
Virus/Malware eating my hard drive? [Closed]

#1
dlinderyd (Member, 17 posts)

Hi,

This is my first post so please let me know if I'm breaking any unwritten rules or have missed one of your FAQs.

I have a Dell XPS M1530 with a 500GB HD partitioned into 4 drives: OS (60GB NTFS), Documents (340GB NTFS), Music OS (65GB NTFS) and BootIT (8MB FAT16). The laptop runs a Vista Ultimate 32-bit dual boot, with BootIT NG as boot manager, hiding the MUSIC OS drive from the OS drive and vice versa. The drives are partitioned with Acronis Disk Director.

Recently I've noticed that my OS drive has been running out of space. Freshly installed I had around 25GB free, from memory, but over the last few weeks that has been shrinking. I thought at first it was due to temp files from a video project I was working on in Premiere Elements 7, but that doesn't seem to be the case as space disappeared quickly even after finishing the project, and project temp files should be located on an external USB drive anyway.

The other day I got a message saying that I only had 177MB free on my OS drive! I uninstalled Premiere Elements 4 (as I now have the latest version), which recovered 5GB. Not happy, but at least with a functioning laptop, I went to bed just to see the next morning that the recovered 5GB was almost gone. I had about 500MB free now. I ran disk clean and recovered 1GB and then ran ATF Cleaner, which now leaves me with 2.4GB. It should really be around 25GB or so.

Installed software apart from Vista Ultimate is Office 2007 Basic (Word, Excel, Outlook), Photoshop CS2, Lightroom 2, Premiere Elements 7. Apart from this there are a few small helper applications to sync my mobile/cell to my laptop, HP MediaSmart Server Console, etc.

Selecting properties on my OS drive shows that 2.4GB of 60GB is free. However, selecting all files and folders (after showing hidden and system files) tells me that all files on the OS drive only take up just under 30GB, so I should have 30GB free.

Can someone please try to explain this to me and give me a hint what to do about it? It feels to me that I have been infected by some Malware. The other day I got a notice from Norton Internet Security 2009 saying it had discovered a virus (my 3rd virus ever in 15 years or so, as I'm usually very careful, and the 1st on this laptop) W32.IRCbot and that it had been cleaned.

What I have done so far:
  • Run Norton Internet Security 2009 Scan
  • Uninstalled Premiere Elements 4
  • Run Disk Clean
  • Read your Malware FAQ
  • Run ATF Cleaner
  • Run MalwareBytes Anti-Malware (which rebooted my laptop)
  • Run Rootkit detection (during which findstr kept crashing)
  • Run OTListIt2 (minimal output)
  • I've also run ComboFix (recovered 1GB) before I read the FAQ on your site

I would greatly appreciate it if anyone could let me know what to try next or help me interpret my log files.

/Donald

Edited by dlinderyd, 07 April 2009 - 08:56 AM.

#2
dlinderyd (Topic Starter, 17 posts)

Quick update. Now, 12 hours after my post another 1.9GB is gone and free space is down to 556MB, which is starting to get critical. Have run Norton full scan again - nothing to report.
#3
dlinderyd (Topic Starter, 17 posts)

I ran WinDirStat to check disk usage and it came up with 29GB of unknown files, as you can see from the attached screen dump. This indicates to me that there is something odd going on.

Attached: WinDirStat_090407.JPG

#4
dlinderyd (Topic Starter, 17 posts)

Update: Somehow I've got 3GB free now, so gained 2.5GB since the day before yesterday, without doing anything to try to solve the issue.
#5
dlinderyd (Topic Starter, 17 posts)

Almost running out of space now. 200MB free today. The other day I had 6GB. This clearly isn't normal. I would really appreciate it if anyone could give me a hint on what to do. Or should I just wipe my HD and start over? I really don't like that option.
#6
Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)

Hello dlinderyd and welcome to Geeks to Go. :)
Sorry about the delay.

Please delete OTListIt2 and re-download it by doing the following.

  • Download OTListIt2 to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

Edited by Jimmy2012, 12 April 2009 - 01:20 PM.

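Once OTListIt.Txt is posted, a helper reads it for entries that stand out: a process, service, driver or autostart with no company name in its version info, a BHO whose file is missing, or something running from a temp folder. The script below is an added illustration of that first pass, not part of this thread and not OTListIt's own code. It parses the PRC, SRV, DRV, O2 and O4 line formats used in the log posted in this thread over a constructed sample (lines copied from that log plus one made-up PRC line under Temp); the names `Finding`, `parse_entry`, `assess` and `triage` are the example's own. A flag means "look closer", not "this is malware".

```python
"""Triage helper for the OTListIt.Txt line formats seen in this thread (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the OTListIt.Txt layout: lines copied from the log posted in this
# thread plus one made-up PRC line (updater.exe under Temp) so the checks have something to hit.
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========

PRC - C:\Windows\system32\nvvsvc.exe (NVIDIA Corporation)
PRC - C:\Users\Example\AppData\Local\Temp\updater.exe ()
PRC - D:\Donald\Skrivbord\MalWare Tools\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (AcrSch2Svc [Auto | Running]) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
SRV - (AcronisOSSReinstallSvc [Auto | Stopped]) -- C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe ()

========== Driver Services (SafeList) ==========

DRV - (eyeonedp [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\eyeonedp.sys ()
DRV - (iaStor [Boot | Running]) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation)

========== Internet Explorer ==========

O2 - BHO: (no name) - {CF070CB8-F02F-4af4-A7B7-8D45CAD4BB54} - Reg Error: Key error. File not found
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" ( )
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"""

ENTRY_RE = re.compile(r"^(?P<kind>PRC|SRV|DRV|O2|O4) - (?P<body>.*)$")
COMPANY_RE = re.compile(r"\((?P<company>[^()]*)\)\s*$")  # trailing "(Company)"
PATH_RE = re.compile(r'[A-Za-z]:\\[^"()\[\]]*?\.(?:exe|dll|sys)', re.IGNORECASE)
SVC_RE = re.compile(r"^\((?P<name>.+?) \[(?P<start>[^|\]]+) \| (?P<status>[^\]]+)\]\)")
BHO_RE = re.compile(r"BHO: \((?P<name>[^()]*)\)")
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
# Legitimate autostarts rarely live here; a hit means "look closer", not "this is malware".
SUSPECT_DIRS = ("\\temp\\", "\\appdata\\")


@dataclass
class Finding:
    kind: str
    name: str
    path: Optional[str]
    company: Optional[str]  # None when the line carries no "(Company)" at all
    raw: str
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Finding]:
    """Split one OTListIt entry into kind, display name, file path and company."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # section headers, blank lines, other O-lines
    kind, body = m.group("kind"), m.group("body")
    cm = COMPANY_RE.search(body)
    company = cm.group("company").strip() if cm else None
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else None
    if kind in ("SRV", "DRV"):
        sm = SVC_RE.match(body)
        name = sm.group("name") if sm else body
    elif kind == "O2":
        bm = BHO_RE.search(body)
        name = bm.group("name") if bm else body
    elif kind == "O4":
        om = O4_RE.search(body)
        name = om.group("name") if om else body
    else:  # PRC: use the executable's file name
        name = path.rsplit("\\", 1)[-1] if path else body
    return Finding(kind, name, path, company, body)


def assess(f: Finding) -> Finding:
    """Attach plain-language reasons a helper would want to look at this entry."""
    if f.company == "":
        f.reasons.append("no company name in the file's version info")
    if "File not found" in f.raw or "Reg Error" in f.raw:
        f.reasons.append("registry key error or file missing on disk")
    if f.path and any(d in f.path.lower() for d in SUSPECT_DIRS):
        f.reasons.append("runs from a temp/user-profile directory")
    return f


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that have at least one reason to look closer."""
    flagged = []
    for line in log_text.splitlines():
        f = parse_entry(line)
        if f is not None and assess(f).reasons:
            flagged.append(f)
    return flagged


def summarize(findings: List[Finding]) -> List[str]:
    return [f"{f.kind} {f.name}: {'; '.join(f.reasons)}" for f in findings]


if __name__ == "__main__":
    for text in summarize(triage(SAMPLE_LOG)):
        print(text)
```

On the sample it flags five entries (the Temp executable, the two unsigned-looking Acronis and eyeonedp drivers/services, the orphaned BHO and the dscactivate autostart) and passes the rest through.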
#7
dlinderyd (Topic Starter, 17 posts)

Hi Jimmy,
Thanks for your reply. I only got the OTListIt.txt to open after the scan and can't find the Extras.txt file anywhere. Below is the OTListIt.txt, and I've also included the WinDirStat screen. The big yellow area is the big unknown.
------
OTListIt logfile created on: 13/04/2009 00:08:01 - Run 4
OTListIt2 by OldTimer - Version 2.0.12.0 Folder = D:\Donald\Skrivbord\MalWare Tools
Windows Vista Ultimate Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: Storbritannien | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.63 Gb Available Physical Memory | 81.57% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys;

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 60.50 Gb Total Space | 0.68 Gb Free Space | 1.13% Space Free | Partition Type: NTFS
Drive D: | 340.01 Gb Total Space | 201.01 Gb Free Space | 59.12% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 232.88 Gb Total Space | 58.67 Gb Free Space | 25.19% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELBOY
Current User Name: Donald
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Windows\system32\nvvsvc.exe (NVIDIA Corporation)
PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
PRC - C:\Program Files\Fingerprint Reader Suite\upeksvr.exe (UPEK Inc.)
PRC - C:\Windows\system32\aestsrv.exe (Andrea Electronics Corporation)
PRC - C:\Program Files\Windows Home Server\esClient.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe (Intel Corporation)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe (Microsoft Corporation)
PRC - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
PRC - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe (IDT, Inc.)
PRC - C:\Windows\system32\DRIVERS\ACFXAU32.exe (Conexant Systems, Inc.)
PRC - C:\Program Files\Windows Home Server\WHSConnector.exe (Microsoft Corporation)
PRC - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
PRC - C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
PRC - C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\Program\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
PRC - C:\Program\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
PRC - C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
PRC - C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
PRC - C:\Program\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe (Sony Ericsson Mobile Communications AB)
PRC - C:\Windows\ehome\ehtray.exe (Microsoft Corporation)
PRC - C:\Program Files\DellTPad\ApMsgFwd.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
PRC - C:\Program\Google\Google Calendar Sync\GoogleCalendarSync.exe (Google)
PRC - C:\Program Files\Personal\bin\Personal.exe (Technology Nexus AB)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
PRC - C:\Program Files\SetPoint\SetPoint.exe (Logitech Inc.)
PRC - C:\Program Files\Windows Home Server\WHSTrayApp.exe (Microsoft Corporation)
PRC - C:\Windows\ehome\ehmsas.exe (Microsoft Corporation)
PRC - C:\Program Files\DellTPad\HidFind.exe (Alps Electric Co., Ltd.)
PRC - C:\Windows\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Program Files\DellTPad\Apntex.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Fingerprint Reader Suite\psqltray.exe (UPEK Inc.)
PRC - C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE (Logitech Inc.)
PRC - C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe (Broadcom Corporation.)
PRC - C:\Program Files\Windows Live\Contacts\wlcomm.exe (Microsoft Corporation)
PRC - C:\Windows\system32\conime.exe (Microsoft Corporation)
PRC - C:\Windows\ehome\ehsched.exe (Microsoft Corporation)
PRC - C:\Windows\ehome\ehRecvr.exe (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
PRC - D:\Donald\Skrivbord\MalWare Tools\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (AcronisOSSReinstallSvc [Auto | Stopped]) -- C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe ()
SRV - (AcrSch2Svc [Auto | Running]) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
SRV - (Adobe LM Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)
SRV - (AESTFilters [Auto | Running]) -- C:\Windows\system32\aestsrv.exe (Andrea Electronics Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (ehRecvr [On_Demand | Running]) -- C:\Windows\ehome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [On_Demand | Running]) -- C:\Windows\ehome\ehsched.exe (Microsoft Corporation)
SRV - (ehstart [Auto | Stopped]) -- C:\Windows\ehome\ehstart.dll (Microsoft Corporation)
SRV - (esClient [Auto | Running]) -- C:\Program Files\Windows Home Server\esClient.exe (Microsoft Corporation)
SRV - (EvtEng [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
SRV - (FLEXnet Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (IAANTMON [Auto | Running]) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe (Intel Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (Norton Internet Security [Auto | Running]) -- C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe (Symantec Corporation)
SRV - (nvsvc [Auto | Running]) -- C:\Windows\system32\nvvsvc.exe (NVIDIA Corporation)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (RegSrvc [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
SRV - (sprtsvc_dellsupportcenter [Auto | Running]) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (STacSV [Auto | Running]) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe (IDT, Inc.)
SRV - (Symantec RemoteAssist [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (Symantec, Inc.)
SRV - (WHSConnector [Auto | Running]) -- C:\Program Files\Windows Home Server\WHSConnector.exe (Microsoft Corporation)
SRV - (WinDefend [Auto | Stopped]) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Running]) -- C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (XAudioService [Auto | Running]) -- C:\Windows\system32\DRIVERS\ACFXAU32.exe (Conexant Systems, Inc.)

========== Driver Services (SafeList) ==========

DRV - (61883 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\61883.sys (Microsoft Corporation)
DRV - (acfva [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\ACFVA32.sys (Conexant Systems Inc.)
DRV - (adp94xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (adpahci [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (adpu160m [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (adpu320 [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (aic78xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (aliide [Disabled | Stopped]) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (ApfiltrService [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (arc [Disabled | Stopped]) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (arcsas [Disabled | Stopped]) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (Avc [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\avc.sys (Microsoft Corporation)
DRV - (BackupReader [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\BackupReader.sys (Microsoft Corporation)
DRV - (BHDrvx86 [System | Running]) -- C:\Windows\System32\Drivers\NIS\1005000.087\BHDrvx86.sys (Symantec Corporation)
DRV - (BrFiltLo [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (Brserid [Disabled | Stopped]) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrSerWdm [Disabled | Stopped]) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm [Disabled | Stopped]) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (btwaudio [On_Demand | Running]) -- C:\Windows\system32\drivers\btwaudio.sys (Broadcom Corporation.)
DRV - (btwavdt [On_Demand | Running]) -- C:\Windows\system32\drivers\btwavdt.sys (Broadcom Corporation.)
DRV - (btwrchid [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\btwrchid.sys (Broadcom Corporation.)
DRV - (ccHP [System | Running]) -- C:\Windows\System32\Drivers\NIS\1005000.087\ccHPx86.sys (Symantec Corporation)
DRV - (cmdide [Disabled | Stopped]) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (dgcfltr [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\ACFDCP32.sys (Conexant Systems, Inc.)
DRV - (E1G60 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\E1G60I32.sys (Intel Corporation)
DRV - (eeCtrl [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (elxstor [Disabled | Stopped]) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (EraserUtilRebootDrv [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (eyeonedp [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\eyeonedp.sys ()
DRV - (HpCISSs [Disabled | Stopped]) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (i1display [On_Demand | Stopped]) -- C:\Windows\System32\Drivers\i1display.sys ()
DRV - (iaStor [Boot | Running]) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (iaStorV [Disabled | Stopped]) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (IDSVix86 [System | Running]) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090408.002\IDSvix86.sys (Symantec Corporation)
DRV - (iirsp [Disabled | Stopped]) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (iteatapi [Disabled | Stopped]) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (iteraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (LHidFilt [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\LHidFilt.Sys (Logitech, Inc.)
DRV - (LMouFilt [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\LMouFilt.Sys (Logitech, Inc.)
DRV - (LSI_FC [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (LSI_SAS [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (LSI_SCSI [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (mdmxsdk [Auto | Running]) -- C:\Windows\system32\DRIVERS\ACFSDK32.sys (Conexant)
DRV - (megasas [Disabled | Stopped]) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)
DRV - (MegaSR [Disabled | Stopped]) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)
DRV - (Mraid35x [Disabled | Stopped]) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (MSDV [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\msdv.sys (Microsoft Corporation)
DRV - (NAVENG [On_Demand | Running]) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090412.003\NAVENG.SYS (Symantec Corporation)
DRV - (NAVEX15 [On_Demand | Running]) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090412.003\NAVEX15.SYS (Symantec Corporation)
DRV - (NETw4v32 [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\NETw4v32.sys (Intel Corporation)
DRV - (nfrd960 [Disabled | Stopped]) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (ntrigdigi [Disabled | Stopped]) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (nvlddmkm [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\nvlddmkm.sys (NVIDIA Corporation)
DRV - (nvraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nvstor [Disabled | Stopped]) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (OEM02Dev [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\OEM02Dev.sys (Creative Technology Ltd.)
DRV - (OEM02Vfx [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\OEM02Vfx.sys (EyePower Games Pte. Ltd.)
DRV - (PDIHWCTL [Auto | Running]) -- C:\Windows\system32\drivers\pdihwctl.sys (Portrait Displays, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\Windows\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (ql2300 [Disabled | Stopped]) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (ql40xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (rimmptsk [Auto | Running]) -- C:\Windows\system32\DRIVERS\rimmptsk.sys (REDC)
DRV - (rimsptsk [Auto | Running]) -- C:\Windows\system32\DRIVERS\rimsptsk.sys (REDC)
DRV - (rismxdp [Auto | Running]) -- C:\Windows\system32\DRIVERS\rixdptsk.sys (REDC)
DRV - (s0016bus [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\s0016bus.sys (MCCI Corporation)
DRV - (s0016mdfl [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\s0016mdfl.sys (MCCI Corporation)
DRV - (s0016mdm [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\s0016mdm.sys (MCCI Corporation)
DRV - (s0016mgmt [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\s0016mgmt.sys (MCCI Corporation)
DRV - (s0016nd5 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\s0016nd5.sys (MCCI Corporation)
DRV - (s0016obex [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\s0016obex.sys (MCCI Corporation)
DRV - (s0016unic [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\s0016unic.sys (MCCI Corporation)
DRV - (secdrv [Auto | Running]) -- C:\Windows\System32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SiSRaid4 [Disabled | Stopped]) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (snapman380 [Boot | Running]) -- C:\Windows\system32\DRIVERS\snman380.sys (Acronis)
DRV - (SRTSP [On_Demand | Running]) -- C:\Windows\System32\Drivers\NIS\1005000.087\SRTSP.SYS (Symantec Corporation)
DRV - (SRTSPX [System | Running]) -- C:\Windows\system32\drivers\NIS\1005000.087\SRTSPX.SYS (Symantec Corporation)
DRV - (STHDA [On_Demand | Running]) -- C:\Windows\system32\drivers\stwrt.sys (IDT, Inc.)
DRV - (Symc8xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (SymEFA [Boot | Running]) -- C:\Windows\system32\drivers\NIS\1005000.087\SYMEFA.SYS (Symantec Corporation)
DRV - (SymEvent [On_Demand | Running]) -- C:\Windows\system32\Drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (SYMFW [On_Demand | Running]) -- C:\Windows\System32\Drivers\NIS\1005000.087\SYMFW.SYS (Symantec Corporation)
DRV - (SymIM [System | Running]) -- C:\Windows\system32\DRIVERS\SymIMv.sys (Symantec Corporation)
DRV - (SYMNDISV [On_Demand | Running]) -- C:\Windows\System32\Drivers\NIS\1005000.087\SYMNDISV.SYS (Symantec Corporation)
DRV - (SYMTDI [System | Running]) -- C:\Windows\System32\Drivers\NIS\1005000.087\SYMTDI.SYS (Symantec Corporation)
DRV - (Sym_hi [Disabled | Stopped]) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (Sym_u3 [Disabled | Stopped]) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (TcUsb [On_Demand | Running]) -- C:\Windows\System32\Drivers\tcusb.sys (UPEK Inc.)
DRV - (tdrpman174 [Boot | Running]) -- C:\Windows\system32\DRIVERS\tdrpm174.sys (Acronis)
DRV - (tifsfilter [Auto | Running]) -- C:\Windows\system32\DRIVERS\tifsfilt.sys (Acronis)
DRV - (timounter [Boot | Running]) -- C:\Windows\system32\DRIVERS\timntr.sys (Acronis)
DRV - (uliahci [Disabled | Stopped]) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (UlSata [Disabled | Stopped]) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (ulsata2 [Disabled | Stopped]) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (UMPass [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (usbser [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\usbser.sys (Microsoft Corporation)
DRV - (viaide [Disabled | Stopped]) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (vsmraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (XAudio [Auto | Running]) -- C:\Windows\system32\DRIVERS\ACFXAU32.sys (Conexant Systems, Inc.)
DRV - (yukonwlh [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\yk60x86.sys (Marvell)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (27 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL (Symantec Corporation)
O2 - BHO: (Windows Live inloggningshjälpen) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (BrowserHelper Class) - {9A065C65-4EE7-4DDD-9918-F129089A894A} - C:\Program Files\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O2 - BHO: (no name) - {CF070CB8-F02F-4af4-A7B7-8D45CAD4BB54} - Reg Error: Key error. File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Home Server Banner) - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Program Files\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Program Files\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Program Files\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s (Creative Technology Ltd.)
O4 - HKLM..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" ( )
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE (Logitech Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [PSQLLauncher] "C:\Program Files\Fingerprint Reader Suite\launcher.exe" /startup (UPEK Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKCU..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (SupportSoft, Inc.)
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (Microsoft Corporation)
O4 - HKCU..\Run: [Sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon (Sony Ericsson Mobile Communications AB)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O8 - Extra context menu item: Skicka bild till &Bluetooth-enhet... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Skicka sida till &Bluetooth-enhet... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [@%SystemRoot%\system32\nlasvc.dll,-1000] - C:\Windows\system32\NLAapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [@%SystemRoot%\system32\napinsp.dll,-1000] - C:\Windows\system32\napinsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [@%SystemRoot%\system32\pnrpnsp.dll,-1000] - C:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [@%SystemRoot%\system32\pnrpnsp.dll,-1001] - C:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [Bluetooth-namnområde] - C:\Windows\system32\wshbth.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: bloomberg.net ([bba] https in Local intranet)
O15 - HKCU\..Trusted Domains: skandiabanken.se ([secure] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onec...e/wlscctrl2.cab (Windows Live OneCare safety scanner control)
O16 - DPF: {5D2CF9D0-113A-476B-986F-288B54571614} http://www.devalvr.c...valvrplugin.php (DevalVR Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll (Symantec Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) - C:\Windows\system32\vrlogon.dll (UPEK Inc.)
O20 - Winlogon\Notify\psfus: DllName - C:\Windows\system32\psqlpwd.dll - C:\Windows\system32\psqlpwd.dll (UPEK Inc.)
O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\System32\DreamScene.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\autoexec.bat () - [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/04/13 00:03:37 | 00,000,116 | ---- | C] () -- D:\Donald\Skrivbord\Hugh O’Malley Fashion Photographer London.url
[2009/04/13 00:03:33 | 00,000,167 | ---- | C] () -- D:\Donald\Skrivbord\Styling and Fashion Photography 101 Fashion Photography Blog - A Resource for Fashion Photographers, Created by One..url
[2009/04/13 00:03:29 | 00,000,123 | ---- | C] () -- D:\Donald\Skrivbord\Fashion Photography Blog - A Resource for Fashion Photographers, Created by One..url
[2009/04/11 01:25:16 | 00,000,000 | ---D | C] -- C:\Windows\System32\WindowsPowerShell
[2009/04/11 00:27:11 | 00,000,000 | ---D | C] -- C:\Program Files\Nitro PDF
[2009/04/10 23:54:26 | 00,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2009/04/10 23:54:26 | 00,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll
[2009/04/10 23:54:26 | 00,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtmled.dll
[2009/04/10 23:54:26 | 00,059,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\icardie.dll
[2009/04/10 23:54:26 | 00,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll
[2009/04/10 23:54:25 | 00,156,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll
[2009/04/10 23:54:25 | 00,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tdc.ocx
[2009/04/10 23:54:25 | 00,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2009/04/10 23:54:25 | 00,018,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\corpol.dll
[2009/04/10 23:54:24 | 00,348,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll
[2009/04/10 23:54:24 | 00,125,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll
[2009/04/10 23:54:24 | 00,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2009/04/10 23:54:24 | 00,034,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll
[2009/04/10 23:54:22 | 01,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2009/04/10 23:54:22 | 00,216,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll
[2009/04/10 23:54:21 | 00,183,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2009/04/10 23:54:21 | 00,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2009/04/10 23:54:20 | 00,236,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\webcheck.dll
[2009/04/10 23:54:20 | 00,229,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2009/04/10 23:54:20 | 00,193,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
[2009/04/10 23:54:20 | 00,109,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\occache.dll
[2009/04/10 23:54:20 | 00,094,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll
[2009/04/10 23:54:20 | 00,043,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2009/04/10 23:54:19 | 00,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2009/04/10 23:54:19 | 00,208,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WinFXDocObj.exe
[2009/04/10 23:54:19 | 00,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll
[2009/04/10 23:54:19 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2009/04/10 23:54:19 | 00,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe
[2009/04/10 23:54:19 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2009/04/10 23:54:18 | 00,594,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2009/04/10 23:54:18 | 00,128,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\advpack.dll
[2009/04/10 23:54:18 | 00,046,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll
[2009/04/10 23:54:17 | 00,445,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2009/04/10 23:54:17 | 00,057,667 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2009/04/10 23:54:16 | 00,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2009/04/10 23:54:16 | 00,420,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2009/04/10 23:54:16 | 00,105,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2009/04/10 23:54:15 | 00,391,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2009/04/10 23:54:10 | 00,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2009/04/10 23:54:10 | 00,169,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe
[2009/04/10 23:54:10 | 00,045,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshta.exe
[2009/04/10 23:54:09 | 03,698,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat
[2009/04/10 23:54:09 | 01,985,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iertutil.dll
[2009/04/10 23:54:09 | 00,914,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wininet.dll
[2009/04/10 23:54:09 | 00,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2009/04/10 23:54:09 | 00,132,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2009/04/10 23:54:09 | 00,109,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PDMSetup.exe
[2009/04/10 23:54:09 | 00,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2009/04/10 23:54:09 | 00,107,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2009/04/10 23:54:09 | 00,107,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe
[2009/04/10 23:54:09 | 00,103,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetDepNx.exe
[2009/04/10 23:54:08 | 11,063,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieframe.dll
[2009/04/10 23:54:08 | 01,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2009/04/10 23:54:08 | 01,206,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\urlmon.dll
[2009/04/10 23:54:07 | 05,937,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll
[2009/04/10 06:23:00 | 00,000,000 | ---D | C] -- C:\Users\Donald\AppData\Local\Apple
[2009/04/09 02:10:31 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2009/04/07 15:18:02 | 00,000,000 | ---D | C] -- C:\Program Files\WinDirStat
[2009/04/07 15:07:46 | 00,000,000 | ---D | C] -- C:\Users\Donald\AppData\Local\Adobe
[2009/04/06 22:10:34 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/04/06 22:04:06 | 00,000,000 | ---D | C] -- C:\Windows\Minidump
[2009/04/06 21:43:23 | 00,000,000 | ---D | C] -- D:\Donald\Skrivbord\MalWare Tools
[2009/04/06 21:34:53 | 00,000,000 | ---D | C] -- C:\Users\Donald\AppData\Roaming\Malwarebytes
[2009/04/06 21:34:51 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/04/06 21:34:49 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/04/06 21:34:47 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/04/06 21:34:47 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/06 21:01:20 | 00,029,696 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2009/04/06 21:01:19 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2009/04/06 21:01:19 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2009/04/06 21:01:19 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2009/04/06 21:01:19 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2009/04/06 21:01:19 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\Windows\fdsv.exe
[2009/04/06 21:01:19 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2009/04/06 21:01:19 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2009/04/06 21:01:19 | 00,049,152 | ---- | C] () -- C:\Windows\VFIND.exe
[2009/04/06 21:01:14 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2009/04/06 21:01:14 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/04/06 21:01:12 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/04/06 20:53:23 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/06 14:50:42 | 00,000,146 | ---- | C] () -- D:\Donald\Skrivbord\Something is eating my harddrive..url
[2009/04/06 14:48:17 | 00,000,161 | ---- | C] () -- D:\Donald\Skrivbord\Malware and Spyware Cleaning Guide.url
[2009/04/06 14:44:31 | 00,000,162 | ---- | C] () -- D:\Donald\Skrivbord\Hard-Drive-Space-eating-virus-t193111.url
[2009/04/06 14:38:10 | 00,000,163 | ---- | C] () -- D:\Donald\Skrivbord\Virus eating up my c- DRIVE! PLEASE HELP! - Tech Support Guy Forums.url
[2009/04/04 19:50:16 | 00,000,118 | ---- | C] () -- D:\Donald\Skrivbord\Explore Windows Live.url
[2009/04/03 18:26:30 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Office Outlook Connector
[2009/04/02 00:48:55 | 00,041,874 | ---- | C] () -- D:\Donald\Documents\Adressetiketter.docx
[2009/04/01 20:57:17 | 00,344,002 | ---- | C] () -- D:\Donald\Skrivbord\CRM.pdf
[2009/04/01 18:29:52 | 00,000,000 | ---D | C] -- C:\Users\Donald\AppData\Local\MigWiz
[2009/04/01 11:45:40 | 00,000,124 | ---- | C] () -- D:\Donald\Skrivbord\Inspiring entrepreneurs - webcasts and podcasts.url
[2009/04/01 11:43:26 | 00,000,116 | ---- | C] () -- D:\Donald\Skrivbord\Fishermans Friend.url
[2009/03/29 13:36:44 | 00,000,000 | ---D | C] -- D:\Donald\Documents\Mat
[2009/03/27 12:33:29 | 00,000,000 | ---D | C] -- C:\ProgramData\Windows Home Server
[2009/03/26 02:08:31 | 01,567,162 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1005000.087\Cat.DB
[2009/03/26 01:32:32 | 00,000,168 | ---- | C] () -- D:\Donald\Skrivbord\Adobe - Lightroom 2.0 tutorial Lightroom 2.0 video tutorials.url
[2009/03/26 01:08:37 | 00,000,123 | ---- | C] () -- D:\Donald\Skrivbord\#pd+Lightroom.url
[2009/03/24 20:20:55 | 00,000,000 | ---D | C] -- D:\Donald\Documents\Blog
[2009/03/21 18:35:18 | 38,541,72168 | ---- | C] () -- D:\Donald\Skrivbord\Les Arcs 2005.avi
[2009/03/21 13:54:05 | 00,000,000 | ---D | C] -- D:\Donald\Skrivbord\Mobil
[2009/03/21 13:53:41 | 00,000,000 | ---D | C] -- D:\Donald\Skrivbord\G7
[2009/03/21 13:03:28 | 29,704,38134 | ---- | C] () -- D:\Donald\Skrivbord\Les Arcs 2005-9.avi
[2009/03/20 23:24:35 | 00,000,000 | ---D | C] -- C:\Users\Donald\AppData\Local\Hewlett-Packard
[2009/03/20 20:06:19 | 00,217,392 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1005000.087\symtdi.sys
[2009/03/20 20:06:19 | 00,039,984 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1005000.087\symndisv.sys
[2009/03/20 20:06:19 | 00,037,296 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1005000.087\symndis.sys
[2009/03/20 20:06:19 | 00,009,423 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1005000.087\SymNet.cat
[2009/03/20 20:06:19 | 00,001,528 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1005000.087\SymNet.inf
[2009/03/20 20:06:18 | 00,310,320 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1005000.087\SymEFA.sys
[2009/03/20 20:06:18 | 00,307,760 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1005000.087\srtsp.sys
[2009/03/20 20:06:18 | 00,258,608 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1005000.087\BHDrvx86.sys
[2009/03/20 20:06:18 | 00,089,776 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1005000.087\symfw.sys
[2009/03/20 20:06:18 | 00,043,696 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1005000.087\srtspx.sys
[2009/03/20 20:06:18 | 00,034,736 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1005000.087\symids.sys
[2009/03/20 20:06:18 | 00,007,410 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1005000.087\SymEFA.cat
[2009/03/20 20:06:18 | 00,007,372 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1005000.087\srtspx.cat
[2009/03/20 20:06:18 | 00,007,364 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1005000.087\BHDrvx86.CAT
[2009/03/20 20:06:18 | 00,007,355 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1005000.087\srtsp.cat
[2009/03/20 20:06:18 | 00,007,347 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1005000.087\ccHPx86.cat
[2009/03/20 20:06:18 | 00,003,373 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1005000.087\SymEFA.inf
[2009/03/20 20:06:18 | 00,001,753 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1005000.087\ccHPx86.inf
[2009/03/20 20:06:18 | 00,001,389 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1005000.087\srtspx.inf
[2009/03/20 20:06:18 | 00,001,383 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1005000.087\srtsp.inf
[2009/03/20 20:06:18 | 00,000,640 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1005000.087\BHDrvx86.inf
[2009/03/20 20:05:53 | 00,482,352 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1005000.087\cchpx86.sys
[2009/03/20 20:05:52 | 00,000,172 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1005000.087\isolate.ini
[2009/03/20 20:05:52 | 00,000,000 | ---D | C] -- C:\Windows\System32\drivers\NIS\1005000.087
[2009/03/20 16:48:08 | 00,000,000 | ---D | C] -- C:\ProgramData\Symantec
[2009/03/20 16:47:38 | 00,000,000 | ---D | C] -- D:\Donald\Documents\Symantec
[2009/03/20 16:47:22 | 00,025,136 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SymIMV.sys
[2009/03/20 16:47:16 | 00,124,464 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2009/03/20 16:47:16 | 00,000,000 | ---D | C] -- C:\Program Files\Symantec
[2009/03/20 16:46:48 | 00,000,000 | ---D | C] -- C:\Windows\System32\drivers\NIS
[2009/03/20 16:46:47 | 00,000,000 | ---D | C] -- C:\Program Files\Norton Internet Security
[2009/03/20 16:26:49 | 00,000,000 | ---D | C] -- C:\ProgramData\PCSettings
[2009/03/20 16:26:48 | 00,000,000 | ---D | C] -- C:\ProgramData\Norton
[2009/03/20 16:26:38 | 00,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2009/03/20 16:26:38 | 00,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2009/03/19 15:40:53 | 00,001,024 | ---- | C] () -- C:\Windows\System32\gncontent.cch
[2009/03/19 15:37:38 | 00,000,000 | ---D | C] -- C:\Users\Donald\AppData\Roaming\Sony
[2009/03/19 15:37:38 | 00,000,000 | ---D | C] -- C:\ProgramData\Sony
[2009/03/19 15:34:09 | 00,000,000 | ---D | C] -- C:\Users\Donald\AppData\Local\Sony
[2009/03/19 15:32:48 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Sony Shared
[2009/03/19 15:30:20 | 00,000,000 | ---D | C] -- C:\Program Files\Sony Setup
[2009/03/15 18:31:10 | 00,000,000 | ---D | C] -- C:\ProgramData\eSellerate
[2009/03/15 18:31:09 | 00,000,000 | ---D | C] -- C:\ProgramData\SmartSound Software Inc
[2009/03/15 18:30:55 | 00,000,000 | ---D | C] -- C:\Program Files\SmartSound Software
[2009/03/15 18:29:37 | 00,002,024 | ---- | C] () -- C:\Users\Public\Desktop\Premiere Elements.lnk
[2009/03/15 17:59:39 | 00,000,000 | ---D | C] -- C:\Users\Donald\AppData\Roaming\Download Manager
[2009/03/15 00:20:45 | 10,622,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmp.dll
[2009/03/15 00:20:43 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\spwmp.dll
[2009/03/15 00:20:43 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdxm.ocx
[2009/03/15 00:20:43 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxmasf.dll
[2009/03/15 00:20:42 | 08,147,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL
[2009/03/15 00:20:39 | 00,268,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\schannel.dll
[2009/03/15 00:20:37 | 02,033,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2009/02/21 09:25:20 | 00,691,592 | ---- | C] () -- C:\Windows\System32\OGACheckControl.DLL
[2009/02/20 15:47:21 | 00,044,344 | ---- | C] () -- C:\Windows\System32\drivers\i1display.sys
[2009/02/20 12:26:25 | 00,007,680 | ---- | C] () -- C:\Windows\System32\CNMVS6l.DLL
[2008/01/21 03:23:41 | 00,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2007/07/25 17:40:02 | 00,999,424 | ---- | C] () -- C:\Windows\System32\WLIHVUI.dll
[2006/11/03 18:25:56 | 00,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 13:34:20 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 11:23:31 | 00,000,219 | ---- | C] () -- C:\Windows\win.ini
[2006/11/02 11:23:31 | 00,000,215 | ---- | C] () -- C:\Windows\system.ini
[2006/11/02 08:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2005/03/27 07:06:00 | 00,044,344 | ---- | C] () -- C:\Windows\System32\drivers\EyeOneDp.sys
[2001/11/14 13:56:00 | 01,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

========== Files - Modified Within 30 Days ==========

[2009/04/13 00:03:37 | 00,000,116 | ---- | M] () -- D:\Donald\Skrivbord\Hugh O’Malley Fashion Photographer London.url
[2009/04/13 00:03:33 | 00,000,167 | ---- | M] () -- D:\Donald\Skrivbord\Styling and Fashion Photography 101 Fashion Photography Blog - A Resource for Fashion Photographers, Created by One..url
[2009/04/13 00:03:29 | 00,000,123 | ---- | M] () -- D:\Donald\Skrivbord\Fashion Photography Blog - A Resource for Fashion Photographers, Created by One..url
[2009/04/12 22:29:25 | 00,000,420 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{50496F2F-1211-476E-92B0-448D62CC19CE}.job
[2009/04/12 22:12:56 | 00,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/04/12 22:12:56 | 00,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/04/12 19:49:56 | 01,567,162 | ---- | M] () -- C:\Windows\System32\drivers\NIS\1005000.087\Cat.DB
[2009/04/12 18:12:41 | 00,082,446 | ---- | M] () -- C:\ProgramData\nvModes.001
[2009/04/12 18:12:38 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/04/12 10:11:16 | 00,002,541 | ---- | M] () -- D:\Donald\Skrivbord\Outlook.lnk
[2009/04/11 13:08:16 | 00,001,752 | -H-- | M] () -- D:\Donald\Documents\Default.rdp
[2009/04/11 11:57:55 | 01,403,266 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/04/11 11:57:55 | 00,600,656 | ---- | M] () -- C:\Windows\System32\perfh01D.dat
[2009/04/11 11:57:55 | 00,590,082 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/04/11 11:57:55 | 00,118,536 | ---- | M] () -- C:\Windows\System32\perfc01D.dat
[2009/04/11 11:57:55 | 00,102,094 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/04/11 11:51:46 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/04/11 11:51:41 | 37,560,64768 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/11 11:50:37 | 00,003,803 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2009/04/11 11:49:49 | 03,645,059 | -H-- | M] () -- C:\Users\Donald\AppData\Local\IconCache.db
[2009/04/06 21:06:53 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini
[2009/04/06 21:06:47 | 00,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2009/04/06 20:36:44 | 00,000,560 | ---- | M] () -- C:\Windows\tasks\Norton Internet Security - Kör fullständig systemsökning - Donald.job
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/04/06 14:50:42 | 00,000,146 | ---- | M] () -- D:\Donald\Skrivbord\Something is eating my harddrive..url
[2009/04/06 14:48:17 | 00,000,161 | ---- | M] () -- D:\Donald\Skrivbord\Malware and Spyware Cleaning Guide.url
[2009/04/06 14:44:31 | 00,000,162 | ---- | M] () -- D:\Donald\Skrivbord\Hard-Drive-Space-eating-virus-t193111.url
[2009/04/06 14:38:11 | 00,000,163 | ---- | M] () -- D:\Donald\Skrivbord\Virus eating up my c- DRIVE! PLEASE HELP! - Tech Support Guy Forums.url
[2009/04/05 05:09:23 | 00,082,446 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2009/04/04 19:50:16 | 00,000,118 | ---- | M] () -- D:\Donald\Skrivbord\Explore Windows Live.url
[2009/04/04 07:34:19 | 00,044,544 | ---- | M] () -- C:\Users\Donald\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/04 07:27:15 | 00,261,280 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/04/03 21:09:33 | 00,057,368 | ---- | M] () -- C:\Users\Donald\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/04/02 08:53:37 | 00,041,874 | ---- | M] () -- D:\Donald\Documents\Adressetiketter.docx
[2009/04/01 20:57:17 | 00,344,002 | ---- | M] () -- D:\Donald\Skrivbord\CRM.pdf
[2009/04/01 11:45:40 | 00,000,124 | ---- | M] () -- D:\Donald\Skrivbord\Inspiring entrepreneurs - webcasts and podcasts.url
[2009/04/01 11:43:26 | 00,000,116 | ---- | M] () -- D:\Donald\Skrivbord\Fishermans Friend.url
[2009/03/26 04:15:13 | 00,001,971 | ---- | M] () -- C:\Users\Public\Desktop\Shared Folders on Server.lnk
[2009/03/26 04:15:05 | 00,002,513 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Home Server.lnk
[2009/03/26 02:08:16 | 00,000,368 | -HS- | M] () -- C:\Users\Public\Desktop\desktop.ini
[2009/03/26 01:32:32 | 00,000,168 | ---- | M] () -- D:\Donald\Skrivbord\Adobe - Lightroom 2.0 tutorial Lightroom 2.0 video tutorials.url
[2009/03/26 01:08:37 | 00,000,123 | ---- | M] () -- D:\Donald\Skrivbord\#pd+Lightroom.url
[2009/03/25 22:59:18 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2009/03/25 22:59:18 | 00,007,386 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.CAT
[2009/03/25 22:59:18 | 00,000,805 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.INF
[2009/03/22 14:24:45 | 29,704,38134 | ---- | M] () -- D:\Donald\Skrivbord\Les Arcs 2005-9.avi
[2009/03/21 19:30:07 | 38,541,72168 | ---- | M] () -- D:\Donald\Skrivbord\Les Arcs 2005.avi
[2009/03/20 20:05:53 | 00,482,352 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1005000.087\cchpx86.sys
[2009/03/20 20:05:52 | 00,000,172 | ---- | M] () -- C:\Windows\System32\drivers\NIS\1005000.087\isolate.ini
[2009/03/19 15:40:53 | 00,001,024 | ---- | M] () -- C:\Windows\System32\gncontent.cch
[2009/03/15 18:29:37 | 00,002,024 | ---- | M] () -- C:\Users\Public\Desktop\Premiere Elements.lnk
[2009/03/15 14:39:43 | 00,001,976 | ---- | M] () -- C:\Users\Public\Desktop\Lightroom.lnk

========== LOP Check ==========

[2009/04/06 20:36:44 | 00,000,560 | ---- | M] () -- C:\Windows\Tasks\Norton Internet Security - Kör fullständig systemsökning - Donald.job
[2009/04/11 11:51:46 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT
[2009/04/11 11:50:37 | 00,032,616 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2009/04/12 22:29:25 | 00,000,420 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{50496F2F-1211-476E-92B0-448D62CC19CE}.job

========== Purity Check ==========


========== Alternate Data Streams ==========

@Alternate Data Stream - 64 bytes -> D:\Donald\Skrivbord\Les Arcs 2005-9.avi:TOC.WMV
< End of report >
------

Attached Thumbnails

  • WinDirStat_090413.JPG


#8
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello dlinderyd,


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

#9
dlinderyd

dlinderyd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Thanks Jimmy,

However, GMER crashes my laptop, hence I don't get any log file. It starts the scan and then tells me that it has found something and asks me if I want to run a full scan. I click "NO", as you suggested, and follow your instructions. GMER starts scanning again and a couple of minutes into the scan I get the "Blue Screen of Death", which I haven't seen since the XP days. I've tried 3 times and made sure nothing is running when GMER is active.

Should I try to run GMER in "Safe Mode", or what do you suggest?

/Donald

Edited by dlinderyd, 13 April 2009 - 07:32 AM.


#10 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello dlinderyd,
Please try the following.


Download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
Please post the contents of RootRepeal.txt in your next reply.
#11 dlinderyd (Topic Starter, Member, 17 posts)
Excellent news :) RootRepeal crashed as well (but at least didn't crash Vista) and the only thing in the crash report is the below:
----
ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000094
Exception Address: 0x004082d5
----

What should I do now? Feels like my laptop is in a much worse state than I thought.
Really need your help.

/Donald

Edited by dlinderyd, 13 April 2009 - 01:09 PM.


#12 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello dlinderyd,
Please see if the following will work.


We will now do a deep search of your processes and files

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Investigation" check box.
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both zip files to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#13 dlinderyd (Topic Starter, Member, 17 posts)
Hi Jimmy,

Ran AVZ and followed your instructions but couldn't find any "Advanced System Investigation" script so ran "Advanced System Analysis" instead. I hope that's OK.

I've attached the two zip-files you asked for. What do you make of them?
/Donald
----
Attached File  virusinfo_syscure.zip   35.48KB   173 downloads
Attached File  virusinfo_syscheck.zip   34.95KB   179 downloads

#14 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello dlinderyd,

What do you make of them?

They look clean.
Please try the following scans and see if they pick anything up.

  • Please start Malwarebytes' Anti-Malware and update it.
  • To update please do this, click Update and then click Check for Updates.
  • It will now install any updates it finds.
  • Once it is done updating please click Scanner and then click "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please do an online scan with Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
~~~~~~~~~~~~~~~
In your next reply please have these logs.
The Malwarebytes log
And the Kaspersky log

#15 dlinderyd (Topic Starter, Member, 17 posts)
Hi Jimmy,

Here are the results of the Malwarebytes scan (nothing to report):
-----
Malwarebytes' Anti-Malware 1.36
Database version: 1983
Windows 6.0.6001 Service Pack 1

14/04/2009 21:20:03
mbam-log-2009-04-14 (21-20-03).txt

Scan type: Quick Scan
Objects scanned: 87900
Time elapsed: 2 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-----

And the Kaspersky scan, which found two things from what I understand, unfortunately in my Outlook file:
-----
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, April 15, 2009
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, April 14, 2009 21:34:55
Records in database: 2044254
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 431830
Threat name: 1
Infected objects: 0
Suspicious objects: 2
Duration of the scan: 04:10:19


File name / Threat name / Threats count
D:\Donald\Outlook\Donald.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\Donald\Outlook\Donald.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

The selected area was scanned.
------

I think I know what these refer to. Several years ago I received one of those phishing emails and kept it just for fun, as they were written in a terrible language back then. Can this really be eating up 30GB of hard drive, and why would it show up now, after several years? I have however noticed (or think I have anyway, because it all goes so quickly) that Outlook sometimes says "sending mail 8 of 8" or something similar in the bottom right corner, although I'm just sending one email (I don't send emails immediately).

What to do next?

/Donald

Edited by dlinderyd, 14 April 2009 - 06:55 PM.
