Transferred from Vista looks more like detox needed

mij · July 31, 2010

My wife's Dell Studio one, running Vista home hangs where even basic internal programs like word or 'restore' wont work or just 'not responding'. I have tried a vista disk 'repair' and it did allow me to see that device driver had no X's against any hardware. The MS fireguard was in operation all the time.

The problem is that It wont go on the net to download any antiviral ware or anything else that will help me to detox the thing.

I do have this machine running and my wife has a laptop that works fine.

I do have the Vista 'installation disk' that came with it so I am prepared for a re-installation if that's necessary.

Cheers

jim

Plastic Nev · July 31, 2010

Hi Jim, to help things along till one of our security guys gets to you and to save a bit of time, please follow everything below, Because you are not able to connect the machine to the net, download the items to another machine and transfer them using a memory stick, or pen drive or similar.--

Step 1

Download TFC by OldTimer to your desktop

Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.

Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
[*]Then click Finish.
[*]MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
[*]On the Scanner tab:
- Make sure the "Perform Full Scan" option is selected.
- Then click on the Scan button.
[*]If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
[*]The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
[*]When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
[*]Click OK to close the message box and continue with the removal process.
[*]Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
[*]The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
[*]Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Step 3

Download OTL to your desktop.
if you have problems, try this download link:
OTL
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check

.

http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png

Now copy the lines in the codebox below.
Code:
netsvcs
msconfig
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT
right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.

http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
.
Click the Run Scan button.

http://img.photobucket.com/albums/v708/starbuck50/runscan.png
Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit:

MBAM scan report

Both reports from OTL

Thanks.

Edited July 31, 2010 by Starbuck

Starbuck · July 31, 2010

Hi mij,

Have you tried to access the internet using 'safe mode with networking'?

If it will connect that way.... try and download the programs that 'plastic nev' asked for directly to the infected system.

mij · July 31, 2010

Hi mij,

Have you tried to access the internet using 'safe mode with networking'?
If it will connect that way.... try and download the programs that 'plastic nev' asked for directly to the infected system.

Thanks for that 'cuz it worked! Wossmore I was able to get to restore point and go back a month ago - before all these troubles began. That enabled it to boot back up in normal mode and connect online.

Ok am going through the detox anyway but nowt found so far.

I will post the files as requested.

cheers

jim

:)

Starbuck · July 31, 2010

Hi mij,

Glad to hear you had a bit of success with the problem.

Still post the:

MBAM scan report and both reports from OTL and i'll take a look and see if there's any leftovers on the system for you.

Ok am going through the detox anyway

I like that term, sounds good

Edited July 31, 2010 by Starbuck

mij · July 31, 2010

transferred for vista

Hi mij,

Glad to hear you had a bit of success with the problem.

Still post the:
MBAM scan report and both reports from OTL and i'll take a look and see if there's any leftovers on the system for you.

I like that term, sounds good

Even with the restored registry of the 27th june (a month ago) it still found a trojan 'bredolab' Malware bytes sorted it though.

Here are the logs, I've included the first mbam one as well as the second.

I hope they are in the right order - no doubt you'll let me know if they are not.

Cheers

jim

PS Shouldn't I have an OTF file log or sumpin? I dunno, I'm not used to this stuff.

Malwarebytes' Anti-Malware 1.44

Database version: 3615

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

22/01/2010 19:01:38

mbam-log-2010-01-22 (19-01-38).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 318389

Time elapsed: 58 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\$Recycle.Bin\S-1-5-21-3210984195-2674545727-4288912263-1000\$RMPNVYT.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Users\Helen\AppData\Roaming\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4374

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

31/07/2010 20:08:03

mbam-log-2010-07-31 (20-08-03).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 229203

Time elapsed: 37 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files (x86)\Trend Micro\HijackThis\backups\backup-20100122-120940-917-rarype32.exe (Trojan.Bredolab) -> Quarantined and deleted successfully.

OTL logfile created on: 31/07/2010 17:54:39 - Run 1

OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Helen\Desktop

64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 60.00% Memory free

6.00 Gb Paging File | 4.00 Gb Available in Paging File | 74.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 451.07 Gb Total Space | 361.34 Gb Free Space | 80.11% Space Free | Partition Type: NTFS

Drive D: | 14.65 Gb Total Space | 13.59 Gb Free Space | 92.74% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: HELEN-PC

Current User Name: Helen

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Include 64bit Scans

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Helen\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe (Trusteer Ltd.)

PRC - C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)

PRC - C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe (TomTom)

PRC - C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)

PRC - C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

PRC - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)

PRC - C:\Program Files (x86)\Dell\OSD\AIO_OSD.exe (Dell Corporation)

PRC - C:\Program Files (x86)\Dell\OSD\OSDSvr.exe ()

PRC - C:\Program Files (x86)\Dell V505\dldwmsdmon.exe ()

PRC - C:\Program Files (x86)\Dell V505\dldwmon.exe ()

PRC - C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)

PRC - C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Users\Helen\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\Program Files (x86)\Trusteer\Rapport\bin\rooksbas.dll (Trusteer Ltd.)

MOD - C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll (Microsoft Corporation)

MOD - C:\Windows\SysWOW64\msscript.ocx (Microsoft Corporation)

MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV:64bit: - (CSIScanner) -- C:\Program Files\Prevx\prevx.exe (Prevx)

SRV:64bit: - (wltrysvc) -- C:\Windows\SysNative\WLTRYSVC.EXE ()

SRV:64bit: - (AERTFilters) -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe (Andrea Electronics Corporation)

SRV:64bit: - (dldwCATSCustConnectService) -- C:\Windows\SysNative\spool\DRIVERS\x64\3\\dldwserv.exe ()

SRV:64bit: - (dldw_device) -- C:\Windows\SysNative\dldwcoms.exe ()

SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SRV - (RapportLaunService) -- C:\Program Files (x86)\Trusteer\Rapport\bin\RapportLaunService64.exe (Trusteer Ltd.)

SRV - (RapportMgmtService) -- C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)

SRV - (GoToAssist) -- C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)

SRV - (TomTomHOMEService) -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe (TomTom)

SRV - (SBSDWSCService) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)

SRV - (FOXOSDService) -- C:\Program Files (x86)\Dell\OSD\OSDSvr.exe ()

SRV - (dldw_device) -- C:\Windows\SysWow64\dldwcoms.exe ( )

========== Driver Services (SafeList) ==========

DRV:64bit: - (NwlnkFwd) -- C:\Windows\SysNative\DRIVERS\nwlnkfwd.sys File not found

DRV:64bit: - (NwlnkFlt) -- C:\Windows\SysNative\DRIVERS\nwlnkflt.sys File not found

DRV:64bit: - (IpInIp) -- C:\Windows\SysNative\DRIVERS\ipinip.sys File not found

DRV:64bit: - (pxrts) -- C:\Windows\SysNative\drivers\pxrts.sys ()

DRV:64bit: - (pxscan) -- C:\Windows\SysNative\drivers\pxscan.sys ()

DRV:64bit: - (pxkbf) -- C:\Windows\SysNative\drivers\pxkbf.sys ()

DRV:64bit: - (FXOSDDRV) -- C:\Windows\SysNative\DRIVERS\FxOSDdrv64.sys ()

DRV:64bit: - (BCM42RLY) -- C:\Windows\SysNative\drivers\BCM42RLY.sys ()

DRV:64bit: - (BCM43XX) -- C:\Windows\SysNative\DRIVERS\bcmwl664.sys ()

DRV:64bit: - (CtClsFlt) -- C:\Windows\SysNative\DRIVERS\CtClsFlt.sys ()

DRV:64bit: - (nvamacpi) -- C:\Windows\SysNative\DRIVERS\NVAMACPI.sys ()

DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\DRIVERS\b57nd60a.sys ()

DRV:64bit: - (WSDPrintDevice) -- C:\Windows\SysNative\DRIVERS\WSDPrint.sys ()

DRV:64bit: - (PxHlpa64) -- C:\Windows\SysNative\Drivers\PxHlpa64.sys ()

DRV:64bit: - (Ntfs) -- C:\Windows\SysNative\Wbem\ntfs.mof ()

DRV - (RapportPG64) -- C:\Program Files (x86)\Trusteer\Rapport\bin\RapportPG64.sys (Trusteer Ltd.)

DRV - (RapportKE64) -- C:\Program Files (x86)\Trusteer\Rapport\bin\RapportKE64.sys (Trusteer Ltd.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

[2010/03/13 12:17:54 | 000,000,000 | ---D | M] -- C:\Users\Helen\AppData\Roaming\mozilla\Extensions

[2010/03/13 12:17:54 | 000,000,000 | ---D | M] -- C:\Users\Helen\AppData\Roaming\mozilla\Extensions\home2@tomtom.com

O1 HOSTS File: ([2010/03/30 01:24:59 | 000,380,983 | R--- | M]) - C:\Windows\SysNative\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O1 - Hosts: 127.0.0.1 007guard.com - 007guard and Windows Vista

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 www.1000gratisproben.com

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.1-2005-search.com

O1 - Hosts: 13125 more lines...

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.

O4:64bit: - HKLM..\Run: [broadcom Wireless Manager UI] C:\Windows\SysNative\WLTRAY.exe ()

O4:64bit: - HKLM..\Run: [dldwamon] C:\Program Files (x86)\Dell V505\dldwamon.exe ()

O4:64bit: - HKLM..\Run: [dldwmon.exe] C:\Program Files (x86)\Dell V505\dldwmon.exe ()

O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\Windows\SysNative\NvCpl.DLL ()

O4:64bit: - HKLM..\Run: [NvMediaCenter] C:\Windows\SysNative\NvMcTray.DLL ()

O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)

O4:64bit: - HKLM..\Run: [skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe File not found

O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKLM..\Run: [Dell V505] C:\Program Files (x86)\Dell V505\fm3032.exe ()

O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)

O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O4 - HKCU..\Run: [TomTomHOME.exe] C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)

O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O13 - gopher Prefix: missing

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18:64bit: - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found

O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)

O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20:64bit: - Winlogon\Notify\GoToAssist: DllName - Reg Error: Key error. - C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll File not found

O32 - HKLM CDRom: AutoRun - 1

O33 - MountPoints2\{9e4670ed-127e-11df-9ed4-0024e80c7d96}\Shell\AutoRun\command - "" = G:\setup.exe -- File not found

O33 - MountPoints2\{a1420bea-2e91-11df-bb67-0024e80c7d96}\Shell\AutoRun\command - "" = G:\InstallTomTomHOME.exe -- File not found

O33 - MountPoints2\{e1d32dda-ac7b-1e55-b16e-806e6f6e6963}\Shell - "" = AutoRun

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[8509/06/13 02:43:19 | 000,000,000 | ---D | C] -- C:\Windows\Panther

[8509/06/13 02:42:50 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\OEM

[8509/06/12 19:46:10 | 000,000,000 | ---D | C] -- C:\Windows\Debug

[8509/06/12 17:49:19 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution

[8509/06/12 17:44:12 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch

[2010/07/31 17:51:55 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Helen\Desktop\OTL.exe

[2010/07/31 17:48:07 | 000,060,928 | ---- | C] (Prevx) -- C:\Windows\SysWow64\PxSecure.dll

[2010/07/31 17:48:05 | 000,000,000 | ---D | C] -- C:\Program Files\Prevx

[2010/07/31 17:47:44 | 000,000,000 | ---D | C] -- C:\ProgramData\PrevxCSI

[2010/07/31 11:54:53 | 000,000,000 | ---D | C] -- C:\Users\Helen\Documents\Dell WebCam Central

[2010/02/11 13:38:08 | 000,364,544 | ---- | C] ( ) -- C:\Windows\SysWow64\dldwinpa.dll

[2010/02/11 13:38:08 | 000,339,968 | ---- | C] ( ) -- C:\Windows\SysWow64\dldwiesc.dll

[2010/02/11 13:38:06 | 000,651,264 | ---- | C] ( ) -- C:\Windows\SysWow64\dldwpmui.dll

[2010/02/11 13:38:04 | 000,851,968 | ---- | C] ( ) -- C:\Windows\SysWow64\dldwusb1.dll

[2010/02/11 13:38:03 | 001,069,056 | ---- | C] ( ) -- C:\Windows\SysWow64\dldwserv.dll

[2010/02/11 13:38:02 | 000,577,536 | ---- | C] ( ) -- C:\Windows\SysWow64\dldwlmpm.dll

[2010/02/11 13:38:01 | 000,679,936 | ---- | C] ( ) -- C:\Windows\SysWow64\dldwhbn3.dll

[2010/02/11 13:38:00 | 000,376,832 | ---- | C] ( ) -- C:\Windows\SysWow64\dldwcomm.dll

[2010/02/11 13:37:59 | 000,765,952 | ---- | C] ( ) -- C:\Windows\SysWow64\dldwcomc.dll

[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[8509/06/12 17:52:05 | 000,047,092 | ---- | M] () -- C:\Windows\SysNative\license.rtf

[8509/06/12 17:51:28 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_00_00.Wdf

[2010/07/31 17:52:46 | 007,340,032 | -HS- | M] () -- C:\Users\Helen\ntuser.dat

[2010/07/31 17:51:57 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Helen\Desktop\OTL.exe

[2010/07/31 17:48:07 | 000,060,928 | ---- | M] (Prevx) -- C:\Windows\SysWow64\PxSecure.dll

[2010/07/31 17:48:06 | 000,056,320 | ---- | M] () -- C:\Windows\SysNative\drivers\pxrts.sys

[2010/07/31 17:48:06 | 000,034,696 | ---- | M] () -- C:\Windows\SysNative\drivers\pxscan.sys

[2010/07/31 17:48:06 | 000,022,336 | ---- | M] () -- C:\Windows\SysNative\drivers\pxkbf.sys

[2010/07/31 17:47:53 | 000,000,050 | ---- | M] () -- C:\Windows\wininit.ini

[2010/07/31 17:46:58 | 000,000,217 | ---- | M] () -- C:\Users\Helen\Desktop\Google.url

[2010/07/31 17:40:19 | 000,690,960 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2010/07/31 17:40:19 | 000,599,764 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2010/07/31 17:40:19 | 000,105,270 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2010/07/31 17:35:32 | 000,065,536 | ---- | M] () -- C:\Windows\SysNative\Ikeext.etl

[2010/07/31 17:35:30 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2010/07/31 17:35:27 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2010/07/31 17:35:26 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2010/07/31 17:35:24 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2010/07/31 17:35:17 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010/07/31 17:34:44 | 000,524,288 | -HS- | M] () -- C:\Users\Helen\ntuser.dat{bd1e410d-9cbe-11df-b61d-0024e80c7d96}.TMContainer00000000000000000002.regtrans-ms

[2010/07/31 17:34:44 | 000,524,288 | -HS- | M] () -- C:\Users\Helen\ntuser.dat{bd1e410d-9cbe-11df-b61d-0024e80c7d96}.TMContainer00000000000000000001.regtrans-ms

[2010/07/31 17:34:44 | 000,065,536 | -HS- | M] () -- C:\Users\Helen\ntuser.dat{bd1e410d-9cbe-11df-b61d-0024e80c7d96}.TM.blf

[2010/07/31 17:34:34 | 001,418,804 | -H-- | M] () -- C:\Users\Helen\AppData\Local\IconCache.db

[2010/07/31 17:31:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2010/07/31 17:21:04 | 000,524,288 | -HS- | M] () -- C:\Users\Helen\NTUSER.DAT{bef7d13c-9b13-11df-83ed-0024e80c7d96}.TMContainer00000000000000000001.regtrans-ms

[2010/07/31 17:21:04 | 000,065,536 | -HS- | M] () -- C:\Users\Helen\NTUSER.DAT{bef7d13c-9b13-11df-83ed-0024e80c7d96}.TM.blf

[2010/07/30 11:42:24 | 000,000,211 | ---- | M] () -- C:\Users\Helen\Desktop\Runbox.url

[2010/07/30 01:47:38 | 000,524,288 | -HS- | M] () -- C:\Users\Helen\NTUSER.DAT{bef7d13c-9b13-11df-83ed-0024e80c7d96}.TMContainer00000000000000000002.regtrans-ms

[2010/07/30 01:47:07 | 000,032,768 | ---- | M] () -- C:\Users\Helen\Desktop\celtic card2.docx.doc

[2010/07/29 22:11:04 | 000,002,826 | ---- | M] () -- C:\Users\Helen\Desktop\Ancestry.url

[2010/07/29 22:04:24 | 000,000,208 | ---- | M] () -- C:\Users\Helen\Desktop\BBC - Homepage.url

[2010/07/29 14:35:44 | 000,034,304 | ---- | M] () -- C:\Users\Helen\Desktop\Our Branch of Bennisons.doc

[2010/07/29 12:32:26 | 000,524,288 | -HS- | M] () -- C:\Users\Helen\NTUSER.DAT{f0f03d89-0deb-11df-b0f6-0024e80c7d96}.TMContainer00000000000000000001.regtrans-ms

[2010/07/29 12:32:26 | 000,065,536 | -HS- | M] () -- C:\Users\Helen\NTUSER.DAT{f0f03d89-0deb-11df-b0f6-0024e80c7d96}.TM.blf

[2010/07/26 23:06:43 | 000,000,000 | ---- | M] () -- C:\Users\Helen\Desktop\john bennison 1911

[2010/07/25 16:46:23 | 001,146,091 | ---- | M] () -- C:\Users\Helen\Desktop\011074.pdf

[2010/07/25 00:53:13 | 000,030,720 | ---- | M] () -- C:\Users\Helen\Desktop\MRI scanning.doc

[2010/07/23 14:04:11 | 000,595,264 | ---- | M] () -- C:\Users\Helen\Desktop\HIS10_Coronary_angioplasty_0509.pdf

[2010/07/13 12:10:48 | 000,735,435 | ---- | M] () -- C:\Users\Helen\Desktop\Extras_Page.pdf

[2010/07/13 12:10:39 | 000,797,067 | ---- | M] () -- C:\Users\Helen\Desktop\Directions_to_Mimosa_.pdf

[2010/07/13 12:10:29 | 000,794,036 | ---- | M] () -- C:\Users\Helen\Desktop\Directions_to_Century_Wharf.pdf

[2010/07/13 12:10:14 | 000,075,729 | ---- | M] () -- C:\Users\Helen\Desktop\TermsOfBusinessMain.pdf

[2010/07/13 12:10:06 | 000,242,087 | ---- | M] () -- C:\Users\Helen\Desktop\receipt_12934_20100713-00003.pdf

[2010/07/13 12:09:57 | 000,243,042 | ---- | M] () -- C:\Users\Helen\Desktop\invoice_10194_20100713-00003.pdf

[2010/07/13 12:09:46 | 000,258,734 | ---- | M] () -- C:\Users\Helen\Desktop\checkinLetterManaged20100713-00003.pdf

[2010/07/03 19:21:49 | 000,327,052 | ---- | M] () -- C:\Users\Helen\Documents\03-07-2010 19;21;24.rtf

[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files Created - No Company Name ==========

[8509/06/12 17:51:28 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_00_00.Wdf

[2010/07/31 17:48:06 | 000,056,320 | ---- | C] () -- C:\Windows\SysNative\drivers\pxrts.sys

[2010/07/31 17:48:06 | 000,034,696 | ---- | C] () -- C:\Windows\SysNative\drivers\pxscan.sys

[2010/07/31 17:48:06 | 000,022,336 | ---- | C] () -- C:\Windows\SysNative\drivers\pxkbf.sys

[2010/07/31 17:47:44 | 000,000,050 | ---- | C] () -- C:\Windows\wininit.ini

[2010/07/31 17:23:53 | 000,524,288 | -HS- | C] () -- C:\Users\Helen\ntuser.dat{bd1e410d-9cbe-11df-b61d-0024e80c7d96}.TMContainer00000000000000000002.regtrans-ms

[2010/07/31 17:23:53 | 000,524,288 | -HS- | C] () -- C:\Users\Helen\ntuser.dat{bd1e410d-9cbe-11df-b61d-0024e80c7d96}.TMContainer00000000000000000001.regtrans-ms

[2010/07/31 17:23:53 | 000,065,536 | -HS- | C] () -- C:\Users\Helen\ntuser.dat{bd1e410d-9cbe-11df-b61d-0024e80c7d96}.TM.blf

[2010/07/29 22:38:46 | 000,032,768 | ---- | C] () -- C:\Users\Helen\Desktop\celtic card2.docx.doc

[2010/07/29 14:19:50 | 000,524,288 | -HS- | C] () -- C:\Users\Helen\NTUSER.DAT{bef7d13c-9b13-11df-83ed-0024e80c7d96}.TMContainer00000000000000000002.regtrans-ms

[2010/07/29 14:19:50 | 000,524,288 | -HS- | C] () -- C:\Users\Helen\NTUSER.DAT{bef7d13c-9b13-11df-83ed-0024e80c7d96}.TMContainer00000000000000000001.regtrans-ms

[2010/07/29 14:19:50 | 000,065,536 | -HS- | C] () -- C:\Users\Helen\NTUSER.DAT{bef7d13c-9b13-11df-83ed-0024e80c7d96}.TM.blf

[2010/07/29 01:32:11 | 000,034,304 | ---- | C] () -- C:\Users\Helen\Desktop\Our Branch of Bennisons.doc

[2010/07/26 23:06:36 | 000,000,000 | ---- | C] () -- C:\Users\Helen\Desktop\john bennison 1911

[2010/07/25 16:46:22 | 001,146,091 | ---- | C] () -- C:\Users\Helen\Desktop\011074.pdf

[2010/07/24 16:23:46 | 000,030,720 | ---- | C] () -- C:\Users\Helen\Desktop\MRI scanning.doc

[2010/07/23 14:04:09 | 000,595,264 | ---- | C] () -- C:\Users\Helen\Desktop\HIS10_Coronary_angioplasty_0509.pdf

[2010/07/13 12:10:47 | 000,735,435 | ---- | C] () -- C:\Users\Helen\Desktop\Extras_Page.pdf

[2010/07/13 12:10:38 | 000,797,067 | ---- | C] () -- C:\Users\Helen\Desktop\Directions_to_Mimosa_.pdf

[2010/07/13 12:10:28 | 000,794,036 | ---- | C] () -- C:\Users\Helen\Desktop\Directions_to_Century_Wharf.pdf

[2010/07/13 12:10:14 | 000,075,729 | ---- | C] () -- C:\Users\Helen\Desktop\TermsOfBusinessMain.pdf

[2010/07/13 12:10:06 | 000,242,087 | ---- | C] () -- C:\Users\Helen\Desktop\receipt_12934_20100713-00003.pdf

[2010/07/13 12:09:57 | 000,243,042 | ---- | C] () -- C:\Users\Helen\Desktop\invoice_10194_20100713-00003.pdf

[2010/07/13 12:09:45 | 000,258,734 | ---- | C] () -- C:\Users\Helen\Desktop\checkinLetterManaged20100713-00003.pdf

[2010/07/03 19:21:48 | 000,327,052 | ---- | C] () -- C:\Users\Helen\Documents\03-07-2010 19;21;24.rtf

[2010/02/11 13:38:08 | 000,389,120 | ---- | C] () -- C:\Windows\SysWow64\DLDWinst.dll

[2010/02/11 13:38:08 | 000,335,872 | ---- | C] () -- C:\Windows\SysWow64\dldwcomx.dll

[2010/02/11 13:38:07 | 000,147,456 | ---- | C] () -- C:\Windows\SysWow64\dldwjswr.dll

[2010/02/11 13:38:07 | 000,106,496 | ---- | C] () -- C:\Windows\SysWow64\dldwinsr.dll

[2010/02/11 13:38:07 | 000,036,864 | ---- | C] () -- C:\Windows\SysWow64\dldwcur.dll

[2010/02/11 13:38:06 | 000,520,192 | ---- | C] () -- C:\Windows\SysWow64\dldwutil.dll

[2010/02/11 13:38:06 | 000,180,224 | ---- | C] () -- C:\Windows\SysWow64\dldwinsb.dll

[2010/02/11 13:38:06 | 000,176,128 | ---- | C] () -- C:\Windows\SysWow64\dldwins.dll

[2010/02/11 13:38:05 | 000,086,016 | ---- | C] () -- C:\Windows\SysWow64\dldwcub.dll

[2010/02/11 13:38:04 | 000,077,824 | ---- | C] () -- C:\Windows\SysWow64\dldwcu.dll

[2010/02/11 13:37:59 | 000,077,906 | ---- | C] () -- C:\Windows\SysWow64\DLDWcfg.dll

[2010/02/01 14:23:28 | 000,327,168 | ---- | C] () -- C:\Windows\SysWow64\cutil32.dll

[2008/05/07 21:42:00 | 001,036,288 | ---- | C] () -- C:\Windows\SysWow64\dldwdrs.dll

[2008/04/23 08:53:14 | 000,081,920 | ---- | C] () -- C:\Windows\SysWow64\dldwcaps.dll

[2008/02/26 20:24:06 | 000,069,632 | ---- | C] () -- C:\Windows\SysWow64\dldwcnv4.dll

[2008/01/21 03:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini

[2008/01/21 03:49:49 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8

@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >