

Posted

Hello, my first post here, or on any PC help forum for that matter. I really hope some folks here may be able to help me.

It appears that my online banking has been hacked. Suddenly, two days ago, the lloydstsb website (which was a favourite link) started asking me for more info than usual about me and my account. I phoned the bank and they said it was a hoax site which looks identical to theirs. It appears someone is waiting for me to input these details and "pharm" them etc.

So - how do I get rid of it?! I saw the guide on this site and I will go through all of those steps when I get in tonight, but I thought it might be useful to say what I have done so far etc. and prepare for some help!

I deleted the link - tried keying in "http lloydstsb" etc. but still got the hoax site. I tried opening up in Firefox instead of IE but still the same problem. I did a full scan using Windows Essentials and it found nothing. I did the same with the Malwarebytes thing and got nothing. I downloaded SpyBot and ran that and nothing. I poked about in start up and Windows system32 files and found nothing. I downloaded a programme called HijackThis but couldn't make head nor tail of it! Still whenever I try and go to the Lloyds site I only get the hoax site. I clearly have some sophisticated trojan/virus embedded and I need some help to get rid of it.

Any help much appreciated. I am at work at the moment so can't do anything on my home PC until tonight. I will go through the steps and create the logs detailed on this forum and post the details on this thread to help anyone who can try and help me.

Cheers,

Nick


Posted

Hi Starbuck - here are the two OTL reports:

 

OTL logfile created on: 28/04/2011 19:34:58 - Run 1

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Hawthorn\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.19048)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

 

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 53.00% Memory free

6.00 Gb Paging File | 5.00 Gb Available in Paging File | 78.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 583.19 Gb Total Space | 390.85 Gb Free Space | 67.02% Space Free | Partition Type: NTFS

Drive D: | 12.98 Gb Total Space | 1.82 Gb Free Space | 14.00% Space Free | Partition Type: NTFS

 

Computer Name: HAWTHORNE-PC | User Name: Hawthorn | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 

========== Processes (SafeList) ==========

 

PRC - C:\Users\Hawthorn\Desktop\OTL.scr (OldTimer Tools)

PRC - C:\Windows\System32\Macromed\Flash\FlashUtil10p_ActiveX.exe (Adobe Systems, Inc.)

PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)

PRC - C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe (Google Inc.)

PRC - C:\Program Files\u*******\u*******.exe (Bit*******, Inc.)

PRC - C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe (CyberLink Corp.)

PRC - C:\Windows\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe (CyberLink)

PRC - C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe (Hewlett-Packard)

PRC - C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe ()

PRC - C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe (Hewlett-Packard)

 

 

========== Modules (SafeList) ==========

 

MOD - C:\Users\Hawthorn\Desktop\OTL.scr (OldTimer Tools)

MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll (Microsoft Corporation)

 

 

========== Win32 Services (SafeList) ==========

 

SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- File not found

SRV - (Norton Internet Security) -- File not found

SRV - (gupdate) Google Update Service (gupdate) -- File not found

SRV - (NisSrv) -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe (Microsoft Corporation)

SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)

SRV - (GameConsoleService) -- C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe (WildTangent, Inc.)

SRV - (ezSharedSvc) -- C:\Windows\System32\ezsvc7.dll (EasyBits Sofware AS)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

 

 

========== Driver Services (SafeList) ==========

 

DRV - (MpKsldf9da8da) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{93B5EE4A-B332-4A14-B789-7506D439D251}\MpKsldf9da8da.sys (Microsoft Corporation)

DRV - (MpKsl59506e51) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{93B5EE4A-B332-4A14-B789-7506D439D251}\MpKsl59506e51.sys (Microsoft Corporation)

DRV - (NPF) -- C:\Windows\System32\drivers\npf.sys (CACE Technologies)

DRV - (NisDrv) -- C:\Windows\System32\drivers\NisDrvWFP.sys (Microsoft Corporation)

DRV - (MpNWMon) -- C:\Windows\System32\drivers\MpNWMon.sys (Microsoft Corporation)

DRV - (PCDSRVC{4F253FFC-7957E8FC-06000000}_0) -- c:\Program Files\PC-Doctor for Windows\pcdsrvc.pkms (PC-Doctor, Inc.)

DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )

DRV - (alcan5wn) SpeedTouch USB ADSL PPP Networking Driver (NDISWAN) -- C:\Windows\System32\drivers\alcan5wn.sys (THOMSON)

DRV - (alcaudsl) -- C:\Windows\System32\drivers\alcaudsl.sys (THOMSON)

DRV - (ASPI32) -- C:\Windows\System32\drivers\aspi32.sys (Adaptec)

 

 

========== Standard Registry (SafeList) ==========

 

 

========== Internet Explorer ==========

 

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=93&bd=Pavilion&pf=cndt

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=93&bd=Pavilion&pf=cndt

 

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=93&bd=Pavilion&pf=cndt

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

 

========== FireFox ==========

 

 

 

FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/27 22:23:35 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

 

[2011/04/27 22:23:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hawthorn\AppData\Roaming\mozilla\Extensions

[2011/04/27 22:23:35 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

File not found (No name found) --

[2009/12/03 00:03:38 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION

[2011/03/18 18:57:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll

[2010/01/01 09:00:00 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml

[2010/01/01 09:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

[2010/01/01 09:00:00 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml

[2010/01/01 09:00:00 | 000,001,180 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml

[2010/01/01 09:00:00 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

 

Hosts file not found

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (AOL Toolbar BHO) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {081230F8-EA50-42A9-983C-D22ABC2EED3B} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)

O4 - HKLM..\Run: [CLMLServer for HP TouchSmart] c:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe (CyberLink)

O4 - HKLM..\Run: [DVDAgent] c:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe (CyberLink Corp.)

O4 - HKLM..\Run: [HP Remote Software] C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe ()

O4 - HKLM..\Run: [hpsysdrv] c:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe (Hewlett-Packard)

O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [smartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe (Hewlett-Packard)

O4 - HKLM..\Run: [updateLBPShortCut] c:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [updateP2GoShortCut] c:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [updatePDIRShortCut] c:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [updatePSTShortCut] c:\Program Files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKCU..\Run: [{F3479133-218F-D79A-E856-E82540F0D7A2}] C:\Users\Hawthorn\AppData\Roaming\Byyf\eknyv.exe ()

O4 - HKCU..\Run: [u*******] C:\Program Files\u*******\u*******.exe (Bit*******, Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 0

O8 - Extra context menu item: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-GB\local\search.html ()

O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O16 - DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} http://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20100728060044 (PhotoboxPhotowaysUploader5 Control)

O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} https://moneymanager.egg.com/Pinsafe/accounttracking.cab (Egg Money Manager Digital Safe)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab (Windows Live Hotmail Photo Upload Tool)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Users\Hawthorn\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O24 - Desktop BackupWallPaper: C:\Users\Hawthorn\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O28 - HKLM ShellExecuteHooks: {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\System32\ezUPBHook.dll (EasyBits Software Corp.)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

 

NetSvcs: FastUserSwitchingCompatibility - File not found

NetSvcs: Ias - File not found

NetSvcs: Nla - File not found

NetSvcs: Ntmssvc - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: SRService - File not found

NetSvcs: WmdmPmSp - File not found

NetSvcs: LogonHours - File not found

NetSvcs: PCAudit - File not found

NetSvcs: helpsvc - File not found

NetSvcs: uploadmgr - File not found

NetSvcs: ezSharedSvc - C:\Windows\System32\ezsvc7.dll (EasyBits Sofware AS)

 

MsConfig - StartUpReg: {F3479133-218F-D79A-E856-E82540F0D7A2} - hkey= - key= - C:\Users\Hawthorn\AppData\Roaming\Byyf\eknyv.exe ()

MsConfig - State: "startup" - 2

 

CREATERESTOREPOINT

Restore point Set: OTL Restore Point

 

========== Files/Folders - Created Within 30 Days ==========

 

[2011/04/28 19:32:44 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Hawthorn\Desktop\OTL.scr

[2011/04/28 17:59:47 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Users\Hawthorn\Desktop\TFC.exe

[2011/04/27 23:11:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy

[2011/04/27 23:11:27 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2011/04/27 22:44:14 | 000,000,000 | ---D | C] -- C:\Users\Hawthorn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis

[2011/04/27 22:44:13 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2011/04/27 22:23:39 | 000,000,000 | ---D | C] -- C:\Users\Hawthorn\AppData\Roaming\Mozilla

[2011/04/27 22:23:39 | 000,000,000 | ---D | C] -- C:\Users\Hawthorn\AppData\Local\Mozilla

[2011/04/27 22:23:34 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[2011/04/27 22:22:58 | 012,399,552 | ---- | C] (Mozilla) -- C:\Users\Hawthorn\Desktop\Firefox Setup 4.0.exe

[2011/04/27 08:56:29 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll

[2011/04/27 08:56:29 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll

[2011/04/27 08:56:15 | 000,876,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll

[2011/04/23 11:54:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes

[2011/04/23 11:54:13 | 000,000,000 | ---D | C] -- C:\Program Files\iPod

[2011/04/23 11:52:09 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour

[2011/04/13 20:31:03 | 000,292,864 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll

[2011/04/13 20:31:02 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll

[2011/04/13 20:30:58 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl

[2011/04/13 20:30:58 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll

[2011/04/13 20:30:58 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll

[2011/04/13 20:30:58 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll

[2011/04/13 20:30:58 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec

[2011/04/13 20:30:58 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll

[2011/04/13 20:30:57 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb

[2011/04/13 20:30:57 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll

[2011/04/13 20:30:57 | 000,173,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe

[2011/04/13 20:30:57 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe

[2011/04/13 20:30:57 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll

[2011/04/13 20:30:57 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll

[2011/04/13 20:30:57 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll

[2011/04/13 20:30:57 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll

[2011/04/13 20:30:57 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll

[2011/04/13 20:30:57 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll

[2011/04/13 20:30:57 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe

[2011/04/13 20:30:53 | 001,162,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc42u.dll

[2011/04/13 20:30:52 | 001,136,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc42.dll

[2011/04/13 20:30:48 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dnscacheugc.exe

[2011/04/13 20:30:46 | 002,041,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

[2011/04/13 20:30:44 | 000,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll

[2011/04/13 20:30:44 | 000,420,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll

[2011/04/12 08:41:22 | 000,000,000 | ---D | C] -- C:\Users\Hawthorn\Documents\Wondershare Streaming Video Recorder

[2011/04/12 08:41:09 | 000,034,064 | ---- | C] (CACE Technologies) -- C:\Windows\System32\drivers\npf.sys

[2011/04/12 08:41:09 | 000,000,000 | ---D | C] -- C:\Windows\SysWOW64

[2011/04/12 08:41:08 | 000,240,248 | ---- | C] (CACE Technologies) -- C:\Windows\System32\wpcap.dll

[2011/04/12 08:41:08 | 000,088,704 | ---- | C] (CACE Technologies) -- C:\Windows\System32\Packet.dll

[2011/04/06 16:20:16 | 000,197,920 | ---- | C] (Apple Inc.) -- C:\Windows\System32\dnssdX.dll

[2011/04/06 16:20:16 | 000,107,808 | ---- | C] (Apple Inc.) -- C:\Windows\System32\dns-sd.exe

[2011/04/06 16:20:16 | 000,091,424 | ---- | C] (Apple Inc.) -- C:\Windows\System32\dnssd.dll

[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

[1 C:\Users\Hawthorn\Desktop\*.tmp files -> C:\Users\Hawthorn\Desktop\*.tmp -> ]

 

========== Files - Modified Within 30 Days ==========

 

[2011/04/28 19:32:51 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Hawthorn\Desktop\OTL.scr

[2011/04/28 19:00:01 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2011/04/28 18:06:32 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2011/04/28 18:05:29 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2011/04/28 18:05:29 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2011/04/28 18:05:05 | 3207,802,880 | -HS- | M] () -- C:\hiberfil.sys

[2011/04/28 17:59:53 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Hawthorn\Desktop\TFC.exe

[2011/04/28 06:56:53 | 000,002,529 | ---- | M] () -- C:\Users\Hawthorn\Desktop\HiJackThis.lnk

[2011/04/27 22:43:14 | 001,402,880 | ---- | M] () -- C:\Users\Hawthorn\Desktop\HijackThis.msi

[2011/04/27 22:23:36 | 000,000,872 | ---- | M] () -- C:\Users\Hawthorn\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2011/04/27 22:23:36 | 000,000,848 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk

[2011/04/27 22:23:16 | 012,399,552 | ---- | M] (Mozilla) -- C:\Users\Hawthorn\Desktop\Firefox Setup 4.0.exe

[2011/04/24 08:34:13 | 000,006,028 | ---- | M] () -- C:\Users\Hawthorn\AppData\Roaming\wklnhst.dat

[2011/04/23 11:54:49 | 000,001,666 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk

[2011/04/15 11:16:02 | 000,000,334 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForHawthorn.job

[2011/04/14 07:56:31 | 000,317,696 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2011/04/06 16:20:16 | 000,197,920 | ---- | M] (Apple Inc.) -- C:\Windows\System32\dnssdX.dll

[2011/04/06 16:20:16 | 000,107,808 | ---- | M] (Apple Inc.) -- C:\Windows\System32\dns-sd.exe

[2011/04/06 16:20:16 | 000,091,424 | ---- | M] (Apple Inc.) -- C:\Windows\System32\dnssd.dll

[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

[1 C:\Users\Hawthorn\Desktop\*.tmp files -> C:\Users\Hawthorn\Desktop\*.tmp -> ]

 

========== Files Created - No Company Name ==========

 

[2011/04/27 22:44:14 | 000,002,529 | ---- | C] () -- C:\Users\Hawthorn\Desktop\HiJackThis.lnk

[2011/04/27 22:43:03 | 001,402,880 | ---- | C] () -- C:\Users\Hawthorn\Desktop\HijackThis.msi

[2011/04/27 22:23:36 | 000,000,872 | ---- | C] () -- C:\Users\Hawthorn\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2011/04/27 22:23:36 | 000,000,860 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk

[2011/04/27 22:23:36 | 000,000,848 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk

[2011/04/23 11:54:49 | 000,001,666 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk

[2011/04/12 08:41:08 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll

[2011/01/11 00:20:37 | 000,000,033 | ---- | C] () -- C:\ProgramData\{081230F8-EA50-42A9-983C-D22ABC2EED3B}.ini

[2010/11/20 22:09:38 | 000,001,649 | ---- | C] () -- C:\Users\Hawthorn\AppData\Roaming\dvdae.config

[2010/11/20 22:04:59 | 000,001,302 | ---- | C] () -- C:\ProgramData\ss.ini

[2010/11/20 22:04:21 | 000,000,034 | ---- | C] () -- C:\Users\Hawthorn\AppData\Roaming\{081230F8-EA50-42A9-983C-D22ABC2EED3B}.ini

[2010/06/30 01:12:16 | 000,013,312 | ---- | C] () -- C:\Windows\LPRES.DLL

[2010/01/01 20:19:26 | 000,028,731 | ---- | C] () -- C:\Users\Hawthorn\AppData\Roaming\UserTile.png

[2009/12/13 20:05:40 | 000,006,028 | ---- | C] () -- C:\Users\Hawthorn\AppData\Roaming\wklnhst.dat

[2009/12/04 11:42:54 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll

[2009/12/04 11:42:54 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin

[2009/11/30 18:14:47 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat

[2009/11/30 13:15:07 | 000,071,168 | ---- | C] () -- C:\Users\Hawthorn\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/11/30 13:06:43 | 000,005,606 | ---- | C] () -- C:\Windows\System32\stci.dll

[2009/11/30 13:04:01 | 000,000,680 | ---- | C] () -- C:\Users\Hawthorn\AppData\Local\d3d9caps.dat

[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll

[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe

[2009/06/16 19:30:33 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

[2009/06/16 11:52:01 | 000,009,300 | ---- | C] () -- C:\Windows\System32\ezdigsgn.dat

[2009/06/16 11:01:08 | 000,354,816 | ---- | C] () -- C:\Windows\System32\pythoncom26.dll

[2009/06/16 11:01:08 | 000,108,032 | ---- | C] () -- C:\Windows\System32\pywintypes26.dll

[2006/11/02 13:47:37 | 000,317,696 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT

[2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006/11/02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat

[2006/11/02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat

[2006/11/02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat

[2006/11/02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

[2006/11/02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT

[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2006/11/02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

[2005/02/04 04:59:48 | 000,118,784 | ---- | C] () -- C:\Windows\System32\metaflac.exe

[2005/02/04 04:59:44 | 000,217,088 | ---- | C] () -- C:\Windows\System32\flac.exe

 

========== LOP Check ==========

 

[2009/12/25 19:14:05 | 000,000,000 | ---D | M] -- C:\Users\Hawthorn\AppData\Roaming\Amazon

[2009/11/30 21:15:08 | 000,000,000 | ---D | M] -- C:\Users\Hawthorn\AppData\Roaming\Broad Intelligence

[2010/02/24 22:22:31 | 000,000,000 | ---D | M] -- C:\Users\Hawthorn\AppData\Roaming\Byyf

[2010/06/19 13:49:51 | 000,000,000 | ---D | M] -- C:\Users\Hawthorn\AppData\Roaming\Doctor Who

[2011/04/28 17:58:47 | 000,000,000 | ---D | M] -- C:\Users\Hawthorn\AppData\Roaming\Epeve

[2010/01/01 20:19:26 | 000,000,000 | ---D | M] -- C:\Users\Hawthorn\AppData\Roaming\PeerNetworking

[2009/12/13 20:05:41 | 000,000,000 | ---D | M] -- C:\Users\Hawthorn\AppData\Roaming\Template

[2011/04/28 19:36:53 | 000,000,000 | ---D | M] -- C:\Users\Hawthorn\AppData\Roaming\u*******

[2009/11/30 19:20:06 | 000,000,000 | ---D | M] -- C:\Users\Hawthorn\AppData\Roaming\WildTangent

[2010/12/05 11:07:31 | 000,000,000 | ---D | M] -- C:\Users\Hawthorn\AppData\Roaming\WinBatch

[2011/01/11 00:25:26 | 000,000,000 | ---D | M] -- C:\Users\Hawthorn\AppData\Roaming\Xilisoft

[2011/04/18 15:01:59 | 000,000,000 | ---D | M] -- C:\Users\Hawthorn\AppData\Roaming\_MDLogs

[2011/02/28 19:55:38 | 000,000,552 | ---- | M] () -- C:\Windows\Tasks\PCDRScheduledMaintenance.job

[2011/04/28 18:04:18 | 000,032,620 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

 

========== Purity Check ==========

 

 

 

========== Custom Scans ==========

 

 

< %SYSTEMDRIVE%\*.* >

[2009/11/30 20:17:03 | 000,001,278 | ---- | M] () -- C:\Ask & Record Toolbar Setup Log.txt

[2006/09/18 22:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat

[2009/04/11 07:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr

[2009/06/16 19:23:11 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK

[2006/09/18 22:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys

[2010/12/12 12:17:43 | 000,000,375 | ---- | M] () -- C:\FINIS_IT.TXT

[2011/04/28 18:05:05 | 3207,802,880 | -HS- | M] () -- C:\hiberfil.sys

[2011/04/28 18:05:04 | 3523,690,496 | -HS- | M] () -- C:\pagefile.sys

[2011/04/27 22:56:24 | 000,000,403 | ---- | M] () -- C:\rkill.log

[2009/06/16 11:36:45 | 000,000,349 | ---- | M] () -- C:\updatedatfix.log

[2008/08/26 13:37:52 | 000,000,458 | ---- | M] () -- C:\Windows Sidebar

 

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >

[2006/11/02 13:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll

[2006/10/26 20:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\msonpppr.dll

 

< %systemroot%\*. /mp /s >

 

< %systemroot%\system32\*.dll /lockedfiles >

[2009/03/08 12:31:42 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll

[2009/03/08 12:31:37 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll

[1 C:\Windows\system32\*.tmp files -> C:\Windows\system32\*.tmp -> ]

 

< %systemroot%\Tasks\*.job /lockedfiles >

 

< %systemroot%\system32\drivers\*.sys /lockedfiles >

[2010/10/24 22:25:38 | 000,043,392 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\drivers\MpNWMon.sys

 

< %systemroot%\system32\*.exe /lockedfiles >

[1 C:\Windows\system32\*.tmp files -> C:\Windows\system32\*.tmp -> ]

 

< %systemroot%\System32\config\*.sav >

[2008/01/21 04:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV

[2008/01/21 04:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV

[2008/01/21 04:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV

[2006/11/02 11:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV

[2006/11/02 11:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

 

< %PROGRAMFILES%\* >

[2008/01/21 03:43:21 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

 

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

 

< hklm\software\clients\startmenuinternet|command /rs >

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/03/18 18:57:04 | 000,711,624 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/03/18 18:57:04 | 000,711,624 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/03/18 18:57:04 | 000,711,624 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/03/18 18:57:02 | 000,924,632 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/03/18 18:57:02 | 000,924,632 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/03/18 18:57:02 | 000,924,632 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\system32\ie4uinit.exe" -hide [2011/02/22 05:43:42 | 000,173,568 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\system32\ie4uinit.exe" -show [2011/02/22 05:43:42 | 000,173,568 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\system32\ie4uinit.exe" -reinstall [2011/02/22 05:43:42 | 000,173,568 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2011/02/22 07:21:12 | 000,638,232 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2011/02/22 07:21:12 | 000,638,232 | ---- | M] (Microsoft Corporation)

 

< hklm\software\clients\startmenuinternet|command /64 /rs >

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/03/18 18:57:04 | 000,711,624 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/03/18 18:57:04 | 000,711,624 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/03/18 18:57:04 | 000,711,624 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/03/18 18:57:02 | 000,924,632 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/03/18 18:57:02 | 000,924,632 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/03/18 18:57:02 | 000,924,632 | ---- | M] (Mozilla Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\system32\ie4uinit.exe" -hide [2011/02/22 05:43:42 | 000,173,568 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\system32\ie4uinit.exe" -show [2011/02/22 05:43:42 | 000,173,568 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\system32\ie4uinit.exe" -reinstall [2011/02/22 05:43:42 | 000,173,568 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2011/02/22 07:21:12 | 000,638,232 | ---- | M] (Microsoft Corporation)

HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2011/02/22 07:21:12 | 000,638,232 | ---- | M] (Microsoft Corporation)

 

========== Alternate Data Streams ==========

 

And:

 

OTL Extras logfile created on: 28/04/2011 19:34:58 - Run 1

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Hawthorn\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.19048)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

 

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 53.00% Memory free

6.00 Gb Paging File | 5.00 Gb Available in Paging File | 78.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 583.19 Gb Total Space | 390.85 Gb Free Space | 67.02% Space Free | Partition Type: NTFS

Drive D: | 12.98 Gb Total Space | 1.82 Gb Free Space | 14.00% Space Free | Partition Type: NTFS

 

Computer Name: HAWTHORNE-PC | User Name: Hawthorn | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 

========== Extra Registry (SafeList) ==========

 

 

========== File Associations ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

 

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

 

========== Shell Spawning ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

 

========== Security Center Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"VistaSp2" = Reg Error: Unknown registry data type -- File not found

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

 

========== Firewall Settings ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

 

========== Authorized Applications List ==========

 

 

========== Vista Active Open Ports Exception List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{086C0AF9-53AF-41CF-AC1F-32B48D4C7B6A}" = lport=139 | protocol=6 | dir=in | app=system |

"{109696BE-3E83-40C1-8D42-180C36F47B1A}" = lport=445 | protocol=6 | dir=in | app=system |

"{25DB9E11-4D0E-4DE0-A3D3-C6883CF357F7}" = rport=139 | protocol=6 | dir=out | app=system |

"{28BF3C60-F019-45F9-8FE2-5D73EC2F3E9C}" = rport=137 | protocol=17 | dir=out | app=system |

"{2B082DF2-8C68-4F80-A1F9-F153232575D2}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

"{5AAA6247-14C2-44B7-B785-33A0B18807C7}" = rport=445 | protocol=6 | dir=out | app=system |

"{AD2DA5E0-353F-49C1-B4A5-5161339EFA3F}" = lport=137 | protocol=17 | dir=in | app=system |

"{BE88A68A-D301-4295-BC6C-B8DD374879C5}" = lport=138 | protocol=17 | dir=in | app=system |

"{C38C16C1-AECB-47B8-BFB9-40C4236B786C}" = rport=138 | protocol=17 | dir=out | app=system |

"{C3F41F2D-CD08-460E-A5B7-C74A9E599AEF}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

 

========== Vista Active Application Exception List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{1065F8B4-7B97-420D-A4D9-25F5C0A00E96}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{14F40AEB-F7AA-4CC0-9E2C-4CEEF409216A}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{15C17941-A575-4917-92DD-CF7D6F88767B}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\hptouchsmartmusic.exe |

"{308BB295-DC95-46CC-A780-6DD5652E82F1}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\kernel\clml\clmlsvc.exe |

"{33DA1158-4DB3-41E5-B9A7-0B78A4370CEE}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartphoto.exe |

"{361FBC7E-AB26-446F-A57A-AEB4AB0FDAC5}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartphoto.exe |

"{3D64A585-B95D-40A8-B731-EEAC9B02FF3F}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |

"{427F587D-D3A6-4142-A128-AF392E63E65F}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartmusic.exe |

"{4FE38CF0-677C-4D27-BB2B-E2822C610876}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |

"{53436E19-E608-4DC3-945F-E057C12F0094}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\hptouchsmartvideo.exe |

"{5A431749-C09B-4EE9-B7C3-7031C00A5E2A}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\kernel\clml\clmlsvc.exe |

"{68925BD8-593D-4E32-B21A-F88C26CDDC92}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartvideo.exe |

"{6D49EA74-8D0B-422F-BA9A-5F6D11886588}" = protocol=17 | dir=in | app=c:\users\hawthorn\desktop\audioconverter_setup.exe |

"{70A77100-15DC-4FEB-9A3A-8D8B234B5AE9}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |

"{7CBA89ED-4BDE-43FF-948D-5C93995A3BD4}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartvideo.exe |

"{8217C5BF-BC73-4BB6-B795-2B9728E595BC}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{85B5B1CD-68EF-40F2-82D7-12792B1EC125}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{973A0764-472F-4098-A79C-C6F044B5F8AE}" = protocol=17 | dir=in | app=c:\program files\u*******\u*******.exe |

"{9FA36AE3-D53F-4522-B87D-6019E75B492D}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\hptouchsmartphoto.exe |

"{A0ED2407-3306-49AE-BAEC-83C98D2B94E0}" = dir=in | app=c:\program files\itunes\itunes.exe |

"{AEF51EE7-D43D-42A8-8840-C4C873156A6F}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hpdvdsmart.exe |

"{AF4C6573-9B35-4CAE-8DB6-3A72C8F21AAE}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |

"{B2B89773-6AAE-415B-88B4-E09CF192B502}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartmusic.exe |

"{C40678ED-2B59-4351-B12F-C6032034750C}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |

"{CE5DD0AA-B329-430C-B492-9E4D90A453E6}" = protocol=6 | dir=in | app=c:\program files\u*******\u*******.exe |

"{D34FB656-88AC-4170-8342-804B8155F3D3}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\tsmagent.exe |

"{D8880645-3237-4B58-ACF6-9A5499F4DA26}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\tsmagent.exe |

"{DAF2B2F5-288F-40EF-844F-EB02231BAB1D}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\kernel\clml\clmlsvc.exe |

"{E656437E-D496-4FA9-8FC3-FB833CBD91EF}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\tsmagent.exe |

"{E855CC10-9B5D-4FEF-8ED7-6AC1922F1B88}" = protocol=6 | dir=in | app=c:\users\hawthorn\desktop\audioconverter_setup.exe |

"{EAC67776-0C17-40B0-9F15-30105F153D05}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hpdvdsmart.exe |

"TCP Query User{112E744C-D470-412A-89FE-81F79790F220}C:\program files\speedtouch\dr speedtouch\drst.exe" = protocol=6 | dir=in | app=c:\program files\speedtouch\dr speedtouch\drst.exe |

"TCP Query User{892652AF-2D7A-4B94-8777-1CF509364A67}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe |

"TCP Query User{CF6948CF-1694-4505-8C3B-B4AD5587A1C1}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |

"TCP Query User{F546FB83-0CEB-428E-ACB1-8FA20AD90B3E}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe |

"UDP Query User{2624E9A8-B13D-4B27-A493-F5BE0C196680}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |

"UDP Query User{6A90F574-282B-4591-91DF-4CEF336F57EA}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe |

"UDP Query User{6DF8F322-7557-4E17-8C73-44C760F0EA2C}C:\program files\speedtouch\dr speedtouch\drst.exe" = protocol=17 | dir=in | app=c:\program files\speedtouch\dr speedtouch\drst.exe |

"UDP Query User{DC2043D5-CCF0-4A33-8234-D49FB4491905}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe |

 

========== HKEY_LOCAL_MACHINE Uninstall List ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{0295F89F-F698-4101-9A7D-49F407EC2D82}" = HP Active Support Library

"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter

"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{1CC069FA-1A86-402E-9787-3F04E652C67A}" = HP Support Information

"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library

"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java 6 Update 18

"{290CA856-3737-4874-864B-BA142F4823C8}_is1" = HP MediaSmart Demo

"{353FE16B-30FE-469A-BF55-B978F4218003}" = iTunes

"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729

"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker

"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go

"{40FAB9CD-D1A8-44DC-9B61-38B135E26E67}_is1" = Ask Default Search

"{40FB8D7C-6FF8-4AF2-BC8B-0B1DB32AF04B}" = HP Advisor

"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis

"{47F36D92-E58E-456D-B73C-3382737E4C42}" = HP Update

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{55979C41-7D6A-49CC-B591-64AC1BBE2C8B}" = HP Picasso Media Center Add-In

"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime

"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053

"{5F240DB8-0D74-4F13-86C3-929760392A8D}" = HP Remote Software

"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware

"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client

"{784BEA84-FA66-4B19-BB80-7B545F248AC6}" = HP Total Care Setup

"{7B15D70E-9449-4CFB-B9BC-798465B2BD5C}" = Norton Internet Security

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec

"{7C5B4583-7CBF-4289-B195-03B553959DEA}" = VoiceOver Kit

"{7F10292C-A190-4176-A665-A1ED3478DF86}" = LightScribe System Software

"{83073C45-3003-4671-9A86-243AAADD915A}" = Microsoft Calculator Plus

"{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)

"{9CC89170-000B-457D-91F1-53691F85B223}" = Python 2.6.1

"{9F73FDEF-DDC1-4307-9D96-13AB3254641A}_is1" = Doctor Who: The Adventure Games

"{A0640EC2-B97E-4FC1-AD14-227C9E386BB4}" = HP Recovery Manager RSS

"{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder

"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter

"{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8

"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder

"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video

"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player

"{B84739A3-F943-47E4-95D8-96381EF5AC48}" = HP Customer Experience Enhancements

"{B8AC1A89-FFD1-4F97-8051-E505A160F562}" = HP Odometer

"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour

"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint

"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support

"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD

"{E9E34215-82EF-4909-BE2F-F581F0DC9062}" = DirectX for Managed Code Update (Summer 2004)

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{FF202088-CF66-4DCA-B1C3-185E7044CEE6}" = HP MediaSmart SmartMenu

"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

"7-Zip" = 7-Zip 4.57

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.9

"AOL Toolbar" = AOL Toolbar 5.0

"BookSmart® 2.9.5 2.9.5" = BookSmart® 2.9.5 2.9.5

"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters

"EasyBits Magic Desktop" = Magic Desktop

"FLAC" = FLAC Installer 1.1.2a (remove only)

"HDMI" = Intel® Graphics Media Accelerator Driver

"HOMESTUDENTR" = Microsoft Office Home and Student 2007

"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe

"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go

"InstallShield_{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility

"InstallShield_{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video

"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint

"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector

"InstallShield_{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"MediaCoder Audio Edition" = MediaCoder Audio Edition 0.7.2.4530

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Microsoft Security Client" = Microsoft Security Essentials

"Mozilla Firefox 4.0 (x86 en-GB)" = Mozilla Firefox 4.0 (x86 en-GB)

"NewzToolz_is1" = NewzToolz v1.0.1

"OfficeTrial" = Microsoft Office Home and Student 60 day trial

"PC-Doctor for Windows" = Hardware Diagnostic Tools

"pywin32-py2.6" = Python 2.6 pywin32-212

"Security Task Manager" = Security Task Manager 1.8c

"sp44626" = sp44626

"u*******" = µ*******

"WildTangent hp Master Uninstall" = HP Games

 

========== Last 10 Event Log Errors ==========

 

[ Application Events ]

Error - 25/04/2011 03:56:17 | Computer Name = Hawthorne-PC | Source = WinMgmt | ID = 10

Description =

 

Error - 25/04/2011 09:52:24 | Computer Name = Hawthorne-PC | Source = WinMgmt | ID = 10

Description =

 

Error - 25/04/2011 10:58:16 | Computer Name = Hawthorne-PC | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 8.0.6001.19048, time stamp

0x4d633f27, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception

code 0xc0000005, fault offset 0x210fbdb5, process id 0xb10, application start time

0x01cc0351f7f4add2.

 

Error - 25/04/2011 18:09:07 | Computer Name = Hawthorne-PC | Source = Application Hang | ID = 1002

Description = The program iTunes.exe version 10.2.2.12 stopped interacting with

Windows and was closed. To see if more information about the problem is available,

check the problem history in the Problem Reports and Solutions control panel. Process

ID: e24 Start Time: 01cc0363418d7fb2 Termination Time: 5

 

Error - 26/04/2011 02:40:04 | Computer Name = Hawthorne-PC | Source = WinMgmt | ID = 10

Description =

 

Error - 26/04/2011 19:15:42 | Computer Name = Hawthorne-PC | Source = WinMgmt | ID = 10

Description =

 

Error - 27/04/2011 03:45:53 | Computer Name = Hawthorne-PC | Source = WinMgmt | ID = 10

Description =

 

Error - 27/04/2011 04:43:03 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083

Description =

 

Error - 27/04/2011 04:43:03 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083

Description =

 

Error - 27/04/2011 04:43:41 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083

Description =

 

[ System Events ]

Error - 27/04/2011 22:00:34 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20

Description =

 

Error - 28/04/2011 08:43:17 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20

Description =

 

Error - 28/04/2011 08:50:35 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7000

Description =

 

Error - 28/04/2011 08:52:36 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7000

Description =

 

Error - 28/04/2011 12:27:57 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20

Description =

 

Error - 28/04/2011 12:56:37 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7000

Description =

 

Error - 28/04/2011 12:58:37 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7000

Description =

 

Error - 28/04/2011 13:00:48 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7031

Description =

 

Error - 28/04/2011 13:05:35 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7000

Description =

 

Error - 28/04/2011 13:07:36 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7000

Description =

 

 

< End of report >

 

 

Also - here is the Log from the MBAM run:

 

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4213

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.19048

28/04/2011 19:19:15

mbam-log-2011-04-28 (19-19-15).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Objects scanned: 303839

Time elapsed: 1 hour(s), 10 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

 

 

 

@Alternate Data Stream - 140 bytes -> C:\ProgramData\Temp:30FD0CBD

< End of report >

Posted

One other thing - the MBAM scan came up blank - but I did run that last night before finding this forum, and it found these two files which I removed. But the virus is still there, hence this thread! The details were:

 

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4213

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.19048

27/04/2011 19:10:06

mbam-log-2011-04-27 (19-10-06).txt

Scan type: Quick scan

Objects scanned: 124424

Time elapsed: 7 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Hawthorn\AppData\Local\Temp\0.11445688886370697.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Users\Hawthorn\AppData\Local\Temp\0.9443521808165434.exe (Trojan.Dropper) -

Posted

Hi Nick,

 

Ready for a little bit of work? :)

 

P2P Warning

Please note that as long as you're using any form of Peer-to-Peer networking (Frostwire, Limewire, uTorrent etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.

Once upon a time, P2P file sharing was fairly safe. That is no longer true.

P2P programmes form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

 

Many of the programmes come bundled with other unwanted programmes, but even the ones free of any bundled software are not safe to use.

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

 

You may decide to continue P2P sharing, but keep in mind that this practice may be the source of future malware infestation.

If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we may refuse to help you.

 

 

 

Step 1

You still have some remnants of Norton on the system.

To remove Norton Products:

Go to: Norton Removal Tool

 

Download it to your 'Desktop'.

Then click on the desktop icon to run the removal tool.

When complete, reboot the system

 

 

Step 2

Your MBAM is way out of date:

 

This is yours:

Malwarebytes' Anti-Malware 1.46

http://www.malwarebytes.org

 

Database version: 4213

This is mine today:

Malwarebytes' Anti-Malware 1.50.1.1100

http://www.malwarebytes.org

 

Database version: 6467

 

Please update MBAM and run another scan:

Start MBAM

Click on the Update tab

 

http://img.photobucket.com/albums/v708/starbuck50/new/mbamnew.png

 

Click Check for Updates

 

The latest Database Version is: 6467

 

If it says that MBAM needs to close to update it... let it close and then restart.

Then run the update again once the program has been updated.

Running the update a second time will update the database version.

 

Then click the Scan button.

 

Don't forget:

  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

 

Step 3

Double click on OTL to run it.

Copy the lines in the codebox below. (make sure that :Otl is on the first line )

:otl
SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- File not found
SRV - (Norton Internet Security) -- File not found
SRV - (gupdate) Google Update Service (gupdate) -- File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {081230F8-EA50-42A9-983C-D22ABC2EED3B} - No CLSID value found.
O4 - HKCU..\Run: [{F3479133-218F-D79A-E856-E82540F0D7A2}] C:\Users\Hawthorn\AppData\Roaming\Byyf\eknyv.exe ()
MsConfig - StartUpReg: {F3479133-218F-D79A-E856-E82540F0D7A2} - hkey= - key= - C:\Users\Hawthorn\AppData\Roaming\Byyf\eknyv.exe ()
@Alternate Data Stream - 140 bytes -> C:\ProgramData\Temp:30FD0CBD

:Files
ipconfig /flushdns /c

:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]

  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
     
    http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
     
  • Click the red Run Fix button.
     
    http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
     
  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

 

 

In your next reply, please submit:

New MBAM report

OTL fix report

 

 

Thanks.

Member of:

UNITE
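The checks in the reply above were applied by eye: the O4 line was picked out of the OTL log because its Run value is named with a random GUID, it points to a short random folder and file under AppData\Roaming, and OTL printed "()" because the executable carries no publisher; the fix then resets the HOSTS file and flushes the DNS cache in case a redirect is in play. The script below is an added editorial example, not code from this thread, from OTL or from Malwarebytes. It encodes those same checks as heuristics over the kind of lines that were posted: OTL O4 autostart entries, a HOSTS file, and the %TEMP% filenames from the earlier MBAM log. The regular expressions are assumptions of my own, not vendor signatures; the Realtek line and the 203.0.113.7 HOSTS entry are constructed for contrast and do not appear in the logs; the "0.<digits>.exe" temp-file shape is an assumed dropper naming pattern, not something the thread establishes.

```python
"""Triage heuristics for OTL O4 lines, a HOSTS file and %TEMP% filenames.

Added example, not code from the thread, OTL or Malwarebytes. Sample inputs are
constructed to mirror the posted logs; the regexes are editorial heuristics.
"""
import re
from ipaddress import ip_address

# Run value named like a GUID, e.g. {F3479133-218F-D79A-E856-E82540F0D7A2}
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# OTL "O4" autostart line:  O4 - HKCU..\Run: [name] path (company)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]+)\] "
                   r"(?P<path>.+?) \((?P<company>[^)]*)\)\s*$")
# Executable under AppData\Roaming\<short random folder>\<short random name>.exe
APPDATA_RANDOM_RE = re.compile(r"\\AppData\\Roaming\\[A-Za-z]{3,6}\\[A-Za-z]{3,8}\.exe$", re.I)
# Assumption: "0.<digits>.exe" in %TEMP% is the shape of a dropper named with a random float
TEMP_RANDOM_RE = re.compile(r"\\AppData\\Local\\Temp\\0\.\d+\.exe$", re.I)


def parse_o4(line):
    """Split one OTL O4 line into hive/name/path/company; None if not an O4 line."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def autostart_reasons(entry):
    """Heuristic reasons a parsed O4 entry looks like a dropped trojan (may be empty)."""
    reasons = []
    if GUID_RE.match(entry["name"]):
        reasons.append("guid_name")            # random GUID instead of a product name
    if APPDATA_RANDOM_RE.search(entry["path"]):
        reasons.append("random_appdata_path")  # short random folder and file name
    if not entry["company"].strip():
        reasons.append("no_publisher")         # OTL prints "()" when the PE has no company
    return reasons


def flag_autostarts(o4_lines):
    """Return (name, path, reasons) for every O4 line that trips at least one heuristic."""
    flagged = []
    for line in o4_lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = autostart_reasons(entry)
        if reasons:
            flagged.append((entry["name"], entry["path"], reasons))
    return flagged


def suspicious_hosts_entries(hosts_text, watch_domains):
    """Return (hostname, ip) pairs mapping a watched domain to a non-loopback address."""
    watch = [d.lower() for d in watch_domains]
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip_text, *names = line.split()
        try:
            addr = ip_address(ip_text)
        except ValueError:
            continue                          # malformed line, not a redirect
        if addr.is_loopback:
            continue                          # 127.0.0.1 / ::1 localhost lines are normal
        for name in names:
            low = name.lower()
            if any(low == d or low.endswith("." + d) for d in watch):
                hits.append((name, ip_text))
    return hits


def flag_temp_droppers(paths):
    """Return the %TEMP% paths whose filename matches the random-float dropper shape."""
    return [p for p in paths if TEMP_RANDOM_RE.search(p)]


# Constructed sample input: the second O4 line and the temp paths mirror the posted
# logs; the Realtek line and the 203.0.113.7 HOSTS entry are invented for contrast.
SAMPLE_O4 = [
    r"O4 - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)",
    r"O4 - HKCU..\Run: [{F3479133-218F-D79A-E856-E82540F0D7A2}] C:\Users\Hawthorn\AppData\Roaming\Byyf\eknyv.exe ()",
]
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# constructed: what a HOSTS-file hijack of a bank domain would look like
203.0.113.7     www.lloydstsb.com lloydstsb.com
"""
SAMPLE_TEMP = [
    r"C:\Users\Hawthorn\AppData\Local\Temp\0.11445688886370697.exe",
    r"C:\Users\Hawthorn\AppData\Local\Temp\0.9443521808165434.exe",
    r"C:\Users\Hawthorn\AppData\Local\Temp\setup.exe",
]

if __name__ == "__main__":
    for name, path, reasons in flag_autostarts(SAMPLE_O4):
        print("autostart", name, path, ",".join(reasons))
    for host, ip in suspicious_hosts_entries(SAMPLE_HOSTS, ["lloydstsb.com"]):
        print("hosts", host, "->", ip)
    for p in flag_temp_droppers(SAMPLE_TEMP):
        print("temp", p)
```

Two caveats worth keeping in mind when reading results like these. First, the autostart entry is the real find here, not the HOSTS file: the family MBAM later names for eknyv.exe, Zbot (Zeus), is documented to place its fake banking pages by hooking the HTTP functions inside the browser process, which is consistent with both IE and Firefox showing the hoax site after a correctly typed URL; a clean HOSTS file and a correct DNS answer therefore do not clear a machine, and [RESETHOSTS] plus the flushdns only cover the simpler redirect case. Second, once a banking trojan has been confirmed on a PC, any credentials typed on it while it was infected should be treated as exposed regardless of whether the fake page was ever filled in.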

Posted

Done that, cheers - here are the two reports - new MBAM:

 

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6467

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.19048

28/04/2011 23:27:56

mbam-log-2011-04-28 (23-27-56).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Objects scanned: 327280

Time elapsed: 59 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{F3479133-218F-D79A-E856-E82540F0D7A2} (Trojan.ZbotR.Gen) -> Value: {F3479133-218F-D79A-E856-E82540F0D7A2} -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Hawthorn\AppData\Roaming\Byyf\eknyv.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.

 

And the OTL fix report:

 

All processes killed

========== OTL ==========

Error: No service named rpcapd) Remote Packet Capture Protocol v.0 (experimental was found to stop!

Service\Driver key rpcapd) Remote Packet Capture Protocol v.0 (experimental not found.

File File not found not found.

Error: No service named Norton Internet Security was found to stop!

Service\Driver key Norton Internet Security not found.

File File not found not found.

Error: No service named gupdate) Google Update Service (gupdate was found to stop!

Service\Driver key gupdate) Google Update Service (gupdate not found.

File File not found not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{081230F8-EA50-42A9-983C-D22ABC2EED3B} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{081230F8-EA50-42A9-983C-D22ABC2EED3B}\ not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\{F3479133-218F-D79A-E856-E82540F0D7A2} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3479133-218F-D79A-E856-E82540F0D7A2}\ not found.

File C:\Users\Hawthorn\AppData\Roaming\Byyf\eknyv.exe not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\{F3479133-218F-D79A-E856-E82540F0D7A2}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3479133-218F-D79A-E856-E82540F0D7A2}\ not found.

ADS C:\ProgramData\Temp:30FD0CBD deleted successfully.

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\Hawthorn\Desktop\cmd.bat deleted successfully.

C:\Users\Hawthorn\Desktop\cmd.txt deleted successfully.

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: All Users

 

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Hawthorn

->Temp folder emptied: 18142648 bytes

->Temporary Internet Files folder emptied: 4723383 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 8305507 bytes

->Google Chrome cache emptied: 0 bytes

->Flash cache emptied: 3051 bytes

 

User: Public

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 5472 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 17036 bytes

RecycleBin emptied: 0 bytes

 

Total Files Cleaned = 30.00 mb

 

HOSTS file reset successfully

 

[EMPTYFLASH]

 

User: All Users

 

User: Default

 

User: Default User

 

User: Hawthorn

->Flash cache emptied: 0 bytes

 

User: Public

 

Total Flash Files Cleaned = 0.00 mb

 

 

OTL by OldTimer - Version 3.2.22.3 log created on 04282011_233217

Files\Folders moved on Reboot...

C:\Users\Hawthorn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OJV3LO75\ads[2].htm moved successfully.

C:\Users\Hawthorn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OJV3LO75\r[1].htm moved successfully.

C:\Users\Hawthorn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OJV3LO75\search[1].htm moved successfully.

C:\Users\Hawthorn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\37B8702E\11638-Online-banking-hacked[1].htm moved successfully.

C:\Users\Hawthorn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\37B8702E\ads[2].htm moved successfully.

C:\Users\Hawthorn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

Registry entries deleted on Reboot...
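The MBAM and OTL reports above show the shape of the autorun that was removed: an HKCU Run value named with a GUID, pointing at an .exe inside a randomly named folder created directly under %AppData%\Roaming (Byyf\eknyv.exe, flagged by MBAM as Trojan.ZbotR.Gen). The script below is an added example, not from this thread or from MBAM or OTL: it scores Run-key entries for that shape so a responder can spot a comparable entry on another machine without waiting for a signature. The removed entry is copied from the logs; the benign sample entries, their command lines, the vendor allow-list and the score weights are constructed for the example.

```python
"""Score Windows Run-key entries for Zbot-style persistence.

Added example, not from the thread or from MBAM/OTL. The MBAM and OTL reports
show an HKCU Run value named with a GUID, pointing at an .exe in a randomly
named folder directly under %AppData%\\Roaming (Byyf\\eknyv.exe). The heuristic
below flags that shape. That entry is copied from the logs; the other sample
entries, their command lines and the score weights are constructed.
"""
import re
import sys

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# <drive>:\Users\<user>\AppData\Roaming\<exactly one folder>\<file>.exe
ROAMING_RE = re.compile(
    r"^(?:[A-Za-z]:)?\\Users\\[^\\]+\\AppData\\Roaming\\([^\\]+)\\([^\\]+)\.exe$",
    re.IGNORECASE,
)
# Vendors that do run from Roaming, under recognisable folder names (constructed list).
KNOWN_ROAMING_FOLDERS = {"utorrent", "dropbox", "spotify", "microsoft", "skype"}


def executable_from_command(command):
    """Extract the program path from a Run value ("quoted" or bare, with args)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", command)
    return m.group(1) if m else command


def looks_random(token):
    """Short, purely alphabetic and not a known vendor folder name."""
    return 3 <= len(token) <= 8 and token.isalpha() and token.lower() not in KNOWN_ROAMING_FOLDERS


def score_entry(value_name, command):
    """Return (score, reasons); 3 or more is worth a closer look."""
    score, reasons = 0, []
    if GUID_RE.match(value_name):
        score += 2
        reasons.append("value name is a GUID")
    m = ROAMING_RE.match(executable_from_command(command))
    if m:
        folder, stem = m.group(1), m.group(2)
        score += 1
        reasons.append("runs from a folder directly under AppData\\Roaming")
        if looks_random(folder) and looks_random(stem):
            score += 2
            reasons.append(f"random-looking names {folder}\\{stem}.exe")
    return score, reasons


def triage(entries, threshold=3):
    """Return (name, command, score, reasons) for entries at or above threshold."""
    hits = []
    for name, command in entries:
        score, reasons = score_entry(name, command)
        if score >= threshold:
            hits.append((name, command, score, reasons))
    return hits


def read_live_hkcu_run():
    """Enumerate HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run; empty off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            entries.append((name, str(value)))
            index += 1
    return entries


SAMPLE_RUN_ENTRIES = [
    # the Trojan.ZbotR.Gen autorun from the MBAM and OTL reports above
    ("{F3479133-218F-D79A-E856-E82540F0D7A2}", r"C:\Users\Hawthorn\AppData\Roaming\Byyf\eknyv.exe"),
    # constructed benign entries, including one that legitimately lives in Roaming
    ("uTorrent", r'"C:\Program Files\uTorrent\uTorrent.exe"  /MINIMIZED'),
    ("swg", r'"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"'),
    ("Sidebar", r"C:\Program Files\Windows Sidebar\sidebar.exe /autoRun"),
    ("Dropbox", r'"C:\Users\Hawthorn\AppData\Roaming\Dropbox\bin\Dropbox.exe" /systemstartup'),
]

if __name__ == "__main__":
    entries = read_live_hkcu_run() or SAMPLE_RUN_ENTRIES
    for name, command, score, reasons in triage(entries):
        print(f"[{score}] {name} -> {command}")
        for reason in reasons:
            print("     -", reason)
```

On Windows the script reads the live HKCU Run key; elsewhere it triages the constructed sample, where only the GUID-named Roaming entry scores. The GUID name alone is not proof (some installers use them), which is why it is a weighted score and not a verdict, and why the fix above also removed the matching MSConfig StartUpReg key, where a disabled copy of the same entry would otherwise survive.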

Posted
By the way, thanks for that advice on the P2P - I had no idea that was the case. I won't be downloading files using that method any more, as I used uTorrent for the first time in ages a week or so ago, just before this started, so it looks like that may well have been the route. I have turned it off and will uninstall it once/if I get through all this!
Posted

Hi Nick,

 

Thanks for that.

Seems that MBAM picked up on what we were going to remove with OTL.

Let's look a little deeper now.

 

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

 

Link 1

Link 2

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

 

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

 

This is an example; you may rename ComboFix to anything you want.

 

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
     
    Then:
     
    Double click on Combo-Fix.exe & follow the prompts.
     
    Vista/Win7 users should right click on the icon and select Run as Administrator.
     
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     
    If running Vista/Win7, you may not see the recovery console screens
     
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

http://img.photobucket.com/albums/v708/starbuck50/cf1.png

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

http://img.photobucket.com/albums/v706/ried7/whatnext.png

 

Click on Yes, to continue scanning for malware.

 

Note:

Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

 

Thanks


Posted

Hi - thanks - I have done that and the log is below. If you do happen to reply before morning, am I OK to switch the machine off and pick up the next steps tomorrow, or should I keep the machine running? If you don't reply, I will keep it running to be on the safe side!

 

Log:

 

ComboFix 11-04-28.01 - Hawthorn 29/04/2011 0:17.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3060.1981 [GMT 1:00]

Running from: c:\users\Hawthorn\Desktop\Combo-Fix1.exe

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Hawthorn\hosts

c:\windows\system32\drivers\npf.sys

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\wpcap.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_NPF

.

.

((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-28 )))))))))))))))))))))))))))))))

.

.

2011-04-28 22:38 . 2011-04-28 22:38 5472 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-04-28 22:32 . 2011-04-28 22:32 -------- d-----w- C:\_OTL

2011-04-28 21:35 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4600B408-173A-414E-9DAE-FC23F72DD493}\mpengine.dll

2011-04-27 22:11 . 2011-04-28 21:21 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-04-27 22:11 . 2011-04-28 17:16 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2011-04-27 21:44 . 2011-04-27 21:44 388096 ----a-r- c:\users\Hawthorn\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-04-27 21:44 . 2011-04-27 21:44 -------- d-----w- c:\program files\Trend Micro

2011-04-27 21:23 . 2011-04-27 21:23 -------- d-----w- c:\users\Hawthorn\AppData\Local\Mozilla

2011-04-27 07:56 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

2011-04-27 07:56 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

2011-04-27 07:56 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll

2011-04-23 10:54 . 2011-04-23 10:54 -------- d-----w- c:\program files\iPod

2011-04-23 10:52 . 2011-04-23 10:52 -------- d-----w- c:\program files\Bonjour

2011-04-13 19:31 . 2011-02-16 14:02 292864 ----a-w- c:\windows\system32\atmfd.dll

2011-04-13 19:31 . 2011-02-16 16:16 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-04-12 07:41 . 2011-04-12 07:41 -------- d-----w- c:\windows\SysWOW64

2011-04-06 15:20 . 2011-04-06 15:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-06 15:20 . 2011-04-06 15:20 197920 ----a-w- c:\windows\system32\dnssdX.dll

2011-04-06 15:20 . 2011-04-06 15:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2011-04-05 17:09 . 2011-01-26 19:01 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1D44C2CF-979D-4F7D-855F-F63DF4A88AE8}\gapaengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-11 07:04 . 2010-12-07 07:50 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-03-03 15:40 . 2011-04-27 07:56 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll

2011-03-03 15:40 . 2011-04-27 07:56 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2011-03-03 15:40 . 2011-04-27 07:56 542720 ----a-w- c:\windows\apppatch\AcLayers.dll

2011-03-03 15:40 . 2011-04-27 07:56 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll

2011-02-22 14:13 . 2011-03-22 18:26 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-02-22 13:33 . 2011-03-22 18:26 1068544 ----a-w- c:\windows\system32\DWrite.dll

2011-02-22 13:33 . 2011-03-22 18:26 797696 ----a-w- c:\windows\system32\FntCache.dll

2011-02-18 16:36 . 2011-02-18 16:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2011-02-18 16:36 . 2011-02-18 16:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-03-18 17:57 . 2011-04-27 21:23 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-11-30 289584]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-22 39408]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2009-04-09 185640]

"hpsysdrv"="c:\program files\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-17 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-17 173592]

"HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 143360]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-17 150552]

"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]

"UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]

"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

"HideFastUserSwitching"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R1 MpKslbc782ccd;MpKslbc782ccd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4600B408-173A-414E-9DAE-FC23F72DD493}\MpKslbc782ccd.sys [x]

R1 MpKslf8e16574;MpKslf8e16574;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4600B408-173A-414E-9DAE-FC23F72DD493}\MpKslf8e16574.sys [x]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]

R3 PCDSRVC{4F253FFC-7957E8FC-06000000}_0;PCDSRVC{4F253FFC-7957E8FC-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc.pkms [2009-02-02 20848]

S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ezSharedSvc

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-15 c:\windows\Tasks\HPCeeScheduleForHawthorn.job

- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2009-06-16 17:17]

.

2011-02-28 c:\windows\Tasks\PCDRScheduledMaintenance.job

- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-02-02 19:00]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=93&bd=Pavilion&pf=cndt

IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-GB\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20100728060044

FF - ProfilePath - c:\users\Hawthorn\AppData\Roaming\Mozilla\Firefox\Profiles\bv2rwo3p.default\

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SmartMenu - %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe

AddRemove-sp44626 - c:\hp\Softpaq\sp44626\sp44626.exe

.

.

.

**************************************************************************

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{4F253FFC-7957E8FC-06000000}_0]

"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc.pkms"

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\progra~1\HEWLET~1\HPREMO~1\HPREMO~1.EXE

c:\windows\system32\wbem\unsecapp.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe

c:\\?\c:\windows\system32\wbem\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2011-04-29 00:31:27 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-28 23:30

.

Pre-Run: 419,468,144,640 bytes free

Post-Run: 419,078,832,128 bytes free

.

- - End Of File - - 03CEED81ED15F251FC19FB41F46AB874
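The ComboFix report above lists user.js preferences in the Firefox profile that switch off the warnings Firefox showed when a form was submitted over plain HTTP or when an HTTPS page mixed in HTTP content. On a machine that had been showing a fake banking page those settings deserve a look, but the log alone does not say who wrote them, so the check should report rather than conclude. The script below is an added example, not part of this thread or of ComboFix: it parses a user.js file and lists every preference set to a security-weakening value. The sample text is rebuilt from the 'FF - user.js' lines in the report; the table of preferences treated as weakening is this example's own and is not taken from the page.

```python
"""Report Firefox user.js preferences that silence security warnings.

Added example, not part of the thread or of ComboFix. The ComboFix report
lists user.js preferences that turn off the warnings Firefox showed when a
form was submitted over plain HTTP or when an HTTPS page mixed in HTTP content.
The log does not say who wrote them, so this script only reports. The sample
text is rebuilt from the 'FF - user.js' lines in the report; the WEAKENING
table is this example's own list.
"""
import re
import sys

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# pref name -> (value that weakens security, consequence)
WEAKENING = {
    "security.warn_submit_insecure": (False, "no warning when a form posts over plain HTTP"),
    "security.warn_viewing_mixed": (False, "no warning when an HTTPS page loads HTTP content"),
    "security.warn_entering_weak": (False, "no warning on weakly encrypted sites"),
    "security.warn_leaving_secure": (False, "no warning when leaving an HTTPS page"),
    "browser.safebrowsing.enabled": (False, "phishing-site blocking disabled"),
    "browser.safebrowsing.malware.enabled": (False, "malware-site blocking disabled"),
}


def parse_value(token):
    """Convert a user_pref literal (bool, int or quoted string) to Python."""
    token = token.strip()
    if token in ("true", "false"):
        return token == "true"
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1]
    try:
        return int(token)
    except ValueError:
        return token


def parse_user_js(text):
    """Return {pref_name: value} for every user_pref(...) line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit_user_js(text):
    """Return (pref, value, consequence) for each pref set to its weakening value."""
    findings = []
    for name, value in parse_user_js(text).items():
        if name not in WEAKENING:
            continue
        expected, why = WEAKENING[name]
        # compare type as well as value so that 0 is not mistaken for False
        if type(value) is type(expected) and value == expected:
            findings.append((name, value, why))
    return findings


# Rebuilt from the 'FF - user.js' lines in the ComboFix report above.
SAMPLE_USER_JS = """\
user_pref("network.cookie.cookieBehavior", 0);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("security.warn_submit_insecure", false);
user_pref("security.warn_submit_insecure.show_once", false);
"""

if __name__ == "__main__":
    # Usage: python audit_userjs.py <Firefox profile folder>\user.js  (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_USER_JS
    for name, value, why in audit_user_js(text):
        print(f"{name} = {value!r}: {why}")
```

Against the rebuilt sample the script reports the two warn_* preferences; the cookie and show_once lines are parsed but not flagged, since they do not by themselves hide anything from the user. user.js is re-applied every time Firefox starts, so on a machine being cleaned the file should be removed or emptied rather than the preferences just toggled back in about:config.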

Posted

Morning - shut down and restarted and went to the Lloyds site via Google this morning, and the hoax screens have gone and all seems fine. I logged on to my site in the normal way - all secure, nothing odd, was able to bank and logged off.

 

Thank you so much - I wouldn't have had a prayer! What a great resource a site like this is and people like you.

 

The only thing which appears different on my system is that when I start up, a pop-up comes up saying that some start-up programmes have been blocked - there is a little white box in the icon tray with a no-entry style sign in the bottom left corner. When I click on it, another pop-up offers options - "show or remove blocked start-up programmes", "run blocked programme", "view help" and "exit". If I click on the show and remove option I get a System Configuration menu which opens at "Startup" and a list of programmes and the option to enable all or disable all etc. Not sure what that is all about, but I take it it is nothing sinister?

 

Anything else I should do, or do you think I am good to go? Any other advice aside from avoiding uTorrent and similar file-sharing software?

 

Thanks again.

Posted

I'll just pop in in case Starbuck is late in seeing this. For the moment, don't do anything with those blocked entries until he sees this; also, there is still more to do, if only a clean-up of things left behind, so please wait for further instruction from Starbuck. All the best otherwise, and I hope your system is back up and running well when finished.

Nev.


Posted
when I start up, a pop up comes up saying that some start up programmes have been blocked

Does it say what programs have been blocked?

 

Double click on OTL.exe to run it.

  • Under Extra Registry section, select Use SafeList.
  • Don't check the boxes beside 'LOP Check' and 'Purity Check' this time.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open. Please post the contents of these 2 Notepad files in your next reply.

 

Thanks


Posted

Thanks both - the two notepad files from the OTL scan are here:

 

OTL logfile created on: 29/04/2011 12:39:02 - Run 2

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Hawthorn\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.19048)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

 

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 56.00% Memory free

6.00 Gb Paging File | 5.00 Gb Available in Paging File | 78.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 583.19 Gb Total Space | 389.87 Gb Free Space | 66.85% Space Free | Partition Type: NTFS

Drive D: | 12.98 Gb Total Space | 1.82 Gb Free Space | 14.00% Space Free | Partition Type: NTFS

 

Computer Name: HAWTHORNE-PC | User Name: Hawthorn | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 

========== Processes (SafeList) ==========

 

PRC - C:\Users\Hawthorn\Desktop\OTL.scr (OldTimer Tools)

PRC - C:\Windows\System32\Macromed\Flash\FlashUtil10p_ActiveX.exe (Adobe Systems, Inc.)

PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)

PRC - C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe (Google Inc.)

PRC - C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe (CyberLink Corp.)

PRC - C:\Windows\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe (CyberLink)

PRC - C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe ()

PRC - C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe (Hewlett-Packard)

 

 

========== Modules (SafeList) ==========

 

MOD - C:\Users\Hawthorn\Desktop\OTL.scr (OldTimer Tools)

MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll (Microsoft Corporation)

 

 

========== Win32 Services (SafeList) ==========

 

SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- File not found

SRV - (gupdate) Google Update Service (gupdate) -- File not found

SRV - (NisSrv) -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe (Microsoft Corporation)

SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)

SRV - (GameConsoleService) -- C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe (WildTangent, Inc.)

SRV - (ezSharedSvc) -- C:\Windows\System32\ezsvc7.dll (EasyBits Sofware AS)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

 

 

========== Driver Services (SafeList) ==========

 

DRV - (MpKslb1efbda2) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E29A3074-4943-4FF4-AC38-81FE30F3E648}\MpKslb1efbda2.sys (Microsoft Corporation)

DRV - (NisDrv) -- C:\Windows\System32\drivers\NisDrvWFP.sys (Microsoft Corporation)

DRV - (MpNWMon) -- C:\Windows\System32\drivers\MpNWMon.sys (Microsoft Corporation)

DRV - (PCDSRVC{4F253FFC-7957E8FC-06000000}_0) -- c:\Program Files\PC-Doctor for Windows\pcdsrvc.pkms (PC-Doctor, Inc.)

DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )

DRV - (alcan5wn) SpeedTouch USB ADSL PPP Networking Driver (NDISWAN) -- C:\Windows\System32\drivers\alcan5wn.sys (THOMSON)

DRV - (alcaudsl) -- C:\Windows\System32\drivers\alcaudsl.sys (THOMSON)

DRV - (ASPI32) -- C:\Windows\System32\drivers\aspi32.sys (Adaptec)

 

 

========== Standard Registry (SafeList) ==========

 

 

========== Internet Explorer ==========

 

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=93&bd=Pavilion&pf=cndt

 

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

 

========== FireFox ==========

 

 

 

FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/27 22:23:35 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

 

[2011/04/27 22:23:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hawthorn\AppData\Roaming\mozilla\Extensions

[2011/04/27 22:23:35 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

File not found (No name found) --

[2009/12/03 00:03:38 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION

[2011/03/18 18:57:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll

[2010/01/01 09:00:00 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml

[2010/01/01 09:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

[2010/01/01 09:00:00 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml

[2010/01/01 09:00:00 | 000,001,180 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml

[2010/01/01 09:00:00 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

 

O1 HOSTS File: ([2011/04/29 00:25:41 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (AOL Toolbar BHO) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)

O3 - HKCU\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)

O4 - HKLM..\Run: [CLMLServer for HP TouchSmart] c:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe (CyberLink)

O4 - HKLM..\Run: [DVDAgent] c:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe (CyberLink Corp.)

O4 - HKLM..\Run: [HP Remote Software] C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe ()

O4 - HKLM..\Run: [hpsysdrv] c:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe (Hewlett-Packard)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [updateLBPShortCut] c:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [updateP2GoShortCut] c:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [updatePDIRShortCut] c:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [updatePSTShortCut] c:\Program Files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 0

O8 - Extra context menu item: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-GB\local\search.html ()

O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} http://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20100728060044 (PhotoboxPhotowaysUploader5 Control)

O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} https://moneymanager.egg.com/Pinsafe/accounttracking.cab (Egg Money Manager Digital Safe)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab (Windows Live Hotmail Photo Upload Tool)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Users\Hawthorn\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O24 - Desktop BackupWallPaper: C:\Users\Hawthorn\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found

O28 - HKLM ShellExecuteHooks: {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\System32\ezUPBHook.dll (EasyBits Software Corp.)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

 

========== Files/Folders - Created Within 30 Days ==========

 

[2011/04/29 00:31:30 | 000,000,000 | ---D | C] -- C:\Windows\temp

[2011/04/29 00:31:29 | 000,000,000 | ---D | C] -- C:\Users\Hawthorn\AppData\Local\temp

[2011/04/29 00:25:47 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2011/04/29 00:14:52 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2011/04/29 00:14:52 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2011/04/29 00:14:52 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2011/04/29 00:14:47 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT

[2011/04/29 00:14:14 | 000,000,000 | ---D | C] -- C:\Qoobox

[2011/04/29 00:14:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe

[2011/04/28 23:32:17 | 000,000,000 | ---D | C] -- C:\_OTL

[2011/04/28 19:32:44 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Hawthorn\Desktop\OTL.scr

[2011/04/28 17:59:47 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Users\Hawthorn\Desktop\TFC.exe

[2011/04/27 23:11:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy

[2011/04/27 23:11:27 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2011/04/27 22:44:14 | 000,000,000 | ---D | C] -- C:\Users\Hawthorn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis

[2011/04/27 22:44:13 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2011/04/27 22:23:39 | 000,000,000 | ---D | C] -- C:\Users\Hawthorn\AppData\Roaming\Mozilla

[2011/04/27 22:23:39 | 000,000,000 | ---D | C] -- C:\Users\Hawthorn\AppData\Local\Mozilla

[2011/04/27 22:23:34 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[2011/04/27 22:22:58 | 012,399,552 | ---- | C] (Mozilla) -- C:\Users\Hawthorn\Desktop\Firefox Setup 4.0.exe

[2011/04/27 08:56:29 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll

[2011/04/27 08:56:29 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll

[2011/04/27 08:56:15 | 000,876,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll

[2011/04/23 11:54:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes

[2011/04/23 11:54:13 | 000,000,000 | ---D | C] -- C:\Program Files\iPod

[2011/04/23 11:52:09 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour

[2011/04/13 20:31:03 | 000,292,864 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll

[2011/04/13 20:31:02 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll

[2011/04/13 20:30:58 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl

[2011/04/13 20:30:58 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll

[2011/04/13 20:30:58 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll

[2011/04/13 20:30:58 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll

[2011/04/13 20:30:58 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec

[2011/04/13 20:30:58 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll

[2011/04/13 20:30:57 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb

[2011/04/13 20:30:57 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll

[2011/04/13 20:30:57 | 000,173,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe

[2011/04/13 20:30:57 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe

[2011/04/13 20:30:57 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll

[2011/04/13 20:30:57 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll

[2011/04/13 20:30:57 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll

[2011/04/13 20:30:57 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll

[2011/04/13 20:30:57 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll

[2011/04/13 20:30:57 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll

[2011/04/13 20:30:57 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe

[2011/04/13 20:30:53 | 001,162,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc42u.dll

[2011/04/13 20:30:52 | 001,136,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc42.dll

[2011/04/13 20:30:48 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dnscacheugc.exe

[2011/04/13 20:30:46 | 002,041,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

[2011/04/13 20:30:44 | 000,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll

[2011/04/13 20:30:44 | 000,420,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll

[2011/04/12 08:41:22 | 000,000,000 | ---D | C] -- C:\Users\Hawthorn\Documents\Wondershare Streaming Video Recorder

[2011/04/12 08:41:09 | 000,000,000 | ---D | C] -- C:\Windows\SysWOW64

[2011/04/06 16:20:16 | 000,197,920 | ---- | C] (Apple Inc.) -- C:\Windows\System32\dnssdX.dll

[2011/04/06 16:20:16 | 000,107,808 | ---- | C] (Apple Inc.) -- C:\Windows\System32\dns-sd.exe

[2011/04/06 16:20:16 | 000,091,424 | ---- | C] (Apple Inc.) -- C:\Windows\System32\dnssd.dll

[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

[1 C:\Users\Hawthorn\Desktop\*.tmp files -> C:\Users\Hawthorn\Desktop\*.tmp -> ]

 

========== Files - Modified Within 30 Days ==========

 

[2011/04/29 11:49:26 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2011/04/29 11:49:26 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2011/04/29 09:49:03 | 3209,879,552 | -HS- | M] () -- C:\hiberfil.sys

[2011/04/29 00:25:41 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2011/04/29 00:10:17 | 004,332,535 | R--- | M] () -- C:\Users\Hawthorn\Desktop\Combo-Fix1.exe

[2011/04/28 22:17:49 | 000,932,400 | ---- | M] () -- C:\Users\Hawthorn\Desktop\Norton_Removal_Tool.exe

[2011/04/28 21:07:06 | 000,073,216 | ---- | M] () -- C:\Users\Hawthorn\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2011/04/28 19:32:51 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Hawthorn\Desktop\OTL.scr

[2011/04/28 17:59:53 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Hawthorn\Desktop\TFC.exe

[2011/04/28 06:56:53 | 000,002,529 | ---- | M] () -- C:\Users\Hawthorn\Desktop\HiJackThis.lnk

[2011/04/27 22:43:14 | 001,402,880 | ---- | M] () -- C:\Users\Hawthorn\Desktop\HijackThis.msi

[2011/04/27 22:23:36 | 000,000,872 | ---- | M] () -- C:\Users\Hawthorn\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2011/04/27 22:23:36 | 000,000,848 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk

[2011/04/27 22:23:16 | 012,399,552 | ---- | M] (Mozilla) -- C:\Users\Hawthorn\Desktop\Firefox Setup 4.0.exe

[2011/04/24 08:34:13 | 000,006,028 | ---- | M] () -- C:\Users\Hawthorn\AppData\Roaming\wklnhst.dat

[2011/04/23 11:54:49 | 000,001,666 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk

[2011/04/15 11:16:02 | 000,000,334 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForHawthorn.job

[2011/04/14 07:56:31 | 000,317,696 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2011/04/06 16:20:16 | 000,197,920 | ---- | M] (Apple Inc.) -- C:\Windows\System32\dnssdX.dll

[2011/04/06 16:20:16 | 000,107,808 | ---- | M] (Apple Inc.) -- C:\Windows\System32\dns-sd.exe

[2011/04/06 16:20:16 | 000,091,424 | ---- | M] (Apple Inc.) -- C:\Windows\System32\dnssd.dll

[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

[1 C:\Users\Hawthorn\Desktop\*.tmp files -> C:\Users\Hawthorn\Desktop\*.tmp -> ]

 

========== Files Created - No Company Name ==========

 

[2011/04/29 00:14:52 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe

[2011/04/29 00:14:52 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2011/04/29 00:14:52 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe

[2011/04/29 00:14:52 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2011/04/29 00:14:52 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2011/04/29 00:10:11 | 004,332,535 | R--- | C] () -- C:\Users\Hawthorn\Desktop\Combo-Fix1.exe

[2011/04/28 22:17:44 | 000,932,400 | ---- | C] () -- C:\Users\Hawthorn\Desktop\Norton_Removal_Tool.exe

[2011/04/27 22:44:14 | 000,002,529 | ---- | C] () -- C:\Users\Hawthorn\Desktop\HiJackThis.lnk

[2011/04/27 22:43:03 | 001,402,880 | ---- | C] () -- C:\Users\Hawthorn\Desktop\HijackThis.msi

[2011/04/27 22:23:36 | 000,000,872 | ---- | C] () -- C:\Users\Hawthorn\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2011/04/27 22:23:36 | 000,000,860 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk

[2011/04/27 22:23:36 | 000,000,848 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk

[2011/04/23 11:54:49 | 000,001,666 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk

[2011/01/11 00:20:37 | 000,000,033 | ---- | C] () -- C:\ProgramData\{081230F8-EA50-42A9-983C-D22ABC2EED3B}.ini

[2010/11/20 22:09:38 | 000,001,649 | ---- | C] () -- C:\Users\Hawthorn\AppData\Roaming\dvdae.config

[2010/11/20 22:04:59 | 000,001,302 | ---- | C] () -- C:\ProgramData\ss.ini

[2010/11/20 22:04:21 | 000,000,034 | ---- | C] () -- C:\Users\Hawthorn\AppData\Roaming\{081230F8-EA50-42A9-983C-D22ABC2EED3B}.ini

[2010/06/30 01:12:16 | 000,013,312 | ---- | C] () -- C:\Windows\LPRES.DLL

[2010/01/01 20:19:26 | 000,028,731 | ---- | C] () -- C:\Users\Hawthorn\AppData\Roaming\UserTile.png

[2009/12/13 20:05:40 | 000,006,028 | ---- | C] () -- C:\Users\Hawthorn\AppData\Roaming\wklnhst.dat

[2009/12/04 11:42:54 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll

[2009/12/04 11:42:54 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin

[2009/11/30 18:14:47 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat

[2009/11/30 13:15:07 | 000,073,216 | ---- | C] () -- C:\Users\Hawthorn\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/11/30 13:06:43 | 000,005,606 | ---- | C] () -- C:\Windows\System32\stci.dll

[2009/11/30 13:04:01 | 000,000,680 | ---- | C] () -- C:\Users\Hawthorn\AppData\Local\d3d9caps.dat

[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll

[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe

[2009/06/16 19:30:33 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

[2009/06/16 11:52:01 | 000,009,300 | ---- | C] () -- C:\Windows\System32\ezdigsgn.dat

[2009/06/16 11:01:08 | 000,354,816 | ---- | C] () -- C:\Windows\System32\pythoncom26.dll

[2009/06/16 11:01:08 | 000,108,032 | ---- | C] () -- C:\Windows\System32\pywintypes26.dll

[2006/11/02 13:47:37 | 000,317,696 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT

[2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006/11/02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat

[2006/11/02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat

[2006/11/02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat

[2006/11/02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

[2006/11/02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT

[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2006/11/02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

[2005/02/04 04:59:48 | 000,118,784 | ---- | C] () -- C:\Windows\System32\metaflac.exe

[2005/02/04 04:59:44 | 000,217,088 | ---- | C] () -- C:\Windows\System32\flac.exe

< End of report >

 

And:

 

OTL Extras logfile created on: 29/04/2011 12:39:02 - Run 2

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Hawthorn\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.19048)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

 

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 56.00% Memory free

6.00 Gb Paging File | 5.00 Gb Available in Paging File | 78.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 583.19 Gb Total Space | 389.87 Gb Free Space | 66.85% Space Free | Partition Type: NTFS

Drive D: | 12.98 Gb Total Space | 1.82 Gb Free Space | 14.00% Space Free | Partition Type: NTFS

 

Computer Name: HAWTHORNE-PC | User Name: Hawthorn | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 

========== Extra Registry (SafeList) ==========

 

 

========== File Associations ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

 

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

 

========== Shell Spawning ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

 

========== Security Center Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"VistaSp2" = Reg Error: Unknown registry data type -- File not found

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

 

========== System Restore Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

 

========== Firewall Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

 

========== Authorized Applications List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

 

 

========== Vista Active Open Ports Exception List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{086C0AF9-53AF-41CF-AC1F-32B48D4C7B6A}" = lport=139 | protocol=6 | dir=in | app=system |

"{109696BE-3E83-40C1-8D42-180C36F47B1A}" = lport=445 | protocol=6 | dir=in | app=system |

"{25DB9E11-4D0E-4DE0-A3D3-C6883CF357F7}" = rport=139 | protocol=6 | dir=out | app=system |

"{28BF3C60-F019-45F9-8FE2-5D73EC2F3E9C}" = rport=137 | protocol=17 | dir=out | app=system |

"{2B082DF2-8C68-4F80-A1F9-F153232575D2}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

"{5AAA6247-14C2-44B7-B785-33A0B18807C7}" = rport=445 | protocol=6 | dir=out | app=system |

"{AD2DA5E0-353F-49C1-B4A5-5161339EFA3F}" = lport=137 | protocol=17 | dir=in | app=system |

"{BE88A68A-D301-4295-BC6C-B8DD374879C5}" = lport=138 | protocol=17 | dir=in | app=system |

"{C38C16C1-AECB-47B8-BFB9-40C4236B786C}" = rport=138 | protocol=17 | dir=out | app=system |

"{C3F41F2D-CD08-460E-A5B7-C74A9E599AEF}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

 

========== Vista Active Application Exception List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{1065F8B4-7B97-420D-A4D9-25F5C0A00E96}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{14F40AEB-F7AA-4CC0-9E2C-4CEEF409216A}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{15C17941-A575-4917-92DD-CF7D6F88767B}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\hptouchsmartmusic.exe |

"{1672DEDB-A365-4210-9099-91431097BE82}" = protocol=6 | dir=in | app=c:\users\hawthorn\appdata\local\temp\7zscc57.tmp\symnrt.exe |

"{308BB295-DC95-46CC-A780-6DD5652E82F1}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\kernel\clml\clmlsvc.exe |

"{33DA1158-4DB3-41E5-B9A7-0B78A4370CEE}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartphoto.exe |

"{361FBC7E-AB26-446F-A57A-AEB4AB0FDAC5}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartphoto.exe |

"{3D64A585-B95D-40A8-B731-EEAC9B02FF3F}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |

"{427F587D-D3A6-4142-A128-AF392E63E65F}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartmusic.exe |

"{4FE38CF0-677C-4D27-BB2B-E2822C610876}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |

"{53436E19-E608-4DC3-945F-E057C12F0094}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\hptouchsmartvideo.exe |

"{5A431749-C09B-4EE9-B7C3-7031C00A5E2A}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\kernel\clml\clmlsvc.exe |

"{68925BD8-593D-4E32-B21A-F88C26CDDC92}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartvideo.exe |

"{6D49EA74-8D0B-422F-BA9A-5F6D11886588}" = protocol=17 | dir=in | app=c:\users\hawthorn\desktop\audioconverter_setup.exe |

"{70A77100-15DC-4FEB-9A3A-8D8B234B5AE9}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |

"{7CBA89ED-4BDE-43FF-948D-5C93995A3BD4}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartvideo.exe |

"{8217C5BF-BC73-4BB6-B795-2B9728E595BC}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{85B5B1CD-68EF-40F2-82D7-12792B1EC125}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{973A0764-472F-4098-A79C-C6F044B5F8AE}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |

"{9FA36AE3-D53F-4522-B87D-6019E75B492D}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\hptouchsmartphoto.exe |

"{A0ED2407-3306-49AE-BAEC-83C98D2B94E0}" = dir=in | app=c:\program files\itunes\itunes.exe |

"{AEF51EE7-D43D-42A8-8840-C4C873156A6F}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hpdvdsmart.exe |

"{AF4C6573-9B35-4CAE-8DB6-3A72C8F21AAE}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |

"{B2B89773-6AAE-415B-88B4-E09CF192B502}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartmusic.exe |

"{C40678ED-2B59-4351-B12F-C6032034750C}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |

"{CE5DD0AA-B329-430C-B492-9E4D90A453E6}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |

"{D34FB656-88AC-4170-8342-804B8155F3D3}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\tsmagent.exe |

"{D8880645-3237-4B58-ACF6-9A5499F4DA26}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\tsmagent.exe |

"{DAF2B2F5-288F-40EF-844F-EB02231BAB1D}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\kernel\clml\clmlsvc.exe |

"{DD8E3877-BF12-4015-B039-2743528C9CD2}" = protocol=17 | dir=in | app=c:\users\hawthorn\appdata\local\temp\7zscc57.tmp\symnrt.exe |

"{E656437E-D496-4FA9-8FC3-FB833CBD91EF}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\tsmagent.exe |

"{E855CC10-9B5D-4FEF-8ED7-6AC1922F1B88}" = protocol=6 | dir=in | app=c:\users\hawthorn\desktop\audioconverter_setup.exe |

"{EAC67776-0C17-40B0-9F15-30105F153D05}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hpdvdsmart.exe |

"TCP Query User{112E744C-D470-412A-89FE-81F79790F220}C:\program files\speedtouch\dr speedtouch\drst.exe" = protocol=6 | dir=in | app=c:\program files\speedtouch\dr speedtouch\drst.exe |

"TCP Query User{2A53FD6A-2809-46AE-8641-DDB85B0FC3FA}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |

"TCP Query User{892652AF-2D7A-4B94-8777-1CF509364A67}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe |

"TCP Query User{CF6948CF-1694-4505-8C3B-B4AD5587A1C1}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |

"TCP Query User{F546FB83-0CEB-428E-ACB1-8FA20AD90B3E}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe |

"UDP Query User{2624E9A8-B13D-4B27-A493-F5BE0C196680}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |

"UDP Query User{6A90F574-282B-4591-91DF-4CEF336F57EA}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe |

"UDP Query User{6DF8F322-7557-4E17-8C73-44C760F0EA2C}C:\program files\speedtouch\dr speedtouch\drst.exe" = protocol=17 | dir=in | app=c:\program files\speedtouch\dr speedtouch\drst.exe |

"UDP Query User{DC2043D5-CCF0-4A33-8234-D49FB4491905}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe |

"UDP Query User{DFAE34F3-EAD2-47CF-8191-C5FD93B0B8F6}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |

 

========== HKEY_LOCAL_MACHINE Uninstall List ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{0295F89F-F698-4101-9A7D-49F407EC2D82}" = HP Active Support Library

"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter

"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{1CC069FA-1A86-402E-9787-3F04E652C67A}" = HP Support Information

"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library

"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java 6 Update 18

"{290CA856-3737-4874-864B-BA142F4823C8}_is1" = HP MediaSmart Demo

"{353FE16B-30FE-469A-BF55-B978F4218003}" = iTunes

"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729

"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker

"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go

"{40FAB9CD-D1A8-44DC-9B61-38B135E26E67}_is1" = Ask Default Search

"{40FB8D7C-6FF8-4AF2-BC8B-0B1DB32AF04B}" = HP Advisor

"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis

"{47F36D92-E58E-456D-B73C-3382737E4C42}" = HP Update

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{55979C41-7D6A-49CC-B591-64AC1BBE2C8B}" = HP Picasso Media Center Add-In

"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime

"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053

"{5F240DB8-0D74-4F13-86C3-929760392A8D}" = HP Remote Software

"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware

"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client

"{784BEA84-FA66-4B19-BB80-7B545F248AC6}" = HP Total Care Setup

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec

"{7C5B4583-7CBF-4289-B195-03B553959DEA}" = VoiceOver Kit

"{7F10292C-A190-4176-A665-A1ED3478DF86}" = LightScribe System Software

"{83073C45-3003-4671-9A86-243AAADD915A}" = Microsoft Calculator Plus

"{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)

"{9CC89170-000B-457D-91F1-53691F85B223}" = Python 2.6.1

"{9F73FDEF-DDC1-4307-9D96-13AB3254641A}_is1" = Doctor Who: The Adventure Games

"{A0640EC2-B97E-4FC1-AD14-227C9E386BB4}" = HP Recovery Manager RSS

"{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder

"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter

"{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8

"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder

"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video

"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player

"{B84739A3-F943-47E4-95D8-96381EF5AC48}" = HP Customer Experience Enhancements

"{B8AC1A89-FFD1-4F97-8051-E505A160F562}" = HP Odometer

"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour

"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint

"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support

"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD

"{E9E34215-82EF-4909-BE2F-F581F0DC9062}" = DirectX for Managed Code Update (Summer 2004)

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{FF202088-CF66-4DCA-B1C3-185E7044CEE6}" = HP MediaSmart SmartMenu

"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

"7-Zip" = 7-Zip 4.57

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.9

"AOL Toolbar" = AOL Toolbar 5.0

"BookSmart® 2.9.5 2.9.5" = BookSmart® 2.9.5 2.9.5

"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters

"EasyBits Magic Desktop" = Magic Desktop

"FLAC" = FLAC Installer 1.1.2a (remove only)

"HDMI" = Intel® Graphics Media Accelerator Driver

"HOMESTUDENTR" = Microsoft Office Home and Student 2007

"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe

"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go

"InstallShield_{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility

"InstallShield_{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video

"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint

"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector

"InstallShield_{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"MediaCoder Audio Edition" = MediaCoder Audio Edition 0.7.2.4530

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Microsoft Security Client" = Microsoft Security Essentials

"Mozilla Firefox 4.0 (x86 en-GB)" = Mozilla Firefox 4.0 (x86 en-GB)

"NewzToolz_is1" = NewzToolz v1.0.1

"OfficeTrial" = Microsoft Office Home and Student 60 day trial

"PC-Doctor for Windows" = Hardware Diagnostic Tools

"pywin32-py2.6" = Python 2.6 pywin32-212

"Security Task Manager" = Security Task Manager 1.8c

"uTorrent" = µTorrent

"WildTangent hp Master Uninstall" = HP Games

 

========== Last 10 Event Log Errors ==========

 

[ Application Events ]

Error - 27/04/2011 15:58:57 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083

Description =

 

Error - 27/04/2011 15:58:57 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083

Description =

 

Error - 27/04/2011 15:58:58 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083

Description =

 

Error - 27/04/2011 15:59:09 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083

Description =

 

Error - 27/04/2011 15:59:29 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083

Description =

 

Error - 27/04/2011 15:59:43 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083

Description =

 

Error - 27/04/2011 15:59:59 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083

Description =

 

Error - 27/04/2011 16:00:16 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083

Description =

 

Error - 27/04/2011 16:00:45 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083

Description =

 

Error - 27/04/2011 16:00:52 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083

Description =

 

[ System Events ]

Error - 28/04/2011 18:31:43 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7000

Description =

 

Error - 28/04/2011 18:32:17 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7031

Description =

 

Error - 28/04/2011 18:36:06 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7000

Description =

 

Error - 28/04/2011 19:16:18 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7030

Description =

 

Error - 28/04/2011 19:21:25 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7030

Description =

 

Error - 28/04/2011 19:23:52 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7030

Description =

 

Error - 28/04/2011 19:23:58 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7030

Description =

 

Error - 28/04/2011 19:28:38 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7000

Description =

 

Error - 28/04/2011 22:01:19 | Computer Name = Hawthorne-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20

Description =

 

Error - 29/04/2011 04:51:40 | Computer Name = Hawthorne-PC | Source = Service Control Manager | ID = 7000

Description =

 

 

< End of report >

Posted

Hi Nick,

 

Just a couple of things this time.

 

Step 1

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 25 and save it to your desktop.
  • Scroll down to where it says "Java SE 6 Update 25".
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Select 'Windows x86' offline from the list.
  • Save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u25-windows-i586-p.exe to install the newest version.

 

 

Step 2

Let's double check for any leftovers now:

 

I'd like you to do an ESET OnlineScan

 

You may find it beneficial to close your resident AV program before running the scan.

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
     
  • Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
     
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer.
      Save it to your desktop.
    • Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
  • Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
  • Accept any security warnings from your browser.
  • Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
  • Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan.
    Include the contents of this report in your next reply.
  • Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
  • Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

 

 

Note:

It's been found that on some systems ESET's Online Scan fails during the database download (around 20%).

To prevent this happening:

When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):

 

Enable Anti-Stealth technology

 

http://img.photobucket.com/albums/v708/starbuck50/eset.png

 

 

In your next reply, please submit:

Eset scan report

 

 

Thanks.

Member of:

UNITE

Posted

Hi - this is the only one I had any trouble with - took a while to get this working - frozen screens etc - but did the scan and it has just finished but I can't get a log - the screen just says:

 

Scan Results

 

No threats found

 

Scanned files: 199470

Infected files: 0

Cleaned files: 0

Total scan time: 01:23:46

Scan status: finished

 

It then gives me an option to uninstall application on close.

Posted

Hi Nick,

 

took a while to get this working - frozen screens etc - but did the scan and it has just finished but I can't get a log - the screen just says:

That does seem to happen sometimes, especially if all the other security programs haven't been disabled before trying to run it.

The main thing is that nothing was found..... that's good

 

It then gives me an option to uninstall application on close.

You can uninstall it once it's finished, or we'll remove it when we clean up at the end.

 

If you are happy with the way the system is running we'll finish off the cleaning process.

Member of:

UNITE

Posted

Hi Nick

 

Step 1

Restart MBAM.

Click on the Quarantine tab

If there are items in quarantine.....

Make sure everything is selected and then click Delete All.

Close MBAM.

 

 

Step 2

Please uninstall ComboFix by

Clicking on Start ...then run ... and type in combofix /uninstall (don't forget there is a gap between x and /) Then press Ok

http://img.photobucket.com/albums/v708/starbuck50/new/cfu.png

 

This action will uninstall Combofix and also perform a few cleanup measures

 

 

 

Step 3

  • Please double-click OTL.exe to run it.
  • You should see a CleanUp! button, press that button,
     
    http://img.photobucket.com/albums/v708/starbuck50/cleanupbutton.png
     
  • This will cleanup an assortment of tools used during malware removal, plus itself

 

Note:

MBAM will not be removed

 

 

Step 4

Now you should set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

 

Click on Start... Control Panel... System and Maintenance... System

Click on System Protection in the left-hand task list.

Uncheck the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section.

 

When you uncheck a disk you will be presented with a screen.

You should click on the Turn System Protection Off button.

Click Apply and then OK.

 

Reboot your computer.

 

Now:

Click on Start... Control Panel... System and Maintenance... System

Click on System Protection in the left-hand task list.

Put a checkmark in the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section.

Click Apply and then OK.

 

Your System restore will now be active again... starting with a new restore point.

 

To find out how you may have been infected....read this topic:

How did i get infected?

 

Not all of the following information will be applicable to you, but it's still best to read it all.

 

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  • Use an AntiVirus Software

    Note*:
    Upon installation MS Security Essentials will check that your OS is a legal copy.

    Only install one AntiVirus program

  • Update your AntiVirus Software regularly

  • Use a 3rd party Firewall
    NOTE: If choosing Zone Alarm be aware that the free version also installs ZoneAlarm Spy Blocker. It is recommended however that you UNcheck this option.

    Only install one software Firewall

    Some 3rd party Firewalls will turn off the windows firewall when they are installed.
    It's always best to check that the Windows Firewall is turned off:

    How to turn off Windows Firewall:
    Start ... Control Panel ... click on 'Classic View'.
    Now select Windows Firewall.
    When the Windows Firewall box opens, put a tick against .. Off (not recommended) and then click Ok

  • Scan regularly with a 'Stand Alone' Anti-Malware scanner:
    Installing another scanner that you can run once or twice a week is always beneficial.
    Something like:
    Malwarebytes Anti-Malware
    SUPERAntiSpyware
    Remember to update these programs each time before running.
    You can install more than one of these if you only run them as stand alone programs.

  • Use an alternative browser:
    Some excellent alternatives to MS Internet Explorer are:

    Firefox
    For added security, add the NoScript extension to this browser:
    Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks
    also consider adding:
    WOT - Safe Browsing Tool

    Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web.
    Btw: you don't have to make a contribution.

    Opera

    They offer better security, more stability, and better speed.

  • Keep a backup of your registry
    Keeping a regular backup of your registry will help when something goes wrong.
    Use a program like:
    Erunt

    A full tutorial on how to set up and use Erunt can be found here:
    Erunt tutorial

  • Keep your system clean of temp files etc, using a 'Cleaner':
    Cleaners are programs that will help to clean out your:
    Windows temp files
    Current user temp files
    Cookies
    Temporary Internet files
    Browser history
    Recycle bin
    Etc.......
    In other words.... all the rubbish that you accumulate over the course of your browsing and day to day usage of your pc.
    Programs like:
    TFC by OldTimer
    ATF Cleaner

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:
    Using and installing SpywareBlaster

  • Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

 

Glad I was able to help.

 

Safe surfing.

Member of:

UNITE
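The restore-point reset described in Step 4 of the post above, done from an elevated PowerShell prompt instead of the Control Panel. This is an added example and not part of Starbuck's post; it assumes PowerShell 2.0 or later (available for Vista as an optional update) and that C:\ is the only protected drive.

```powershell
# Added example (not from the original post): reset System Restore so that no
# restore point taken before the cleanup survives, then record a fresh clean one.
# Assumes an elevated PowerShell 2.0+ session and that C:\ is the protected drive.
$drive = "C:\"

# 1. List what exists now. Any point created before the malware was removed may
#    still hold copies of the files that were just deleted.
Write-Host "Restore points before reset:"
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime

# 2. Turning System Protection off for the drive discards every restore point on
#    it, the same effect as the GUI's "Turn System Protection Off" button. The
#    cmdlet applies immediately, so the reboot the GUI route needs is not required.
Disable-ComputerRestore -Drive $drive

# 3. Turn protection back on and take a checkpoint that marks the clean state.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description "Clean state after malware removal" `
                    -RestorePointType MODIFY_SETTINGS

# 4. Verify: only the new point should be listed. If old points survived, the
#    drive was not the one being protected, or protection was never disabled.
$points = @(Get-ComputerRestorePoint)
if ($points.Count -eq 1) {
    Write-Host "OK: one restore point remains:" $points[0].Description
} else {
    Write-Warning ("Expected exactly one restore point, found " + $points.Count)
}
```

On Windows 8 and later Checkpoint-Computer refuses to create a second point within 24 hours of the previous one, so run the script only once per cleanup.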

Posted

Hi - thanks so much for all your help - you have been amazing. I am working my way through the list to make my PC safer - will soon get it all done and hopefully will be much better educated and protected from things in the future.

 

Thanks again,

 

Nick

Posted
thanks so much for all your help - you have been amazing.

Thank you for the nice comment.

Although our help is always free, it's nice to get comments like that, it makes everything worthwhile.

Member of:

UNITE
