo & Imaging" = HP Photosmart Premier Software 6.5

"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0

"HPExtendedCapabilities" = HP Customer Participation Program 7.0

"HPOCR" = OCR Software by I.R.I.S 7.0

"Identity Patrol v2.0" = Identity Patrol v2.0

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"ie8" = Windows Internet Explorer 8

"InstallShield_{2F8C106A-7DFC-45DE-8006-F9145AADF1D8}" = iPod Updater 2004-08-06

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft SQL Server 2005" = Microsoft SQL Server 2005

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"Nortel Business Element Manager" = Nortel Business Element Manager

"NVIDIA Drivers" = NVIDIA Drivers

"PKR" = PKR

"PROHYBRIDR" = 2007 Microsoft Office system

"Registry Patrol" = Registry Patrol

"Shop for HP Supplies" = Shop for HP Supplies

"Switch" = Switch Sound File Converter

"SynTPDeinstKey" = Synaptics Pointing Device Driver

"TomTom HOME" = TomTom HOME 2.7.3.1894

"vghd" = VirtuaGirl HD

"Windows Live Toolbar" = Windows Live Toolbar

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows Mobile Device Handbook" = Windows Mobile® Device Handbook

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

"Yahoo! Software Update" = Yahoo! Software Update

 

========== Last 10 Event Log Errors ==========

 

[ Antivirus Events ]

Error - 30/12/2008 17:12:02 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

C:\Documents and Settings\Stuart\Local Settings\Temporary Internet Files\Content.IE5\TFDPR1FL\aa[1].js

failed, 0000A413.

 

Error - 30/12/2008 17:12:02 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

https://anytimepc-client.sky.com/vod/page/home.do failed, 0000A413.

 

Error - 06/01/2009 14:46:12 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522

Description = Internal error has occurred in module aswar scan function failed!,

function A0000111.

 

Error - 05/11/2009 07:24:47 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

http://fb.mindjolt.com/fb/ad/game_iframead.jsp?gameKey=OU72CABMJ3BRHVFI&fb_sig_in_iframe=1&fb_sig_iframe_key=751d31dd6b56b26b...

failed, 0000A413.

 

Error - 05/11/2009 18:16:55 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

MindJolt Games...

failed, 0000A413.

 

Error - 06/11/2009 22:35:40 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

http://fb.mindjolt.com/fb/ad/game_iframead.jsp?gameKey=OU72CABMJ3BRHVFI&fb_sig_in_iframe=1&fb_sig_iframe_key=faeac4e1eef307c2...

failed, 0000A413.

 

Error - 08/11/2009 04:14:34 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK failed, 0000A413.

 

Error - 16/01/2010 00:24:38 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

C:\DOCUMENTS AND SETTINGS\STUART\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE

DESKTOP\42AC6A93CE20\SIDEBAR_REMOVED_PLUGIN_DATA failed, 00000005.

 

Error - 16/01/2010 08:27:26 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

C:\DOCUMENTS AND SETTINGS\STUART\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE

DESKTOP\42AC6A93CE20\SIDEBAR_REMOVED_PLUGIN_DATA failed, 00000005.

 

Error - 16/01/2010 19:37:20 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

C:\DOCUMENTS AND SETTINGS\STUART\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE

DESKTOP\42AC6A93CE20\SIDEBAR_REMOVED_PLUGIN_DATA failed, 00000005.

 

[ Application Events ]

Error - 24/02/2010 14:24:05 | Computer Name = EXTREMEPAD | Source = Google Update | ID = 20

Description =

 

Error - 24/02/2010 15:24:05 | Computer Name = EXTREMEPAD | Source = Google Update | ID = 20

Description =

 

Error - 24/02/2010 16:24:05 | Computer Name = EXTREMEPAD | Source = Google Update | ID = 20

Description =

 

Error - 24/02/2010 17:24:05 | Computer Name = EXTREMEPAD | Source = Google Update | ID = 20

Description =

 

Error - 25/02/2010 09:06:06 | Computer Name = EXTREMEPAD | Source = Application Error | ID = 1000

Description = Faulting application identitypatrol.exe, version 2.2.0.0, faulting

module msvbvm60.dll, version 6.0.98.2, fault address 0x0005d26c.

 

Error - 26/02/2010 03:03:46 | Computer Name = EXTREMEPAD | Source = Windows Search Service | ID = 3024

Description = The update cannot be started because the content sources cannot be

accessed. Fix the errors and try the update again. Context: Application, SystemIndex

Catalog

 

Error - 26/02/2010 12:22:49 | Computer Name = EXTREMEPAD | Source = Application Error | ID = 1000

Description = Faulting application identitypatrol.exe, version 2.2.0.0, faulting

module msvbvm60.dll, version 6.0.98.2, fault address 0x0005d26c.

 

Error - 26/02/2010 16:41:20 | Computer Name = EXTREMEPAD | Source = Application Error | ID = 1000

Description = Faulting application identitypatrol.exe, version 2.2.0.0, faulting

module msvbvm60.dll, version 6.0.98.2, fault address 0x0005d26c.

 

Error - 28/02/2010 21:34:32 | Computer Name = EXTREMEPAD | Source = Application Error | ID = 1000

Description = Faulting application hijackthis.exe, version 2.0.0.3, faulting module

msvbvm60.dll, version 6.0.98.2, fault address 0x0005d26c.

 

Error - 01/03/2010 08:18:37 | Computer Name = EXTREMEPAD | Source = Application Error | ID = 1000

Description = Faulting application identitypatrol.exe, version 2.2.0.0, faulting

module msvbvm60.dll, version 6.0.98.2, fault address 0x0005d26c.

 

[ OSession Events ]

Error - 13/08/2009 07:14:35 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application

Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session

lasted 3 seconds with 0 seconds of active time. This session ended with a crash.

 

Error - 13/08/2009 07:19:48 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application

Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session

lasted 104 seconds with 60 seconds of active time. This session ended with a crash.

 

Error - 02/09/2009 14:56:36 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:

12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 218

seconds with 180 seconds of active time. This session ended with a crash.

 

Error - 28/09/2009 17:41:55 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:

12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 110

seconds with 0 seconds of active time. This session ended with a crash.

 

Error - 11/10/2009 08:48:58 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:

12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 97

seconds with 60 seconds of active time. This session ended with a crash.

 

Error - 27/10/2009 17:06:35 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:

12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 103

seconds with 60 seconds of active time. This session ended with a crash.

 

Error - 08/12/2009 01:50:10 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:

12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 213

seconds with 60 seconds of active time. This session ended with a crash.

 

Error - 10/12/2009 09:09:10 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:

12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1827

seconds with 240 seconds of active time. This session ended with a crash.

 

Error - 12/12/2009 16:30:31 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:

12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 71

seconds with 60 seconds of active time. This session ended with a crash.

 

Error - 28/01/2010 04:04:38 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:

12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 329

seconds with 120 seconds of active time. This session ended with a crash.

 

[ System Events ]

Error - 24/02/2010 06:18:20 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7022

Description = The KService service hung on starting.

 

Error - 26/02/2010 16:40:38 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7022

Description = The KService service hung on starting.

 

Error - 01/03/2010 03:52:28 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7022

Description = The KService service hung on starting.

 

Error - 01/03/2010 08:16:41 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7022

Description = The KService service hung on starting.

 

Error - 01/03/2010 08:43:00 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7022

Description = The KService service hung on starting.

 

Error - 01/03/2010 08:54:01 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7011

Description = Timeout (30000 milliseconds) waiting for a transaction response from

the avast! Mail Scanner service.

 

Error - 01/03/2010 08:54:31 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7011

Description = Timeout (30000 milliseconds) waiting for a transaction response from

the avast! Mail Scanner service.

Posted

extras report continued

 

Error - 01/03/2010 08:55:01 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7011

Description = Timeout (30000 milliseconds) waiting for a transaction response from

the service.

 

Error - 01/03/2010 09:04:58 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7022

Description = The KService service hung on starting.

 

Error - 01/03/2010 10:02:03 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7022

Description = The KService service hung on starting.

 

 

< End of report >

Posted

Hi thingameejig,

Step 1

Click on start... settings... control panel and double-click on Add or Remove Programs. From within Add or Remove Programs uninstall the following:

 

Java™ 6 Update 3

Java™ 6 Update 5

Java™ 6 Update 7

 

These are old versions of Java and should have been removed.

 

Don't remove... Java™ 6 Update 18

This is the latest version.

 

Reboot the system when completed.

 

Step 2

Double click on OTL.exe to run it.

Copy the lines in the codebox below. (make sure you include the first lot of : )

:Otl
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab  (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab  (Reg Error: Key error.)
O33 - MountPoints2\{7dcf3ec0-0136-11df-8744-001060d01536}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\Shell - "" = AutoRun
O33 - MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
[2010/02/19 21:30:09 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
@Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9239D250
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9

:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]

  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
     
    http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
     
  • Click the red Run Fix button.
     
    http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
     
  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

 

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

 

Step 3

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

 

Link 1

Link 2

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

 

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

 

This is an example, you may rename ComboFix to anything you want.

 

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
     
    Then:
     
    Double click on Combo-Fix.exe & follow the prompts.
     
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    If running Vista, you may not see this screen
     
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

 

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

http://img.photobucket.com/albums/v706/ried7/whatnext.png

 

Click on Yes, to continue scanning for malware.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

 

 

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall

 

In your next reply, please submit:

Otl report that comes up after the fix.

ComboFix.txt

 

 

Thanks.

Member of:

UNITE

Posted

All processes killed

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\SITEguard deleted successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}

C:\WINDOWS\Downloaded Program Files\gp.inf not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7dcf3ec0-0136-11df-8744-001060d01536}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7dcf3ec0-0136-11df-8744-001060d01536}\ not found.

File E:\InstallTomTomHOME.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c8e06ce9-c4bb-11dd-858c-001060d01536}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c8e06ce9-c4bb-11dd-858c-001060d01536}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c8e06ce9-c4bb-11dd-858c-001060d01536}\ not found.

File E:\LaunchU3.exe not found.

C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.

ADS C:\Documents and Settings\All Users\Application Data\TEMP:9239D250 deleted successfully.

ADS C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9 deleted successfully.

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 204952 bytes

 

User: All Users

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 41085 bytes

 

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 47759 bytes

 

User: NetworkService

->Temp folder emptied: 295392 bytes

->Temporary Internet Files folder emptied: 12107441 bytes

 

User: Stuart

->Temp folder emptied: 136638028 bytes

->Temporary Internet Files folder emptied: 138550175 bytes

->Java cache emptied: 25802316 bytes

->FireFox cache emptied: 58484417 bytes

->Apple Safari cache emptied: 10554646 bytes

->Flash cache emptied: 49989 bytes

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2176856 bytes

%systemroot%\System32 .tmp files removed: 3613713 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 155178763 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23449822 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 1362480 bytes

 

Total Files Cleaned = 542.00 mb

 

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

 

[EMPTYFLASH]

 

User: Administrator

 

User: All Users

 

User: Default User

->Flash cache emptied: 0 bytes

 

User: LocalService

 

User: NetworkService

 

User: Stuart

->Flash cache emptied: 0 bytes

 

Total Flash Files Cleaned = 0.00 mb

 

 

OTL by OldTimer - Version 3.1.32.0 log created on 03012010_173214

Files\Folders moved on Reboot...

File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_e38.dat not found!

C:\Documents and Settings\Stuart\Local Settings\Temporary Internet Files\Content.IE5\IL5T36U2\9279-suspected-key-logger[2].html moved successfully.

C:\Documents and Settings\Stuart\Local Settings\Temporary Internet Files\Content.IE5\IL5T36U2\ads[3].htm moved successfully.

C:\Documents and Settings\Stuart\Local Settings\Temporary Internet Files\Content.IE5\00ZM1POQ\ads[3].htm moved successfully.

C:\Documents and Settings\Stuart\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.

File\Folder C:\WINDOWS\temp\Perflib_Perfdata_6fc.dat not found!

Registry entries deleted on Reboot...

Posted

ComboFix 10-03-01.01 - Stuart 01/03/2010 18:44:12.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2303 [GMT 0:00]

Running from: c:\documents and settings\Stuart\Desktop\Combo-Fix.exe

AV: avast! antivirus 4.8.1368 [VPS 100301-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))

.

2010-03-01 17:32 . 2010-03-01 17:32 -------- d-----w- C:\_OTL

2010-03-01 15:24 . 2010-03-01 15:24 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-01 15:24 . 2010-03-01 15:24 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys

2010-03-01 15:24 . 2010-03-01 15:24 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll

2010-03-01 15:23 . 2010-03-01 15:23 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll

2010-03-01 15:22 . 2010-03-01 15:22 562272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll

2010-03-01 15:22 . 2010-03-01 15:22 221408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll

2010-03-01 15:21 . 2010-03-01 15:22 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll

2010-03-01 15:21 . 2010-03-01 15:21 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll

2010-03-01 15:20 . 2010-03-01 15:20 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll

2010-03-01 15:14 . 2010-03-01 15:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-01 15:14 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

2010-03-01 12:18 . 2004-07-16 16:11 622113 ----a-w- c:\windows\system32\IDPList.dll

2010-03-01 12:18 . 2004-05-15 12:12 13772 ----a-w- c:\windows\system32\IDPImmData.dll

2010-03-01 12:18 . 2004-06-12 12:02 162 ----a-w- c:\windows\system32\IDPCritProc.dll

2010-03-01 12:17 . 2010-03-01 12:17 1002044 ----a-w- c:\windows\system32\IDPExe.zip

2010-03-01 12:17 . 2010-03-01 12:17 1669117 ----a-w- c:\windows\system32\IDPSig.zip

2010-03-01 00:49 . 2010-03-01 00:49 388096 ----a-r- c:\documents and settings\Stuart\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-03-01 00:49 . 2010-03-01 00:49 -------- d-----w- c:\program files\TrendMicro

2010-02-25 13:09 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-22 22:22 . 2010-02-22 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield

2010-02-22 22:22 . 2010-02-22 22:22 -------- d-----w- c:\program files\CA Design

2010-02-14 20:47 . 2010-02-14 20:48 -------- d-----w- c:\program files\iTunes

2010-02-14 20:44 . 2010-02-14 20:44 -------- d-----w- c:\program files\QuickTime

2010-02-14 20:37 . 2010-02-14 20:37 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

2010-02-10 23:07 . 2010-02-10 23:07 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-01 18:46 . 2008-12-19 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki

2010-03-01 17:09 . 2008-02-23 22:28 -------- d-----w- c:\program files\Java

2010-03-01 17:09 . 2008-02-23 22:27 -------- d-----w- c:\program files\Common Files\Java

2010-03-01 15:24 . 2009-09-22 17:49 884176 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe

2010-03-01 15:23 . 2009-09-23 09:38 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-01 15:23 . 2009-09-22 17:49 211064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll

2010-03-01 15:23 . 2009-09-22 17:49 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2010-03-01 15:23 . 2009-09-22 17:49 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll

2010-03-01 15:22 . 2009-09-22 17:49 390320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2010-03-01 15:22 . 2009-09-22 17:49 167312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll

2010-03-01 15:21 . 2009-09-22 17:49 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll

2010-03-01 15:20 . 2009-09-22 17:49 329048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

2010-03-01 15:20 . 2009-09-22 17:49 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll

2010-03-01 15:18 . 2009-09-22 17:49 961984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll

2010-03-01 15:18 . 2009-09-22 17:49 835312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe

2010-03-01 15:17 . 2009-09-22 17:49 842992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe

2010-03-01 15:17 . 2009-09-22 17:49 1593320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe

2010-03-01 15:17 . 2009-09-22 17:49 815184 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe

2010-03-01 15:16 . 2009-09-22 17:49 1229232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

2010-03-01 15:14 . 2008-01-08 17:47 -------- d-----w- c:\program files\Lavasoft

2010-02-28 23:13 . 2009-02-12 10:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-02-26 19:58 . 2008-01-08 20:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-02-22 22:22 . 2008-01-08 12:24 -------- d-----w- c:\program files\Common Files\InstallShield

2010-02-14 20:47 . 2008-01-08 22:51 -------- d-----w- c:\program files\iPod

2010-02-14 20:47 . 2008-01-30 19:48 -------- d-----w- c:\program files\Common Files\Apple

2010-02-13 14:27 . 2008-01-08 21:58 -------- d-----w- c:\program files\Google

2010-02-10 23:07 . 2008-01-09 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-02-04 15:53 . 2009-09-22 17:50 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-02-02 10:57 . 2009-03-15 22:02 7 ----a-w- c:\windows\sbacknt.bin

2010-01-27 08:55 . 2010-01-27 08:55 503808 ----a-w- c:\documents and settings\Stuart\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7706e4d1-n\msvcp71.dll

2010-01-27 08:55 . 2010-01-27 08:55 348160 ----a-w- c:\documents and settings\Stuart\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7706e4d1-n\msvcr71.dll

2010-01-27 08:55 . 2010-01-27 08:55 499712 ----a-w- c:\documents and settings\Stuart\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7706e4d1-n\jmc.dll

2010-01-27 08:55 . 2010-01-27 08:55 61440 ----a-w- c:\documents and settings\Stuart\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-527bf776-n\decora-sse.dll

2010-01-27 08:55 . 2010-01-27 08:55 12800 ----a-w- c:\documents and settings\Stuart\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-527bf776-n\decora-d3d.dll

2010-01-24 19:22 . 2008-01-09 22:49 -------- d-----w- c:\documents and settings\Stuart\Application Data\Skype

2010-01-24 18:33 . 2008-01-09 22:54 -------- d-----w- c:\documents and settings\Stuart\Application Data\skypePM

2010-01-21 08:18 . 2008-02-29 00:26 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-18 18:09 . 2008-01-09 00:16 -------- d-----w- c:\program files\Common Files\Adobe

2010-01-18 00:00 . 2008-03-14 00:52 3360 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys

2010-01-16 14:19 . 2008-01-08 12:26 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-16 03:57 . 2010-01-16 01:24 -------- d-----w- c:\program files\IdentityPatrol

2010-01-16 02:09 . 2010-01-16 01:12 -------- d-----w- c:\program files\Registry Patrol

2010-01-15 19:37 . 2010-01-15 19:37 -------- dc----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

2010-01-15 17:46 . 2010-01-12 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-01-15 17:43 . 2009-08-11 15:33 -------- d-----w- c:\program files\Citrix

2010-01-15 17:28 . 2009-12-30 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2010-01-15 16:59 . 2010-01-12 16:17 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-01-15 16:51 . 2010-01-15 16:50 960 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-01-15 12:43 . 2010-01-15 10:33 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\mvhgkr.dat

2010-01-15 12:43 . 2010-01-15 10:36 120 ----a-w- c:\windows\Qcitiwoni.dat

2010-01-15 10:36 . 2010-01-15 10:36 0 ----a-w- c:\windows\Oxefikomeje.bin

2010-01-15 10:33 . 2010-01-15 10:33 4 ----a-w- c:\documents and settings\LocalService\Application Data\mvhgkr.dat

2010-01-14 18:09 . 2010-01-14 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\TomTom

2010-01-14 18:07 . 2010-01-14 18:07 -------- d-----w- c:\program files\TomTom HOME 2

2010-01-14 18:00 . 2010-01-14 18:00 -------- d-----w- c:\program files\TomTom DesktopSuite

2010-01-14 09:48 . 2008-01-08 23:13 -------- d-----w- c:\program files\PKR

2010-01-12 17:35 . 2009-03-02 17:12 -------- d-----w- c:\program files\Yahoo!

2010-01-12 16:24 . 2010-01-12 16:24 -------- d-----w- c:\documents and settings\Stuart\Application Data\Malwarebytes

2010-01-12 16:24 . 2010-01-12 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-01-12 13:07 . 2009-03-15 22:02 -------- d-----w- c:\program files\vghd

2010-01-12 13:07 . 2009-03-15 22:02 152904 ----a-w- c:\windows\system32\vghd.scr

2010-01-12 13:07 . 2010-01-12 13:07 -------- d-----w- c:\documents and settings\Stuart\Application Data\vghd

2010-01-11 09:42 . 2009-12-30 10:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard

2010-01-08 21:50 . 2010-01-08 21:50 171080 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-12-31 16:50 . 2006-02-28 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-30 12:00 . 2008-01-08 20:35 78304 ----a-w- c:\documents and settings\Stuart\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-30 11:58 . 2009-12-30 11:59 816384 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\Components\DownloadQB17\Patch\qbpatch2.exe

2009-12-21 19:14 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-17 17:14 . 2008-11-27 10:31 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-16 18:43 . 2008-01-08 12:03 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2006-02-28 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:26 . 2006-02-28 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2006-02-28 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-24 864256]

"GenePccMon.exe"="c:\program files\Genesys PC Camera Device\GenePccMon.exe" [2007-02-13 36864]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-01-15 30192]

"IdentityPatrol"="c:\program files\IdentityPatrol\IdentityPatrol.exe" [2008-02-12 6840320]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-14 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-14 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-8 967960]

WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2009-9-23 98304]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [22/09/2009 17:50 64288]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/01/2009 11:27 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/01/2009 11:27 20560]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 15:52 1229232]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 11:31 92008]

R3 DCamUSBGene;GenesysLogic USB2.0 PC Camera;c:\windows\system32\drivers\USBGENE.sys [08/01/2008 12:50 131584]

S2 gupdate1c98cfde1ebe9de;Google Update Service (gupdate1c98cfde1ebe9de);c:\program files\Google\Update\GoogleUpdate.exe [12/02/2009 10:37 133104]

S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [15/01/2010 22:20 30192]

.

Contents of the 'Scheduled Tasks' folder

2010-03-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:17]

2010-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-03-01 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2010-03-01 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-12 18:46]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 10:37]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 10:37]

2010-03-01 c:\windows\Tasks\User_Feed_Synchronization-{5A6F850F-0EEA-403D-B358-444B4AA78D53}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

.

.

Posted

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

 

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2010-03-01 18:45

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

GenePccMon.exe = c:\program files\Genesys PC Camera Device\GenePccMon.exe???????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1228)

c:\windows\system32\WININET.dll

c:\docume~1\Stuart\LOCALS~1\Temp\catchme.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-03-01 18:47:43

ComboFix-quarantined-files.txt 2010-03-01 18:47

Pre-Run: 176,929,280,000 bytes free

Post-Run: 176,884,244,480 bytes free

- - End Of File - - EE1C7C556386AC4DF4435886877D28ED

Posted

Hi thingameejig,

 

I see that Combofix has been run twice before, when was it run?

 

Let's get an online scan done and see if there's anything else.

 

I'd like you to do an ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
     
  • Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
     
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer.
      Save it to your desktop.
    • Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

    [*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png

    [*]Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.

    [*]Accept any security warnings from your browser.

    [*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png

    [*]Click the Start button.

    [*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

    [*]When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png

    [*]Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan.

    Include the contents of this report in your next reply.

    [*]Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.

    [*]Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Member of:

UNITE

Posted

The combofix was only run today, it froze twice before it ran fully.

 

results of esetscan....

 

C:\Program Files\Registry Patrol\RegistryPatrol.exe a variant of Win32/Adware.RegistryPatrol application cleaned by deleting - quarantined

C:\WINDOWS\system32\drivers\etc\hosts.20100115-150815.backup Win32/Qhost trojan cleaned by deleting - quarantined

C:\WINDOWS\system32\drivers\etc\hosts.20100115-151016.backup Win32/Qhost trojan cleaned by deleting - quarantined

C:\_OTL\MovedFiles\03012010_173214\C_WINDOWS\System32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined

 

 

(thank you for advice and help so far, I don't fully understand wht we hve achieved but I am sure it's all good. As i originaly stated i have a potential problem on two other pc's, should i duplicate these steps on them or is each step specific to the first?. Likewise if we haven't finished yet I apologise for the interuption.... i'm all ears again! (or eyes and fingers!))

Posted (edited)

Hi thingameejig

 

I don't fully understand wht we hve achieved but I am sure it's all good
There was no actual Keylogger showing in the reports, maybe it was just a program that shows signs of working like a keylogger.

Sounds odd i know, but i actually use a couple. The main program i use for storing/copying and pasting my canned speeches is sometimes thrown up as a keylogger, but it's not....but it has the ability to use keyboard shortcuts.

 

You did have a couple of problems, but they have now been sorted.

 

C:\WINDOWS\system32\drivers\etc\hosts.20100115-150815.backup Win32/Qhost trojan cleaned by deleting - quarantined

C:\WINDOWS\system32\drivers\etc\hosts.20100115-151016.backup Win32/Qhost trojan cleaned by deleting - quarantined

C:\_OTL\MovedFiles\03012010_173214\C_WINDOWS\Syste m32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined

we beat Eset to these as we had already reset your hosts file. :)

 

s i originaly stated i have a potential problem on two other pc's, should i duplicate these steps on them or is each step specific to the first?
No, each system has to be treated differently. Never use the same fix for another system.

Feel free to start a new thread for the other systems and we'll be glad to take a look for you.

 

If your system seems to be running ok, we'll finish off the cleaning.

so....... everything ok now?

Edited by Starbuck

Member of:

UNITE

Posted

If your system seems to be running ok, we'll finish off the cleaning.

so....... everything ok now?

 

Yes, the system is OK however the odd thing is there wasn't any sign of a problem with it before we started. I started the thread because of the theft we experienced from our on line banking.

 

Overnight I ran my AV software....

 

Advent proffesional ..... found nothing

 

adaware (free download) .... found nothing

 

stopzilla .... found loads, such as...

 

Catchme (trojan)

HKlM \system\ current control settings

GASF

Internet security 2010

ezula dash memory

 

I deleted these turn laptop off/on then re ran stopzilla and Internet security 2010 & GASF are still there

 

other than that I am ready/happy to continu aith the proccess

 

Further to this I have my doubts..... I am wondering if it would be simpler to just reinstall windows altogether and start again ????

 

I am also considering buying a fourth laptop and having it solely designated to online banking and such like... Unfortunately this experience has left me with little faith in on line security

Posted

One of our secucurity experts will likely say the same things any one else will. But follow through with the cleaning first. I think you are probably just about done.

 

After that you might get some opinions on over all security. A dedicated banking computer would be over kill in my opinion.

 

In any case I will wait.

We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.

Get help with computer problems. Join Free PC Help here

 

Donations are welcome. Read Here

Posted

Hi thingameejig

 

stopzilla .... found loads, such as...

 

Catchme (trojan)

HKlM \system\ current control settings

GASF

Internet security 2010

ezula dash memory

Catchme isn't a trojan,it's part of one our cleaning tools .... but some programs may flag it as such because of how it works.

GASF

Internet security 2010 these are interesting though.

GASF is associated with the TDSS rootkit, which is designed to steal information.

I suspect that this may have been removed by one of your security programs prier to us checking.

Combofix is very good at detecting this rootkit, but didn't find anything. It maybe that there's a registry entry still laying around somewhere. This is the problem with these types of rootkits.

If we had seen this in the reports we would normally have recommended a reformat/reinstall to make sure it was removed completely.

There is a tool designed specifically to search for this, it wouldn't hurt to run that.

Internet security 2010 is a rouge program, but none of the scans detected it ... maybe this is just registry remnants again.

Like i say these may have been removed by one of your security programs and may have just left a few orphan entries in the registry.

 

Let's take a look to be on the safe side.

 

Step 1

Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Click on Start >> Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.
     
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
     
     
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

 

Step 2

Please update MBAM and run another scan:

Start MBAM

Click on the Update tab >> click Search for Updates

If it says that MBAM needs to close to update it... let it close and then restart it.

On restart >> click the Scan button.

 

Don't forget:

  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

Let me have both reports and we'll check that everything has gone.

 

Thanks.

Member of:

UNITE

Posted

18:10:31:359 1796 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25

18:10:31:359 1796 ================================================================================

18:10:31:359 1796 SystemInfo:

18:10:31:359 1796 OS Version: 5.1.2600 ServicePack: 3.0

18:10:31:359 1796 Product type: Workstation

18:10:31:359 1796 ComputerName: EXTREMEPAD

18:10:31:359 1796 UserName: Stuart

18:10:31:359 1796 Windows directory: C:\WINDOWS

18:10:31:359 1796 Processor architecture: Intel x86

18:10:31:359 1796 Number of processors: 2

18:10:31:359 1796 Page size: 0x1000

18:10:31:359 1796 Boot type: Normal boot

18:10:31:359 1796 ================================================================================

18:10:31:375 1796 UnloadDriverW: NtUnloadDriver error 2

18:10:31:375 1796 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

18:10:31:406 1796 Initialize success

18:10:31:406 1796

18:10:31:406 1796 Scanning Services ...

18:10:31:406 1796 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

18:10:31:406 1796 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

18:10:31:406 1796 wfopen_ex: Trying to KLMD file open

18:10:31:406 1796 wfopen_ex: File opened ok (Flags 2)

18:10:31:406 1796 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

18:10:31:406 1796 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

18:10:31:406 1796 wfopen_ex: Trying to KLMD file open

18:10:31:406 1796 wfopen_ex: File opened ok (Flags 2)

18:10:31:906 1796 GetAdvancedServicesInfo: Raw services enum returned 401 services

18:10:31:906 1796 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

18:10:31:906 1796 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

18:10:31:906 1796

18:10:31:906 1796 Scanning Kernel memory ...

18:10:31:906 1796 Devices to scan: 2

18:10:31:906 1796

18:10:31:906 1796 Driver Name: Disk

18:10:31:906 1796 IRP_MJ_CREATE : BA90EBB0

18:10:31:906 1796 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

18:10:31:906 1796 IRP_MJ_CLOSE : BA90EBB0

18:10:31:906 1796 IRP_MJ_READ : BA908D1F

18:10:31:906 1796 IRP_MJ_WRITE : BA908D1F

18:10:31:906 1796 IRP_MJ_QUERY_INFORMATION : 804F4562

18:10:31:906 1796 IRP_MJ_SET_INFORMATION : 804F4562

18:10:31:906 1796 IRP_MJ_QUERY_EA : 804F4562

18:10:31:906 1796 IRP_MJ_SET_EA : 804F4562

18:10:31:906 1796 IRP_MJ_FLUSH_BUFFERS : BA9092E2

18:10:31:906 1796 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

18:10:31:906 1796 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

18:10:31:906 1796 IRP_MJ_DIRECTORY_CONTROL : 804F4562

18:10:31:906 1796 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

18:10:31:906 1796 IRP_MJ_DEVICE_CONTROL : BA9093BB

18:10:31:906 1796 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28

18:10:31:906 1796 IRP_MJ_SHUTDOWN : BA9092E2

18:10:31:906 1796 IRP_MJ_LOCK_CONTROL : 804F4562

18:10:31:906 1796 IRP_MJ_CLEANUP : 804F4562

18:10:31:906 1796 IRP_MJ_CREATE_MAILSLOT : 804F4562

18:10:31:906 1796 IRP_MJ_QUERY_SECURITY : 804F4562

18:10:31:906 1796 IRP_MJ_SET_SECURITY : 804F4562

18:10:31:906 1796 IRP_MJ_POWER : BA90AC82

18:10:31:906 1796 IRP_MJ_SYSTEM_CONTROL : BA90F99E

18:10:31:906 1796 IRP_MJ_DEVICE_CHANGE : 804F4562

18:10:31:906 1796 IRP_MJ_QUERY_QUOTA : 804F4562

18:10:31:906 1796 IRP_MJ_SET_QUOTA : 804F4562

18:10:31:906 1796 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code

18:10:31:906 1796 sion

18:10:31:921 1796 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

18:10:31:921 1796

18:10:31:921 1796 Driver Name: atapi

18:10:31:921 1796 IRP_MJ_CREATE : BA6ED6F2

18:10:31:921 1796 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

18:10:31:921 1796 IRP_MJ_CLOSE : BA6ED6F2

18:10:31:921 1796 IRP_MJ_READ : 804F4562

18:10:31:921 1796 IRP_MJ_WRITE : 804F4562

18:10:31:921 1796 IRP_MJ_QUERY_INFORMATION : 804F4562

18:10:31:921 1796 IRP_MJ_SET_INFORMATION : 804F4562

18:10:31:921 1796 IRP_MJ_QUERY_EA : 804F4562

18:10:31:921 1796 IRP_MJ_SET_EA : 804F4562

18:10:31:921 1796 IRP_MJ_FLUSH_BUFFERS : 804F4562

18:10:31:921 1796 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

18:10:31:921 1796 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

18:10:31:921 1796 IRP_MJ_DIRECTORY_CONTROL : 804F4562

18:10:31:921 1796 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

18:10:31:921 1796 IRP_MJ_DEVICE_CONTROL : BA6ED712

18:10:31:921 1796 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA6E9852

18:10:31:921 1796 IRP_MJ_SHUTDOWN : 804F4562

18:10:31:921 1796 IRP_MJ_LOCK_CONTROL : 804F4562

18:10:31:921 1796 IRP_MJ_CLEANUP : 804F4562

18:10:31:921 1796 IRP_MJ_CREATE_MAILSLOT : 804F4562

18:10:31:921 1796 IRP_MJ_QUERY_SECURITY : 804F4562

18:10:31:921 1796 IRP_MJ_SET_SECURITY : 804F4562

18:10:31:921 1796 IRP_MJ_POWER : BA6ED73C

18:10:31:921 1796 IRP_MJ_SYSTEM_CONTROL : BA6F4336

18:10:31:921 1796 IRP_MJ_DEVICE_CHANGE : 804F4562

18:10:31:921 1796 IRP_MJ_QUERY_QUOTA : 804F4562

18:10:31:921 1796 IRP_MJ_SET_QUOTA : 804F4562

18:10:31:921 1796 siohd: 0

18:10:32:000 1796 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean

18:10:32:000 1796

18:10:32:000 1796 Completed

18:10:32:015 1796

18:10:32:015 1796 Results:

18:10:32:015 1796 Memory objects infected / cured / cured on reboot: 0 / 0 / 0

18:10:32:015 1796 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

18:10:32:015 1796 File objects infected / cured / cured on reboot: 0 / 0 / 0

18:10:32:015 1796

18:10:32:015 1796 KLMD(ARK) unloaded successfully

 

 

MBAM ?????what is this? how do i access it?

Posted
MBAM ?????what is this? how do i access it?

Sorry my mistake, i thought you had MBAM installed.

That's what happens when you work too many logs at once.

 

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

    [*]Then click Finish.

    [*]MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

    [*]On the Scanner tab:

    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.

    [*]If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

    [*]The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.

    [*]When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

    [*]Click OK to close the message box and continue with the removal process.

    [*]Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.

    [*]Make sure that everything is checked, and click Remove Selected.

    [*]When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)

    [*]The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

    [*]Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

Let me have the report after the scan.

 

Thanks

Member of:

UNITE

Posted

OK, by coincedence on other advise I had run this earlier (just didn't recognise the reference to it), however i ran it again.

Below is the log from earlier, however when I ran it the second time it finished the scan displayed a virus and upon removal a note popped up saying that the software had experienced a fault and had to close.

 

 

 

 

Malwarebytes' Anti-Malware 1.44

Database version: 3813

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

02/03/2010 16:11:17

mbam-log-2010-03-02 (16-11-17).txt

Scan type: Full Scan (C:\|)

Objects scanned: 232391

Time elapsed: 1 hour(s), 4 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\LocalService\Application Data\mvhgkr.dat (Malware.Trace) -> Quarantined and deleted successfully.

Posted

With everything i have carried out i was begining to restore my faith in my security.

In addition to your instructions i have also ran...

 

advent anti virus

adaware

stopzilla

microsoft malicous tool removal

windows protection scan

 

 

However in the half an hour Ilost connectivity to my bt home hub, my wifi didn't register it ..... I moved to within 10 feet of the unit, it then registered it but didn't connect.

After four attempts it reconnected then shortly afterwards it failed.

I then turned the hub off/on and things appear back to normal.

whilstdoing this I opened microsoft outlook which came up with the error "personal folders not closed properly" last time i used it (not true to my knowledge)

 

Question.... are these just coincidences? could this be related to the infiltration i suspect I have? Or am I just becoming too sensitive about everyday normal computing glitches?

Posted

Hi thingameejig,

 

Files Infected:

C:\Documents and Settings\LocalService\Application Data\mvhgkr.dat (Malware.Trace) -> Quarantined and deleted successfully.

This is actually related to 'Internet Security 2010'.

 

This is why sometimes we recommend a reformat/re-install .... there isn't a single program that will find every bad file/folder, we have to use so many. The programs we use all search in different ways, that's why some programs find things and some miss things.

 

After four attempts it reconnected then shortly afterwards it failed.

I then turned the hub off/on and things appear back to normal.

whilstdoing this I opened microsoft outlook which came up with the error "personal folders not closed properly" last time i used it (not true to my knowledge)

 

Question.... are these just coincidences? could this be related to the infiltration i suspect I have?

In another thread i'm working on, someone else was having connection problems ( they were on BT as well) seems they checked with BT and it turns out that BT are upgrading their system at the moment and some small problems are bound to occur.

Member of:

UNITE

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...