
fake alert removal [Solved]


  • This topic is locked

#1 suemc (Member, 14 posts)
Have run boot scans with Avast and Spybot Search & Destroy; both say the computer is now clean, but every time I open Word, Nonspy opens saying I have the Melissa worm :)

Edited by suemc, 06 June 2010 - 09:02 AM.




#2 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

My name is SweetTech. I would be glad to take a look at your log and help you with solving any malware problems.

If you have already received help elsewhere please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
  • Please make sure to carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is make sure that your anti-virus definitions are up-to-date!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together :)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message on here. :)
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
____________________________________________________


OTL Custom Scan
  • Download OTL to your desktop.
  • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under Custom Scan paste this in


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /180

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
  • You may need two posts to fit them both in.


NEXT:



Scanning with GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. The logs that were produced after running the OTL scans. (OTL.txt & Extras.txt)
3. The log that was produced after running GMER
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.
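As an added example (not part of this thread, and not OldTimer's OTL code), the script below applies the first-pass checks a helper makes when reading a pasted OTL log: hosts-file entries that point somewhere other than loopback (a hijack, as opposed to the harmless 127.0.0.1 blocklist lines Spybot's immunisation writes), Browser Helper Objects and Run entries with no name or no company string, orphaned toolbar CLSIDs, and DLL/EXE files with no company string sitting directly in the Windows folder (including renamed copies with trailing underscores). The line patterns are modelled on the OTL 3.2 output format; SAMPLE_LOG is constructed for the example, and the 203.0.113.5 hosts entry and the "updater" autostart in it are invented.

```python
"""Added example: first-pass triage of an OTL log (not part of the thread, not OTL's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Line patterns modelled on the OTL 3.2 output format (assumption: that layout).
RE_HOSTS = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$")
RE_BHO = re.compile(
    r"^O2 - BHO: \((?P<name>[^)]*)\) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?) \((?P<company>[^)]*)\)$"
)
RE_TOOLBAR = re.compile(r"^O3 - .* - No CLSID value found\.$")
RE_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<key>[^\]]+)\] "
    r"(?P<path>.+?) \((?P<company>[^)]*)\)$"
)
# File entries whose company field is empty: "[date | size | attrs | C] () -- path"
RE_FILE_NOCO = re.compile(r"^\[[^\]]+\] \(\) -- (?P<path>.+)$")
# A DLL/EXE directly in the Windows root (optionally a renamed copy with trailing
# underscores) is a common dropper habit and worth a second look.
RE_WINROOT_BIN = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(?:dll|exe)_*$", re.IGNORECASE)

# Hosts entries pointing at loopback/null are blocklist immunisation, not a hijack;
# anything else silently sends that host name to an address of the attacker's choosing.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class Finding:
    severity: str  # "high" | "medium" | "low"
    line: str
    reason: str


def triage_otl(log: str) -> list[Finding]:
    """Return the log entries a helper would query first, in log order."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := RE_HOSTS.match(line):
            if m["ip"] not in LOOPBACK:
                findings.append(Finding("high", line, f"hosts file redirects {m['host']} to {m['ip']}"))
        elif m := RE_BHO.match(line):
            if m["name"] == "no name" or not m["company"]:
                findings.append(Finding("high", line, "BHO with no name or no company string loads into every IE process"))
        elif RE_TOOLBAR.match(line):
            findings.append(Finding("low", line, "orphaned toolbar registration (no CLSID)"))
        elif m := RE_RUN.match(line):
            if not m["company"]:
                findings.append(Finding("medium", line, f"autostart [{m['key']}] has no company string"))
        elif m := RE_FILE_NOCO.match(line):
            if RE_WINROOT_BIN.match(m["path"]):
                findings.append(Finding("medium", line, "binary with no company string directly in the Windows folder"))
    return findings


# Constructed sample in OTL format. The socks_bot.dll / toolbar lines mirror entries
# seen in this thread; the 203.0.113.5 hosts line and the "updater" Run entry are invented.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 203.0.113.5 update.example.com
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (no name) - {D939265F-B992-4B69-AD8B-4E3325BD051F} - C:\WINDOWS\socks_bot.dll ()
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKCU..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe ()
[2008/09/10 20:45:15 | 000,159,744 | ---- | C] () -- C:\WINDOWS\socks_bot.dll____
[2008/02/04 20:29:51 | 000,159,744 | ---- | C] () -- C:\WINDOWS\socks_bot.dll
[2007/11/21 00:03:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\webica.ini
"""

if __name__ == "__main__":
    for f in triage_otl(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The point of the loopback test is that a large hosts file is not by itself a finding: the 400 KB file in this thread is mostly 127.0.0.1 lines, which only block the listed domains. An entry that maps a host name to any other address is what turns the hosts file into a hijack, because every program on the machine resolves that name through it.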

#3 suemc (Topic Starter, Member, 14 posts)
Here are the logs - Ror

I have tried without success to get rid of the Nospy which comes up every time I try to load Microsoft Word and tells me I have a worm virus

Please can you help me :)
OTL logfile created on: 06/06/2010 20:23:39 - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\Donna Sanderson\Desktop\sue
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

510.00 Mb Total Physical Memory | 117.00 Mb Available Physical Memory | 23.00% Memory free
989.00 Mb Paging File | 387.00 Mb Available in Paging File | 39.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.63 Gb Total Space | 4.87 Gb Free Space | 26.16% Space Free | Partition Type: NTFS
Drive D: | 18.63 Gb Total Space | 18.61 Gb Free Space | 99.92% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-ZF9FR6OM66
Current User Name: Donna Sanderson
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/06 20:21:25 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Donna Sanderson\Desktop\sue\OTL.exe
PRC - [2009/11/25 00:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/25 00:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/25 00:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/25 00:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/25 00:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/11/11 18:39:40 | 001,463,296 | ---- | M] (T-Mobile) -- C:\Program Files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe
PRC - [2008/04/30 17:52:36 | 000,200,704 | ---- | M] (OptionNV) -- C:\Program Files\T-Mobile\web'n'walk Manager\GtDetectSc.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/04 11:39:00 | 000,700,416 | ---- | M] (Bytemobile, Inc.) -- C:\Program Files\T-Mobile\web'n'walk Manager\bmop.exe
PRC - [2008/02/04 11:39:00 | 000,376,832 | ---- | M] (Bytemobile, Inc.) -- C:\Program Files\T-Mobile\web'n'walk Manager\bmctl.exe
PRC - [2007/10/10 22:45:57 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/05/04 09:27:00 | 000,071,360 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2003/02/27 09:04:04 | 000,114,688 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2003/02/26 10:08:42 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2002/08/20 19:29:26 | 000,040,960 | ---- | M] (Easy Systems Japan Ltd.) -- C:\WINDOWS\system32\ezSP_Px.exe
PRC - [2002/03/15 01:46:58 | 000,045,056 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe


========== Modules (SafeList) ==========

MOD - [2010/06/06 20:21:25 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Donna Sanderson\Desktop\sue\OTL.exe
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (gusvc)
SRV - [2009/11/25 00:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/25 00:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/25 00:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/25 00:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2008/04/30 17:52:36 | 000,200,704 | ---- | M] (OptionNV) [Auto | Running] -- C:\Program Files\T-Mobile\web'n'walk Manager\GtDetectSc.exe -- (GtDetectSc)
SRV - [2007/05/04 09:27:00 | 000,071,360 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)


========== Driver Services (SafeList) ==========

DRV - [2009/11/25 00:50:59 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/25 00:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/25 00:50:00 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/25 00:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/25 00:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/25 00:47:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2008/11/07 13:03:18 | 000,008,064 | ---- | M] (Option N.V.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtuhsser.sys -- (GTUHSSER)
DRV - [2008/11/07 13:01:48 | 000,020,352 | ---- | M] (Option N.V.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtuhsoms.sys -- (GTUHSOMS)
DRV - [2008/11/07 12:58:56 | 000,105,984 | ---- | M] (Option N.V.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtuhs51.sys -- (GTUHSNDISIPXP)
DRV - [2008/11/07 12:57:38 | 000,062,592 | ---- | M] (Option N.V.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtuhsbus.sys -- (GTUHSBUS)
DRV - [2008/02/08 16:39:06 | 000,004,864 | ---- | M] (Option N.V.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\GtTdiFltr.sys -- (GtTdiFltr)
DRV - [2007/12/11 15:46:42 | 000,101,120 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2007/08/06 14:30:18 | 000,018,816 | ---- | M] (Bytemobile, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpipBM.sys -- (tcpipBM)
DRV - [2003/04/29 12:10:40 | 000,004,448 | ---- | M] (StarForce Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp01.sys -- (sfhlp01)
DRV - [2003/04/28 11:12:21 | 000,094,464 | ---- | M] (StarForce Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\prohlp02.sys -- (prohlp02)
DRV - [2003/04/28 10:16:07 | 000,050,816 | ---- | M] (StarForce Technologies, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\prodrv06.sys -- (prodrv06)
DRV - [2003/04/04 08:41:46 | 000,006,848 | ---- | M] (StarForce Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\prosync1.sys -- (prosync1)
DRV - [2003/03/13 23:19:00 | 000,159,488 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWVIA.sys -- (HSFHWVIA)
DRV - [2003/03/13 23:17:00 | 000,622,592 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/03/13 23:15:00 | 001,106,944 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/02/27 20:36:04 | 000,090,852 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2002/12/10 14:06:28 | 000,076,416 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\viaudio.sys -- (VIAudio) VIA AC'97 Audio Controller (WDM)
DRV - [2002/11/08 12:25:00 | 001,004,410 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2002/10/04 09:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2000/12/06 01:18:02 | 000,003,952 | R--- | M] (Sony Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Ask.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://www.mywebsear.......p;l=zu&o=sb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9B DA 56 18 82 05 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



O1 HOSTS File: ([2010/06/06 15:09:58 | 000,403,768 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 13967 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (no name) - {D939265F-B992-4B69-AD8B-4E3325BD051F} - C:\WINDOWS\socks_bot.dll ()
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe (Easy Systems Japan Ltd.)
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\web'n'walk Manager.lnk = C:\Program Files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe (T-Mobile)
O4 - Startup: C:\Documents and Settings\Donna Sanderson\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClassicShell = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: sony-europe.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: sonystyle-europe.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: vaio-link.com ([]* in Trusted sites)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1257943898612 (MUWebControl Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 149.254.201.126 149.254.192.126
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Donna Sanderson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Donna Sanderson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/04/03 02:08:59 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{03178d70-50b7-11dd-92c9-080046affde1}\Shell - "" = AutoRun
O33 - MountPoints2\{03178d70-50b7-11dd-92c9-080046affde1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{03178d70-50b7-11dd-92c9-080046affde1}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{1aac72c0-cfbe-11de-9472-c1e08c09b2f1}\Shell - "" = AutoRun
O33 - MountPoints2\{1aac72c0-cfbe-11de-9472-c1e08c09b2f1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1aac72c0-cfbe-11de-9472-c1e08c09b2f1}\Shell\AutoRun\command - "" = F:\AutoRun.exe -- File not found
O33 - MountPoints2\{47f6cc90-cc94-11de-9464-080046affde1}\Shell - "" = AutoRun
O33 - MountPoints2\{47f6cc90-cc94-11de-9464-080046affde1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{47f6cc90-cc94-11de-9464-080046affde1}\Shell\AutoRun\command - "" = F:\AutoRun.exe -- File not found
O33 - MountPoints2\{50aa2ae0-fe6e-11dd-9400-080046affde1}\Shell - "" = AutoRun
O33 - MountPoints2\{50aa2ae0-fe6e-11dd-9400-080046affde1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{50aa2ae0-fe6e-11dd-9400-080046affde1}\Shell\AutoRun\command - "" = F:\setup.exe -- File not found
O33 - MountPoints2\{9f2a0ec0-cfbd-11de-9471-860bad78e8bd}\Shell - "" = AutoRun
O33 - MountPoints2\{9f2a0ec0-cfbd-11de-9471-860bad78e8bd}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9f2a0ec0-cfbd-11de-9471-860bad78e8bd}\Shell\AutoRun\command - "" = F:\AutoRun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2003/04/03 02:08:21 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\System32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.dvsd - C:\Program Files\Common Files\Sony Shared\DVLib\sonydv.dll (Sony Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.VP60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/06/06 17:18:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/06 17:17:39 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/06/06 17:09:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Donna Sanderson\Desktop\sue

========== Files - Modified Within 90 Days ==========

[2010/06/06 17:19:25 | 007,340,032 | -H-- | M] () -- C:\Documents and Settings\Donna Sanderson\NTUSER.DAT
[2010/06/06 17:17:47 | 000,000,771 | ---- | M] () -- C:\Documents and Settings\Donna Sanderson\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/06/06 17:17:40 | 000,000,615 | ---- | M] () -- C:\Documents and Settings\Donna Sanderson\Desktop\NTREGOPT.lnk
[2010/06/06 17:17:40 | 000,000,596 | ---- | M] () -- C:\Documents and Settings\Donna Sanderson\Desktop\ERUNT.lnk
[2010/06/06 17:09:11 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/06 17:08:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/06 17:08:27 | 535,351,296 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/06 17:07:09 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Donna Sanderson\ntuser.ini
[2010/06/06 16:11:43 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Donna Sanderson\Desktop\Microsoft Office Word 2007.lnk
[2010/06/06 15:21:29 | 000,000,442 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{695C0D22-D3C4-47F9-BB29-FDFEABC7A202}.job
[2010/06/06 15:09:58 | 000,403,768 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/06 14:14:42 | 000,000,937 | ---- | M] () -- C:\Documents and Settings\Donna Sanderson\Desktop\Spybot - Search & Destroy.lnk
[2010/06/06 12:34:27 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/30 12:54:27 | 000,005,666 | ---- | M] () -- C:\Documents and Settings\Donna Sanderson\My Documents\google_co_uk
[2010/05/26 21:43:25 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/26 21:15:40 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Meeting with Cumbria Partnership NHSFT.doc
[2010/05/26 21:02:17 | 000,013,042 | ---- | M] () -- C:\Documents and Settings\Donna Sanderson\Desktop\Meeting with Cumbria Partnership NHSFT.docx
[2010/04/25 11:41:21 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
[2010/03/29 12:53:55 | 000,445,238 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/29 12:53:55 | 000,072,756 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/29 12:53:54 | 000,525,770 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

========== Files Created - No Company Name ==========

[2010/06/06 17:17:47 | 000,000,771 | ---- | C] () -- C:\Documents and Settings\Donna Sanderson\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/06/06 17:17:40 | 000,000,615 | ---- | C] () -- C:\Documents and Settings\Donna Sanderson\Desktop\NTREGOPT.lnk
[2010/06/06 17:17:40 | 000,000,596 | ---- | C] () -- C:\Documents and Settings\Donna Sanderson\Desktop\ERUNT.lnk
[2010/06/06 14:14:42 | 000,000,937 | ---- | C] () -- C:\Documents and Settings\Donna Sanderson\Desktop\Spybot - Search & Destroy.lnk
[2010/05/30 12:54:24 | 000,005,666 | ---- | C] () -- C:\Documents and Settings\Donna Sanderson\My Documents\google_co_uk
[2010/05/26 21:15:38 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Meeting with Cumbria Partnership NHSFT.doc
[2010/05/26 21:02:16 | 000,013,042 | ---- | C] () -- C:\Documents and Settings\Donna Sanderson\Desktop\Meeting with Cumbria Partnership NHSFT.docx
[2010/04/25 11:41:21 | 000,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
[2008/09/10 20:45:15 | 000,159,744 | ---- | C] () -- C:\WINDOWS\socks_bot.dll____
[2008/02/06 22:51:45 | 000,000,022 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/02/06 22:40:15 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDE RX420EI.ini
[2008/02/04 20:29:51 | 000,159,744 | ---- | C] () -- C:\WINDOWS\socks_bot.dll___
[2008/02/04 20:29:51 | 000,159,744 | ---- | C] () -- C:\WINDOWS\socks_bot.dll__
[2008/02/04 20:29:51 | 000,159,744 | ---- | C] () -- C:\WINDOWS\socks_bot.dll
[2007/11/21 00:03:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\webica.ini
[2007/06/03 14:44:40 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A6W.INI
[2005/04/16 17:46:43 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/03/27 00:26:32 | 000,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI
[2003/09/23 19:07:49 | 000,000,147 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2003/07/23 19:16:22 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/04/03 17:44:42 | 000,000,072 | ---- | C] () -- C:\WINDOWS\AcrobatSetupStatus.ini
[2003/04/03 09:05:59 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/04/03 02:19:55 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\UnAudioNT.dll
[2003/04/03 02:16:32 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/04/02 15:56:03 | 000,002,704 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[1999/03/23 14:46:24 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL
[1999/01/22 11:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2008/12/02 15:16:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/02/06 23:07:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
[2007/11/21 00:11:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Donna Sanderson\Application Data\ICAClient
[2003/04/03 17:44:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Donna Sanderson\Application Data\InterTrust
[2003/07/23 21:44:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Donna Sanderson\Application Data\InterVideo
[2008/10/09 10:12:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Donna Sanderson\Application Data\Template
[2010/06/06 15:21:29 | 000,000,442 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{695C0D22-D3C4-47F9-BB29-FDFEABC7A202}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2003/04/03 02:08:59 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/02/26 13:30:46 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2003/04/03 02:08:59 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/06/06 17:08:27 | 535,351,296 | -HS- | M] () -- C:\hiberfil.sys
[2003/04/03 02:08:59 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/06/06 20:21:09 | 000,717,527 | ---- | M] () -- C:\log.log
[2003/04/03 02:08:59 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/02/25 15:38:59 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/10/09 12:03:25 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/06/06 20:22:39 | 533,630,976 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 05:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2003/04/02 17:59:11 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2003/04/02 17:59:11 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2003/04/02 17:59:11 | 000,393,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\user32.dll /md5 >
[2008/04/14 01:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll

< %systemroot%\system32\ws2_32.dll /md5 >
[2008/04/14 01:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:93BD75FD
< End of report >

OTL Extras logfile created on: 06/06/2010 20:23:39 - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\Donna Sanderson\Desktop\sue
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

510.00 Mb Total Physical Memory | 117.00 Mb Available Physical Memory | 23.00% Memory free
989.00 Mb Paging File | 387.00 Mb Available in Paging File | 39.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.63 Gb Total Space | 4.87 Gb Free Space | 26.16% Space Free | Partition Type: NTFS
Drive D: | 18.63 Gb Total Space | 18.61 Gb Free Space | 99.92% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-ZF9FR6OM66
Current User Name: Donna Sanderson
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"56053:TCP" = 56053:TCP:*:Enabled:PORT_56053
"25461:TCP" = 25461:TCP:*:Enabled:PORT_25461
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"52536:TCP" = 52536:TCP:*:Enabled:PORT_52536
"52846:TCP" = 52846:TCP:*:Enabled:PORT_52846
"21023:TCP" = 21023:TCP:*:Enabled:PORT_21023
"10198:TCP" = 10198:TCP:*:Enabled:PORT_10198
"32938:TCP" = 32938:TCP:*:Enabled:PORT_32938
"24442:TCP" = 24442:TCP:*:Enabled:PORT_24442
"31552:TCP" = 31552:TCP:*:Enabled:PORT_31552
"23561:TCP" = 23561:TCP:*:Enabled:PORT_23561
"17340:TCP" = 17340:TCP:*:Enabled:PORT_17340
"5576:TCP" = 5576:TCP:*:Enabled:PORT_5576
"9188:TCP" = 9188:TCP:*:Enabled:PORT_9188
"58006:TCP" = 58006:TCP:*:Enabled:PORT_58006
"22550:TCP" = 22550:TCP:*:Enabled:PORT_22550
"8431:TCP" = 8431:TCP:*:Enabled:PORT_8431
"57704:TCP" = 57704:TCP:*:Enabled:PORT_57704
"27019:TCP" = 27019:TCP:*:Enabled:PORT_27019
"57266:TCP" = 57266:TCP:*:Enabled:PORT_57266
"18982:TCP" = 18982:TCP:*:Enabled:PORT_18982
"56669:TCP" = 56669:TCP:*:Enabled:PORT_56669
"33632:TCP" = 33632:TCP:*:Enabled:PORT_33632
"35562:TCP" = 35562:TCP:*:Enabled:PORT_35562
"40786:TCP" = 40786:TCP:*:Enabled:PORT_40786
"10031:TCP" = 10031:TCP:*:Enabled:PORT_10031
"55158:TCP" = 55158:TCP:*:Enabled:PORT_55158
"59432:TCP" = 59432:TCP:*:Enabled:PORT_59432
"5963:TCP" = 5963:TCP:*:Enabled:PORT_5963
"36954:TCP" = 36954:TCP:*:Enabled:PORT_36954
"46173:TCP" = 46173:TCP:*:Enabled:PORT_46173
"22924:TCP" = 22924:TCP:*:Enabled:PORT_22924
"38712:TCP" = 38712:TCP:*:Enabled:PORT_38712
"46580:TCP" = 46580:TCP:*:Enabled:PORT_46580
"14184:TCP" = 14184:TCP:*:Enabled:PORT_14184
"39513:TCP" = 39513:TCP:*:Enabled:PORT_39513
"48983:TCP" = 48983:TCP:*:Enabled:PORT_48983
"52398:TCP" = 52398:TCP:*:Enabled:PORT_52398
"30280:TCP" = 30280:TCP:*:Enabled:PORT_30280
"59214:TCP" = 59214:TCP:*:Enabled:PORT_59214
"60388:TCP" = 60388:TCP:*:Enabled:PORT_60388
"17107:TCP" = 17107:TCP:*:Enabled:PORT_17107
"48170:TCP" = 48170:TCP:*:Enabled:PORT_48170
"10149:TCP" = 10149:TCP:*:Enabled:PORT_10149
"58661:TCP" = 58661:TCP:*:Enabled:PORT_58661
"36663:TCP" = 36663:TCP:*:Enabled:PORT_36663
"43840:TCP" = 43840:TCP:*:Enabled:PORT_43840
"29655:TCP" = 29655:TCP:*:Enabled:PORT_29655
"61661:TCP" = 61661:TCP:*:Enabled:PORT_61661
"63264:TCP" = 63264:TCP:*:Enabled:PORT_63264
"33463:TCP" = 33463:TCP:*:Enabled:PORT_33463
"57744:TCP" = 57744:TCP:*:Enabled:PORT_57744
"28257:TCP" = 28257:TCP:*:Enabled:PORT_28257
"17848:TCP" = 17848:TCP:*:Enabled:PORT_17848
"19901:TCP" = 19901:TCP:*:Enabled:PORT_19901
"52930:TCP" = 52930:TCP:*:Enabled:PORT_52930
"14139:TCP" = 14139:TCP:*:Enabled:PORT_14139
"16136:TCP" = 16136:TCP:*:Enabled:PORT_16136
"23415:TCP" = 23415:TCP:*:Enabled:PORT_23415
"40414:TCP" = 40414:TCP:*:Enabled:PORT_40414
"32514:TCP" = 32514:TCP:*:Enabled:PORT_32514
"27274:TCP" = 27274:TCP:*:Enabled:PORT_27274
"56692:TCP" = 56692:TCP:*:Enabled:PORT_56692
"30703:TCP" = 30703:TCP:*:Enabled:PORT_30703
"34654:TCP" = 34654:TCP:*:Enabled:PORT_34654
"24803:TCP" = 24803:TCP:*:Enabled:PORT_24803
"24850:TCP" = 24850:TCP:*:Enabled:PORT_24850
"20732:TCP" = 20732:TCP:*:Enabled:PORT_20732
"50495:TCP" = 50495:TCP:*:Enabled:PORT_50495
"36382:TCP" = 36382:TCP:*:Enabled:PORT_36382
"50266:TCP" = 50266:TCP:*:Enabled:PORT_50266
"41400:TCP" = 41400:TCP:*:Enabled:PORT_41400
"14246:TCP" = 14246:TCP:*:Enabled:PORT_14246
"49241:TCP" = 49241:TCP:*:Enabled:PORT_49241
"16218:TCP" = 16218:TCP:*:Enabled:PORT_16218

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Real\RealOne Player\realplay.exe" = C:\Program Files\Real\RealOne Player\realplay.exe:*:Enabled:RealOne Player -- (RealNetworks, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{06E73C0B-7DE7-4F41-860B-587033B75BD9}" = iPod Updater 2004-11-15
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{14C35072-D7D0-4B29-B5BF-C94E426D77E9}" = Sky Broadband
"{1D057E97-A116-4BF9-B307-83C3FBD86515}" = VAIO Clock Screen Saver
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2366D960-F00F-11D3-99D3-00C04FCCB775}" = VAIO System Information
"{3147661C-2807-49EC-B971-3B0F23D95018}" = VAIO DeepSea Wallpaper
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35B91753-5789-4517-9CF1-2CCE3A8CF4F1}" = Apple Mobile Device Support
"{3D9E0F32-83ED-4D59-B27F-EEA19744A51E}" = Fire Chief
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{4D1D6640-CD43-4AD9-A52F-E48265DB28E0}" = VAIO BrightColor Wallpaper
"{500D04BB-543A-49DF-A939-A67ABAA8238B}" = Hazard Perception Training 2002-2003
"{668B1BD6-4593-4959-970E-249AFFE6F35C}" = VOR
"{66C8BE35-8BBB-472B-96C7-C7C9A499F988}" = PhotoImpression 5
"{6990A2BF-D1D2-11D3-81BC-00609789C908}" = Sony DV Shared Library
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{7BD0A2D8-4EA0-43C6-BDF8-DDA87B8031C6}" = PIF DESIGNER2.1
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{874F0C23-7CA8-4639-9D77-E032E272A3FD}" = Emergency 2
"{8F4BB224-F0EB-433C-BF93-62AAB092D414}" = VAIO Nature Screen Saver
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD 4
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C93D4502-35D3-46D6-AEC8-BDF52A94D35A}" = web'n'walk Manager
"{C93D4502-35D3-46D6-AEC8-BDF52A94D35A}_x" = web'n'walk Manager
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
"{EF6C4600-306D-4F6A-A119-C2A877D25B4A}" = iTunes
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop Elements 2.0" = Adobe Photoshop Elements 2.0
"Adobe Premiere 6 LE" = Adobe Premiere 6 LE
"avast!" = avast! Antivirus
"CNXT_MODEM_PCI_VEN_1106&DEV_3068&SUBSYS_8143104D" = SoftK56 Data Fax
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ERUNT_is1" = ERUNT 1.1j
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{06E73C0B-7DE7-4F41-860B-587033B75BD9}" = iPod Updater 2004-11-15
"InstallShield_{668B1BD6-4593-4959-970E-249AFFE6F35C}" = VAIO Online Registration (English)
"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MouseSuite98" = Sony USB Mouse
"Network Play System (Patching)" = Network Play System (Patching)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"RealPlayer 6.0" = RealOne Player
"VIA Audio Driver Setup Program" = VIA Audio Driver Setup Program
"web'n'walk stick manager" = web'n'walk stick manager
"Windows XP Service Pack" = Windows XP Service Pack 3
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 09/10/2008 05:05:21 | Computer Name = YOUR-ZF9FR6OM66 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUME~1\DONNAS~1\LOCALS~1\TEMP\~DF6CF8.TMP failed, 00000005.

Error - 13/11/2009 19:07:59 | Computer Name = YOUR-ZF9FR6OM66 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Program Files\InstallShield Installation Information\{06E73C0B-7DE7-4F41-860B-587033B75BD9}\Setup.ilg
failed, 00000005.

Error - 13/11/2009 19:08:25 | Computer Name = YOUR-ZF9FR6OM66 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Program Files\InstallShield Installation Information\{874F0C23-7CA8-4639-9D77-E032E272A3FD}\setup.ilg
failed, 00000005.

Error - 13/11/2009 19:08:26 | Computer Name = YOUR-ZF9FR6OM66 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Program Files\InstallShield Installation Information\{BE20E2F5-1903-4AAE-B1AF-2046E586C925}\Setup.ilg
failed, 00000005.

[ Application Events ]
Error - 31/03/2010 05:33:00 | Computer Name = YOUR-ZF9FR6OM66 | Source = ESENT | ID = 489
Description = wuauclt (3960) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 31/03/2010 05:33:00 | Computer Name = YOUR-ZF9FR6OM66 | Source = ESENT | ID = 455
Description = wuaueng.dll (3960) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 04/04/2010 05:17:06 | Computer Name = YOUR-ZF9FR6OM66 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 04/04/2010 05:19:41 | Computer Name = YOUR-ZF9FR6OM66 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 04/04/2010 05:19:55 | Computer Name = YOUR-ZF9FR6OM66 | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 04/04/2010 05:21:57 | Computer Name = YOUR-ZF9FR6OM66 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 04/04/2010 05:22:02 | Computer Name = YOUR-ZF9FR6OM66 | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 04/04/2010 05:38:35 | Computer Name = YOUR-ZF9FR6OM66 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 01/05/2010 09:12:27 | Computer Name = YOUR-ZF9FR6OM66 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 01/05/2010 09:12:36 | Computer Name = YOUR-ZF9FR6OM66 | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

[ OSession Events ]
Error - 09/03/2008 17:48:31 | Computer Name = YOUR-ZF9FR6OM66 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 111
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 06/06/2010 09:03:36 | Computer Name = YOUR-ZF9FR6OM66 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 06/06/2010 12:04:52 | Computer Name = YOUR-ZF9FR6OM66 | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 06/06/2010 12:04:52 | Computer Name = YOUR-ZF9FR6OM66 | Source = Service Control Manager | ID = 7034
Description = The Bonjour Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 06/06/2010 12:04:52 | Computer Name = YOUR-ZF9FR6OM66 | Source = Service Control Manager | ID = 7034
Description = The GtDetectSc service terminated unexpectedly. It has done this
1 time(s).

Error - 06/06/2010 12:04:52 | Computer Name = YOUR-ZF9FR6OM66 | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Driver Helper Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 06/06/2010 12:04:52 | Computer Name = YOUR-ZF9FR6OM66 | Source = Service Control Manager | ID = 7034
Description = The NMSAccessU service terminated unexpectedly. It has done this
1 time(s).

Error - 06/06/2010 12:04:56 | Computer Name = YOUR-ZF9FR6OM66 | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 06/06/2010 12:10:54 | Computer Name = YOUR-ZF9FR6OM66 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the avast! Web Scanner service
to connect.

Error - 06/06/2010 12:10:54 | Computer Name = YOUR-ZF9FR6OM66 | Source = Service Control Manager | ID = 7000
Description = The avast! Web Scanner service failed to start due to the following
error: %%1053

Error - 06/06/2010 12:11:38 | Computer Name = YOUR-ZF9FR6OM66 | Source = Service Control Manager | ID = 7034
Description = The avast! Web Scanner service terminated unexpectedly. It has done
this 1 time(s).


< End of report >

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-06 20:20:18
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\DONNAS~1\LOCALS~1\Temp\kwxdyuob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF68726B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF6872574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF6872A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF687214C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF687264E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF687208C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF68720F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF687276E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF687272E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF68728AE]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1404] WININET.dll!InternetCreateUrlA 3D94F328 5 Bytes JMP 03F626F1 C:\WINDOWS\socks_bot.dll
.text C:\WINDOWS\Explorer.EXE[1404] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 03F627F1 C:\WINDOWS\socks_bot.dll
.text C:\WINDOWS\Explorer.EXE[1404] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 03F62774 C:\WINDOWS\socks_bot.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2060] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2060] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2060] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2060] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2060] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2060] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2060] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2060] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2060] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] WININET.dll!InternetCreateUrlA 3D94F328 5 Bytes JMP 03E926F1 C:\WINDOWS\socks_bot.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 03E927F1 C:\WINDOWS\socks_bot.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2604] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 03E92774 C:\WINDOWS\socks_bot.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\prodrv06 \Device\ProDrv06 E1A45458
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 prosync1.sys (StarForce Protection Synchronization Driver/StarForce Technologies, Inc.)
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/StarForce Technologies, Inc.)
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/StarForce Technologies, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e prosync1.sys (StarForce Protection Synchronization Driver/StarForce Technologies, Inc.)
Device \Driver\prohlp02 \Device\ProHlp02 E1013C98

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

Edited by Rorschach112, 06 June 2010 - 02:05 PM.

  • 0
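A note on reading the GMER report above, with an added example (written for this page; it is not code from the thread, from GMER, or from any tool named here). Each user-mode hook line in the .text section names the process, the hooked import and the module that receives the JMP. IEFRAME.dll redirecting USER32 dialog functions inside iexplore.exe is normal Internet Explorer behaviour, but the three WININET.dll hooks (InternetCreateUrlA, HttpSendRequestA/W) jump into C:\WINDOWS\socks_bot.dll, a module outside system32 with no vendor annotation, which is exactly the DLL the OTL fix in the next post targets. The script parses such lines and groups suspicious hooks by the module that receives them; the list of expected directories is an assumption made for this example.

```python
import re
from collections import defaultdict

# Regex for one user-mode hook line in a GMER 1.0.15 report, e.g.
# .text C:\...\iexplore.exe[2604] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 03E927F1 C:\WINDOWS\socks_bot.dll
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"JMP\s+(?P<target>[0-9A-Fa-f]+)\s+"
    r"(?P<target_module>\S+)"
    r"(?:\s+\((?P<vendor>[^)]*)\))?\s*$"
)

# Directories in which a module that legitimately hooks IE's imports is
# expected to live on this Windows XP system (assumption for this example).
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\program files")

# Constructed sample: five hook lines copied from the GMER report above.
SAMPLE_GMER = [
    r".text C:\Program Files\Internet Explorer\iexplore.exe[2604] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[2604] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[2604] WININET.dll!InternetCreateUrlA 3D94F328 5 Bytes JMP 03E926F1 C:\WINDOWS\socks_bot.dll",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[2604] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 03E927F1 C:\WINDOWS\socks_bot.dll",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[2604] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 03E92774 C:\WINDOWS\socks_bot.dll",
]


def parse_hook(line):
    """Parse one .text hook line into a dict, or return None for any other line."""
    m = HOOK_RE.match(line.strip())
    if m is None:
        return None
    hook = m.groupdict()
    hook["pid"] = int(hook["pid"])
    hook["nbytes"] = int(hook["nbytes"])
    return hook


def is_suspicious(hook):
    """A hook is worth a closer look when GMER printed no vendor for the
    receiving module, or when that module lives outside the expected directories."""
    target = hook["target_module"].lower()
    in_expected_dir = any(target.startswith(d + "\\") for d in EXPECTED_DIRS)
    return hook["vendor"] is None or not in_expected_dir


def triage(lines):
    """Return {target_module: [(exe, pid, 'module!function'), ...]} for suspicious hooks only."""
    findings = defaultdict(list)
    for line in lines:
        hook = parse_hook(line)
        if hook is None or not is_suspicious(hook):
            continue
        exe = hook["process"].rsplit("\\", 1)[-1]
        findings[hook["target_module"]].append(
            (exe, hook["pid"], f'{hook["module"]}!{hook["func"]}')
        )
    return dict(findings)


if __name__ == "__main__":
    for module, hooks in triage(SAMPLE_GMER).items():
        print(f"{module}: {len(hooks)} suspicious hook(s)")
        for exe, pid, api in hooks:
            print(f"  {exe}[{pid}] {api}")
```

Run against the sample, only socks_bot.dll is reported, with the three WININET request and URL functions it intercepts; the IEFRAME.dll hooks are filtered out because they carry a vendor annotation and live in system32. Hooks on the HTTP send path are the pattern a proxy/SOCKS bot needs to see and modify web traffic, which is why that single module deserves the attention the thread gives it.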

#4
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"

    :Services
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    SRV - File not found [On_Demand | Stopped] -- -- (gusvc)
    O2 - BHO: (no name) - {D939265F-B992-4B69-AD8B-4E3325BD051F} - C:\WINDOWS\socks_bot.dll ()
    O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
    O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
    O15 - HKCU\..Trusted Domains: sony-europe.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: sonystyle-europe.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: vaio-link.com ([]* in Trusted sites)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    [2008/09/10 20:45:15 | 000,159,744 | ---- | C] () -- C:\WINDOWS\socks_bot.dll____
    [2008/02/04 20:29:51 | 000,159,744 | ---- | C] () -- C:\WINDOWS\socks_bot.dll___
    [2008/02/04 20:29:51 | 000,159,744 | ---- | C] () -- C:\WINDOWS\socks_bot.dll__
    [2008/02/04 20:29:51 | 000,159,744 | ---- | C] () -- C:\WINDOWS\socks_bot.dll
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [start explorer]
    [Reboot]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
  • 0

#5
suemc

suemc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Thank you very much,
at the moment it seems to have gone
I will attach the combofix log
I have yet to reboot and check that it doesn't reoccur
I don't know what I would have done without you :) :)
  • 0

#6
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
We still have some work to do. Please post the ComboFix log.

Absence of symptoms does not mean that you're not still infected.
  • 0

#7
suemc

suemc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Sorry, I attached the log as an attachment, but here it is below

ComboFix 10-06-07.01 - Donna Sanderson 07/06/2010 19:44:23.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.510.193 [GMT 1:00]
Running from: c:\documents and settings\Donna Sanderson\Desktop\sue\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100607-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-06-07 17:41 . 2010-06-07 17:41 -------- d-----w- C:\_OTL
2010-06-06 16:17 . 2010-06-06 16:17 -------- d-----w- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 13:18 . 2008-09-18 12:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-06 13:16 . 2008-09-18 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-06 13:03 . 2007-10-05 20:23 -------- d-----w- c:\program files\Sky Broadband
2010-05-26 20:44 . 2008-03-05 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-10 06:15 . 2003-04-02 14:55 420352 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-10 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-02-27 114688]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-15 45056]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"nwiz"="nwiz.exe" [2002-11-08 372736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Donna Sanderson\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-4-3 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
web'n'walk Manager.lnk - c:\program files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe [2008-11-11 1463296]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56053:TCP"= 56053:TCP:PORT_56053
"25461:TCP"= 25461:TCP:PORT_25461
"52536:TCP"= 52536:TCP:PORT_52536
"52846:TCP"= 52846:TCP:PORT_52846
"21023:TCP"= 21023:TCP:PORT_21023
"10198:TCP"= 10198:TCP:PORT_10198
"32938:TCP"= 32938:TCP:PORT_32938
"24442:TCP"= 24442:TCP:PORT_24442
"31552:TCP"= 31552:TCP:PORT_31552
"23561:TCP"= 23561:TCP:PORT_23561
"17340:TCP"= 17340:TCP:PORT_17340
"5576:TCP"= 5576:TCP:PORT_5576
"9188:TCP"= 9188:TCP:PORT_9188
"58006:TCP"= 58006:TCP:PORT_58006
"22550:TCP"= 22550:TCP:PORT_22550
"8431:TCP"= 8431:TCP:PORT_8431
"57704:TCP"= 57704:TCP:PORT_57704
"27019:TCP"= 27019:TCP:PORT_27019
"57266:TCP"= 57266:TCP:PORT_57266
"18982:TCP"= 18982:TCP:PORT_18982
"56669:TCP"= 56669:TCP:PORT_56669
"33632:TCP"= 33632:TCP:PORT_33632
"35562:TCP"= 35562:TCP:PORT_35562
"40786:TCP"= 40786:TCP:PORT_40786
"10031:TCP"= 10031:TCP:PORT_10031
"55158:TCP"= 55158:TCP:PORT_55158
"59432:TCP"= 59432:TCP:PORT_59432
"5963:TCP"= 5963:TCP:PORT_5963
"36954:TCP"= 36954:TCP:PORT_36954
"46173:TCP"= 46173:TCP:PORT_46173
"22924:TCP"= 22924:TCP:PORT_22924
"38712:TCP"= 38712:TCP:PORT_38712
"46580:TCP"= 46580:TCP:PORT_46580
"14184:TCP"= 14184:TCP:PORT_14184
"39513:TCP"= 39513:TCP:PORT_39513
"48983:TCP"= 48983:TCP:PORT_48983
"52398:TCP"= 52398:TCP:PORT_52398
"30280:TCP"= 30280:TCP:PORT_30280
"59214:TCP"= 59214:TCP:PORT_59214
"60388:TCP"= 60388:TCP:PORT_60388
"17107:TCP"= 17107:TCP:PORT_17107
"48170:TCP"= 48170:TCP:PORT_48170
"10149:TCP"= 10149:TCP:PORT_10149
"58661:TCP"= 58661:TCP:PORT_58661
"36663:TCP"= 36663:TCP:PORT_36663
"43840:TCP"= 43840:TCP:PORT_43840
"29655:TCP"= 29655:TCP:PORT_29655
"61661:TCP"= 61661:TCP:PORT_61661
"63264:TCP"= 63264:TCP:PORT_63264
"33463:TCP"= 33463:TCP:PORT_33463
"57744:TCP"= 57744:TCP:PORT_57744
"28257:TCP"= 28257:TCP:PORT_28257
"17848:TCP"= 17848:TCP:PORT_17848
"19901:TCP"= 19901:TCP:PORT_19901
"52930:TCP"= 52930:TCP:PORT_52930
"14139:TCP"= 14139:TCP:PORT_14139
"16136:TCP"= 16136:TCP:PORT_16136
"23415:TCP"= 23415:TCP:PORT_23415
"40414:TCP"= 40414:TCP:PORT_40414
"32514:TCP"= 32514:TCP:PORT_32514
"27274:TCP"= 27274:TCP:PORT_27274
"56692:TCP"= 56692:TCP:PORT_56692
"30703:TCP"= 30703:TCP:PORT_30703
"34654:TCP"= 34654:TCP:PORT_34654
"24803:TCP"= 24803:TCP:PORT_24803
"24850:TCP"= 24850:TCP:PORT_24850
"20732:TCP"= 20732:TCP:PORT_20732
"50495:TCP"= 50495:TCP:PORT_50495
"36382:TCP"= 36382:TCP:PORT_36382
"50266:TCP"= 50266:TCP:PORT_50266
"41400:TCP"= 41400:TCP:PORT_41400
"14246:TCP"= 14246:TCP:PORT_14246
"49241:TCP"= 49241:TCP:PORT_49241
"16218:TCP"= 16218:TCP:PORT_16218

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [18/09/2008 15:15 114768]
R1 GtTdiFltr;GtTdiFltr;c:\windows\system32\drivers\GtTdiFltr.sys [08/02/2008 16:39 4864]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18/09/2008 15:15 20560]
R2 GtDetectSc;GtDetectSc;c:\program files\T-Mobile\web'n'walk Manager\GtDetectSc.exe [30/04/2008 17:52 200704]
R3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [07/11/2008 12:57 62592]
R3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [07/11/2008 12:58 105984]
R3 GTUHSOMS;GT UHS OMS;c:\windows\system32\drivers\gtuhsoms.sys [07/11/2008 13:01 20352]
R3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [07/11/2008 13:03 8064]
R3 HSFHWVIA;HSFHWVIA;c:\windows\system32\drivers\HSFHWVIA.sys [03/04/2003 02:48 159488]
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2010-06-07 c:\windows\Tasks\User_Feed_Synchronization-{695C0D22-D3C4-47F9-BB29-FDFEABC7A202}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm080YYGB&fl=0&ptb=t6gyXHhMvj_1hd2fXFqG.A&url=http://www.uk.ask.com/web&q={searchTerms}&l=zu&o=sb
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 19:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2172)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-06-07 19:53:40
ComboFix-quarantined-files.txt 2010-06-07 18:53
ComboFix2.txt 2010-06-07 18:30

Pre-Run: 5,026,263,040 bytes free
Post-Run: 4,984,582,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - F2B50B3DF79B24B5ADE41097E3DEB527
  • 0

#8
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
You have quite a few ports open. Did you enable these ports?
  • 0
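For anyone reading the ComboFix log the way SweetTech does here, an added example (written for this page; it is not code from the thread or from ComboFix). The GloballyOpenPorts\List key holds the XP firewall's port exceptions, and every entry in this log is a high-numbered TCP port whose display name is simply PORT_<number>. A list like that is created programmatically, not by a user opening a port for one program, which is what makes it a question worth asking. The script pulls that section out of a ComboFix log, flags the auto-named entries, and builds the Registry:: block in the "name"=- delete syntax that the CFScript later in this thread uses. The sample is constructed from lines of the log above plus one hand-written entry with a descriptive name, and the "at most N exceptions expected" threshold is an assumption.

```python
import re

# Registry key under which ComboFix lists XP firewall port exceptions (from the log above).
FIREWALL_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List"

# One exception as ComboFix prints it:  "56053:TCP"= 56053:TCP:PORT_56053
ENTRY_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P<value>\S.*)$')

# Constructed sample: a neighbouring section, the GloballyOpenPorts section with
# four entries taken from the log above, one hand-written entry that carries a
# descriptive name, and an unrelated line that follows the section.
SAMPLE_LOG = [
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]",
    r'"c:\\Program Files\\iTunes\\iTunes.exe"=',
    "",
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]",
    '"56053:TCP"= 56053:TCP:PORT_56053',
    '"25461:TCP"= 25461:TCP:PORT_25461',
    '"5576:TCP"= 5576:TCP:PORT_5576',
    '"16218:TCP"= 16218:TCP:PORT_16218',
    '"139:TCP"= 139:TCP:File and Printer Sharing',   # constructed, benign-looking entry
    "",
    r"R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys",
]


def parse_open_ports(log_lines):
    """Return [(port, proto, value)] for the GloballyOpenPorts section of a ComboFix log."""
    entries, in_section = [], False
    for raw in log_lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # A [key] header starts a new section; only the open-ports list interests us.
            in_section = line[1:-1].lower().endswith(r"globallyopenports\list")
            continue
        if in_section and not line:        # a blank line ends the section
            in_section = False
        elif in_section:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((int(m["port"]), m["proto"], m["value"]))
    return entries


def has_generic_name(port, value):
    """True when the exception's display name is just PORT_<port>, i.e. nobody named it."""
    return value.rsplit(":", 1)[-1].strip().upper() == f"PORT_{port}"


def audit(entries, max_expected=10):
    """Flag auto-named entries and an implausibly long exception list (threshold is an assumption)."""
    generic = [e for e in entries if has_generic_name(e[0], e[2])]
    return {
        "total": len(entries),
        "generic_named": generic,
        "too_many": len(entries) > max_expected,
    }


def make_cfscript(entries):
    """Build the ComboFix Registry:: block that deletes each listed exception ("name"=-)."""
    lines = ["Registry::", f"[{FIREWALL_KEY}]"]
    lines += [f'"{port}:{proto}"=-' for port, proto, _ in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_LOG)
    report = audit(found)
    print(f"{report['total']} exception(s), {len(report['generic_named'])} auto-named")
    print(make_cfscript(report["generic_named"]))
```

On the sample, the four PORT_<n> entries are flagged and turned into delete lines, while the descriptively named exception is left alone so a reviewer can decide on it separately. Run over the full log above the script would emit all 73 entries, matching the CFScript SweetTech posts below.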

#9
suemc

suemc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I don't know, don't think I did
  • 0

#10
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Locating ComboFix Log
  • Right click on START on the left end of your Windows toolbar (lower left corner of your screen)
  • Click on Explore
  • Click on Local Disk (C:) in the left-hand window pane
  • Click on Qoobox in the left-hand window pane
  • Look for ComboFix2.txt in the right-hand window pane and right click on it
  • Put your cursor (arrow) on Open With
  • Move your cursor to the new menu that opens and click on Choose Program...
  • Click on Notepad

When file opens, Copy/Paste text here.
  • 0

#11
suemc

suemc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts

Locating ComboFix Log

  • Right click on START on the left end of your Windows toolbar (lower left corner of your screen)
  • Click on Explore
  • Click on Local Disk (C:) in the left-hand window pane
  • Click on Qoobox in the left-hand window pane
  • Look for ComboFix2.txt in the right-hand window pane and right click on it
  • Put your cursor (arrow) on Open With
  • Move your cursor to the new menu that opens and click on Choose Program...
  • Click on Notepad
ComboFix 10-06-07.01 - Donna Sanderson 07/06/2010 19:11:42.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.510.277 [GMT 1:00]
Running from: c:\documents and settings\Donna Sanderson\Desktop\sue\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100607-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-06-07 17:41 . 2010-06-07 17:41 -------- d-----w- C:\_OTL
2010-06-06 16:17 . 2010-06-06 16:17 -------- d-----w- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 13:18 . 2008-09-18 12:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-06 13:16 . 2008-09-18 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-06 13:03 . 2007-10-05 20:23 -------- d-----w- c:\program files\Sky Broadband
2010-05-26 20:44 . 2008-03-05 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-10 06:15 . 2003-04-02 14:55 420352 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-10 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-02-27 114688]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-15 45056]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"nwiz"="nwiz.exe" [2002-11-08 372736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Donna Sanderson\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-4-3 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
web'n'walk Manager.lnk - c:\program files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe [2008-11-11 1463296]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56053:TCP"= 56053:TCP:PORT_56053
"25461:TCP"= 25461:TCP:PORT_25461
"52536:TCP"= 52536:TCP:PORT_52536
"52846:TCP"= 52846:TCP:PORT_52846
"21023:TCP"= 21023:TCP:PORT_21023
"10198:TCP"= 10198:TCP:PORT_10198
"32938:TCP"= 32938:TCP:PORT_32938
"24442:TCP"= 24442:TCP:PORT_24442
"31552:TCP"= 31552:TCP:PORT_31552
"23561:TCP"= 23561:TCP:PORT_23561
"17340:TCP"= 17340:TCP:PORT_17340
"5576:TCP"= 5576:TCP:PORT_5576
"9188:TCP"= 9188:TCP:PORT_9188
"58006:TCP"= 58006:TCP:PORT_58006
"22550:TCP"= 22550:TCP:PORT_22550
"8431:TCP"= 8431:TCP:PORT_8431
"57704:TCP"= 57704:TCP:PORT_57704
"27019:TCP"= 27019:TCP:PORT_27019
"57266:TCP"= 57266:TCP:PORT_57266
"18982:TCP"= 18982:TCP:PORT_18982
"56669:TCP"= 56669:TCP:PORT_56669
"33632:TCP"= 33632:TCP:PORT_33632
"35562:TCP"= 35562:TCP:PORT_35562
"40786:TCP"= 40786:TCP:PORT_40786
"10031:TCP"= 10031:TCP:PORT_10031
"55158:TCP"= 55158:TCP:PORT_55158
"59432:TCP"= 59432:TCP:PORT_59432
"5963:TCP"= 5963:TCP:PORT_5963
"36954:TCP"= 36954:TCP:PORT_36954
"46173:TCP"= 46173:TCP:PORT_46173
"22924:TCP"= 22924:TCP:PORT_22924
"38712:TCP"= 38712:TCP:PORT_38712
"46580:TCP"= 46580:TCP:PORT_46580
"14184:TCP"= 14184:TCP:PORT_14184
"39513:TCP"= 39513:TCP:PORT_39513
"48983:TCP"= 48983:TCP:PORT_48983
"52398:TCP"= 52398:TCP:PORT_52398
"30280:TCP"= 30280:TCP:PORT_30280
"59214:TCP"= 59214:TCP:PORT_59214
"60388:TCP"= 60388:TCP:PORT_60388
"17107:TCP"= 17107:TCP:PORT_17107
"48170:TCP"= 48170:TCP:PORT_48170
"10149:TCP"= 10149:TCP:PORT_10149
"58661:TCP"= 58661:TCP:PORT_58661
"36663:TCP"= 36663:TCP:PORT_36663
"43840:TCP"= 43840:TCP:PORT_43840
"29655:TCP"= 29655:TCP:PORT_29655
"61661:TCP"= 61661:TCP:PORT_61661
"63264:TCP"= 63264:TCP:PORT_63264
"33463:TCP"= 33463:TCP:PORT_33463
"57744:TCP"= 57744:TCP:PORT_57744
"28257:TCP"= 28257:TCP:PORT_28257
"17848:TCP"= 17848:TCP:PORT_17848
"19901:TCP"= 19901:TCP:PORT_19901
"52930:TCP"= 52930:TCP:PORT_52930
"14139:TCP"= 14139:TCP:PORT_14139
"16136:TCP"= 16136:TCP:PORT_16136
"23415:TCP"= 23415:TCP:PORT_23415
"40414:TCP"= 40414:TCP:PORT_40414
"32514:TCP"= 32514:TCP:PORT_32514
"27274:TCP"= 27274:TCP:PORT_27274
"56692:TCP"= 56692:TCP:PORT_56692
"30703:TCP"= 30703:TCP:PORT_30703
"34654:TCP"= 34654:TCP:PORT_34654
"24803:TCP"= 24803:TCP:PORT_24803
"24850:TCP"= 24850:TCP:PORT_24850
"20732:TCP"= 20732:TCP:PORT_20732
"50495:TCP"= 50495:TCP:PORT_50495
"36382:TCP"= 36382:TCP:PORT_36382
"50266:TCP"= 50266:TCP:PORT_50266
"41400:TCP"= 41400:TCP:PORT_41400
"14246:TCP"= 14246:TCP:PORT_14246
"49241:TCP"= 49241:TCP:PORT_49241
"16218:TCP"= 16218:TCP:PORT_16218

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [18/09/2008 15:15 114768]
R1 GtTdiFltr;GtTdiFltr;c:\windows\system32\drivers\GtTdiFltr.sys [08/02/2008 16:39 4864]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18/09/2008 15:15 20560]
R2 GtDetectSc;GtDetectSc;c:\program files\T-Mobile\web'n'walk Manager\GtDetectSc.exe [30/04/2008 17:52 200704]
R3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [07/11/2008 12:57 62592]
R3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [07/11/2008 12:58 105984]
R3 GTUHSOMS;GT UHS OMS;c:\windows\system32\drivers\gtuhsoms.sys [07/11/2008 13:01 20352]
R3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [07/11/2008 13:03 8064]
R3 HSFHWVIA;HSFHWVIA;c:\windows\system32\drivers\HSFHWVIA.sys [03/04/2003 02:48 159488]
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2010-06-07 c:\windows\Tasks\User_Feed_Synchronization-{695C0D22-D3C4-47F9-BB29-FDFEABC7A202}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm080YYGB&fl=0&ptb=t6gyXHhMvj_1hd2fXFqG.A&url=http://www.uk.ask.com/web&q={searchTerms}&l=zu&o=sb
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 19:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2964)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\System32\nvsvc32.exe
c:\windows\system32\ICO.EXE
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Apoint\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\T-Mobile\web'n'walk Manager\bmctl.exe
.
**************************************************************************
.
Completion time: 2010-06-07 19:30:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-07 18:30

Pre-Run: 5,184,786,432 bytes free
Post-Run: 5,041,164,288 bytes free

- - End Of File - - 7585B7E6B318E06DC74C5A0706EB52F0



When file opens, Copy/Paste text here.


  • 0

#12
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

I'm going to close all of the open ports on your computer.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56053:TCP"=-
"25461:TCP"=-
"52536:TCP"=-
"52846:TCP"=-
"21023:TCP"=-
"10198:TCP"=-
"32938:TCP"=-
"24442:TCP"=-
"31552:TCP"=-
"23561:TCP"=-
"17340:TCP"=-
"5576:TCP"=-
"9188:TCP"=-
"58006:TCP"=-
"22550:TCP"=-
"8431:TCP"=-
"57704:TCP"=-
"27019:TCP"=-
"57266:TCP"=-
"18982:TCP"=-
"56669:TCP"=-
"33632:TCP"=-
"35562:TCP"=-
"40786:TCP"=-
"10031:TCP"=-
"55158:TCP"=-
"59432:TCP"=-
"5963:TCP"=-
"36954:TCP"=-
"46173:TCP"=-
"22924:TCP"=-
"38712:TCP"=-
"46580:TCP"=-
"14184:TCP"=-
"39513:TCP"=-
"48983:TCP"=-
"52398:TCP"=-
"30280:TCP"=-
"59214:TCP"=-
"60388:TCP"=-
"17107:TCP"=-
"48170:TCP"=-
"10149:TCP"=-
"58661:TCP"=-
"36663:TCP"=-
"43840:TCP"=-
"29655:TCP"=-
"61661:TCP"=-
"63264:TCP"=-
"33463:TCP"=-
"57744:TCP"=-
"28257:TCP"=-
"17848:TCP"=-
"19901:TCP"=-
"52930:TCP"=-
"14139:TCP"=-
"16136:TCP"=-
"23415:TCP"=-
"40414:TCP"=-
"32514:TCP"=-
"27274:TCP"=-
"56692:TCP"=-
"30703:TCP"=-
"34654:TCP"=-
"24803:TCP"=-
"24850:TCP"=-
"20732:TCP"=-
"50495:TCP"=-
"36382:TCP"=-
"50266:TCP"=-
"41400:TCP"=-
"14246:TCP"=-
"49241:TCP"=-
"16218:TCP"=-

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



Scanning with MalwareBytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following bolded text into the Posted Image textbox.


    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /180

  • Push Posted Image
  • A report will open. Copy and Paste that report in your next reply.



NEXT:


Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. The log that was produced after running the ComboFix scan.
3. The log that was produced after running the updated MalwareBytes' Anti-Malware scan.
4. The log that was produced after running the ESET Online Virus Scanner.
5. The log that was produced after running the OTL scan.
6. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Cheers,
SweetTech.
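The CFScript above ends with a run of `"NNNNN:TCP"=-` lines; in REGEDIT4 syntax `"name"=-` deletes that value from the key it sits under, so ComboFix is being told to strip a list of firewall port openings one value at a time. The following Python script is an added example, not code from the thread, from ComboFix or from OTL: it parses a REGEDIT4-style export of the XP firewall policy keys, applies simple heuristics to both the GloballyOpenPorts list and the AuthorizedApplications list (the second list appears in the ComboFix log below, so the example goes a little beyond the port entries the script deletes), and prints CFScript deletion lines for entries that look planted. The sample export, the key paths, the list of Windows-registered ports and the trusted program locations are all constructed assumptions for illustration.

```python
"""Added example (not from the thread, ComboFix or OTL): turn an XP firewall
policy export into CFScript deletion lines for entries that look planted.

In REGEDIT4/.reg syntax, "name"=- under a [key] deletes that value, which is
what the "NNNNN:TCP"=- lines in the CFScript above do.
"""
import re

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Assumptions for illustration: ports XP itself registers (File and Printer
# Sharing, Remote Desktop) and the places a legitimately authorized program
# normally lives.
KNOWN_PORTS = {"137:UDP", "138:UDP", "139:TCP", "445:TCP", "3389:TCP"}
TRUSTED_APP_PREFIXES = ("%windir%\\", "%systemroot%\\", "%programfiles%\\",
                        "c:\\windows\\", "c:\\program files\\")

# Constructed sample export (not the poster's machine): two Windows-owned
# ports, three random high ports opened "for lsass" by something else, and
# an authorized application running out of a temp folder.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"14139:TCP"="14139:TCP:*:Enabled:lsass"
"16136:TCP"="16136:TCP:*:Enabled:lsass"
"23415:TCP"="23415:TCP:*:Enabled:lsass"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe:*:Enabled:svchost"
'''


def parse_reg(text):
    """Return {key_path: {value_name: data}} from a REGEDIT4-style dump.
    Quoted string data loses its surrounding quotes; other data (dword:, hex:,
    or the deletion marker '-') is kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data").strip()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]
            keys[current][m.group("name")] = data
    return keys


def port_entry_is_suspicious(name, data):
    """GloballyOpenPorts values look like "port:proto"="port:proto:scope:state:description".
    Flag an entry unless Windows registered it or it is a well-known service port."""
    if name.upper() in KNOWN_PORTS:
        return False
    fields = data.split(":", 4)
    if len(fields) < 5:
        return True                       # malformed: not something the firewall UI writes
    port, proto, scope, _state, desc = fields
    if f"{port}:{proto}".upper() != name.upper():
        return True                       # value name and data disagree
    if desc.startswith("@"):
        return False                      # localized resource string: a Windows component
    if not port.isdigit():
        return True
    # Any-scope opening of a high port with a hand-written description is the
    # pattern worms leave behind when they punch holes for their listener.
    return scope == "*" and int(port) >= 1024


def app_entry_is_suspicious(name):
    """AuthorizedApplications values are keyed by the executable path (backslashes
    doubled in .reg syntax). Flag paths outside the usual program locations."""
    path = name.replace("\\\\", "\\").lower()
    return not path.startswith(TRUSTED_APP_PREFIXES)


def cfscript_deletions(reg_text):
    """Emit "name"=- lines for every flagged value; paste them under the same
    [key] headers in a CFScript to have ComboFix remove them."""
    out = []
    for key, values in parse_reg(reg_text).items():
        low = key.lower()
        if low.endswith("\\globallyopenports\\list"):
            flagged = port_entry_is_suspicious
        elif low.endswith("\\authorizedapplications\\list"):
            flagged = lambda n, d: app_entry_is_suspicious(n)
        else:
            continue
        out.extend(f'"{name}"=-' for name, data in values.items() if flagged(name, data))
    return out


if __name__ == "__main__":
    print("\n".join(cfscript_deletions(SAMPLE_REG)))
```

Run against the sample it prints the three `lsass` port entries and the temp-folder executable as `"..."=-` lines, ready to paste under the matching `[HKEY_LOCAL_MACHINE\...\List]` header. The heuristics are deliberately conservative (a LocalSubNet-scoped port with a plain description is left alone), because a CFScript deletion is applied without confirmation; anything the script flags still deserves a look at the ComboFix log before it goes into the script.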

#13
suemc

    Member

  • Topic Starter
  • Member
  • 14 posts
1. Hello, I have done all you asked but couldn't access the ESET scanner; all that appeared when I clicked Start was a blue screen with a cross at the top left, even though I agreed to the downloads from that site.

2. ComboFix 10-06-07.04 - Donna Sanderson 08/06/2010 19:27:53.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.510.253 [GMT 1:00]
Running from: c:\documents and settings\Donna Sanderson\Desktop\sue\ComboFix.exe
Command switches used :: c:\documents and settings\Donna Sanderson\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100608-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-05-08 to 2010-06-08 )))))))))))))))))))))))))))))))
.

2010-06-07 17:41 . 2010-06-07 17:41 -------- d-----w- C:\_OTL
2010-06-06 16:17 . 2010-06-06 16:17 -------- d-----w- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 13:18 . 2008-09-18 12:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-06 13:16 . 2008-09-18 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-06 13:03 . 2007-10-05 20:23 -------- d-----w- c:\program files\Sky Broadband
2010-05-26 20:44 . 2008-03-05 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-10 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-02-27 114688]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-15 45056]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"nwiz"="nwiz.exe" [2002-11-08 372736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Donna Sanderson\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-4-3 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
web'n'walk Manager.lnk - c:\program files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe [2008-11-11 1463296]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [18/09/2008 15:15 114768]
R1 GtTdiFltr;GtTdiFltr;c:\windows\system32\drivers\GtTdiFltr.sys [08/02/2008 16:39 4864]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18/09/2008 15:15 20560]
R2 GtDetectSc;GtDetectSc;c:\program files\T-Mobile\web'n'walk Manager\GtDetectSc.exe [30/04/2008 17:52 200704]
R3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [07/11/2008 12:57 62592]
R3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [07/11/2008 12:58 105984]
R3 GTUHSOMS;GT UHS OMS;c:\windows\system32\drivers\gtuhsoms.sys [07/11/2008 13:01 20352]
R3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [07/11/2008 13:03 8064]
R3 HSFHWVIA;HSFHWVIA;c:\windows\system32\drivers\HSFHWVIA.sys [03/04/2003 02:48 159488]
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2010-06-08 c:\windows\Tasks\User_Feed_Synchronization-{695C0D22-D3C4-47F9-BB29-FDFEABC7A202}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm080YYGB&fl=0&ptb=t6gyXHhMvj_1hd2fXFqG.A&url=http://www.uk.ask.com/web&q={searchTerms}&l=zu&o=sb
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-08 19:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(416)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ICO.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Apoint\Apntex.exe
c:\program files\T-Mobile\web'n'walk Manager\bmctl.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-06-08 19:48:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-08 18:48
ComboFix2.txt 2010-06-07 18:53
ComboFix3.txt 2010-06-07 18:30

Pre-Run: 4,881,338,368 bytes free
Post-Run: 4,844,646,400 bytes free

- - End Of File - - CB40A9BC6B11FEF2041811A40D6B1D0C


3. Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4180

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/06/2010 21:42:26
mbam-log-2010-06-08 (21-42-26).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 245243
Time elapsed: 1 hour(s), 42 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

4. Couldn't access the scanner.


5. OTL logfile created on: 08/06/2010 22:10:04 - Run 2
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\Donna Sanderson\Desktop\sue
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

510.00 Mb Total Physical Memory | 111.00 Mb Available Physical Memory | 22.00% Memory free
864.00 Mb Paging File | 340.00 Mb Available in Paging File | 39.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.63 Gb Total Space | 4.35 Gb Free Space | 23.36% Space Free | Partition Type: NTFS
Drive D: | 18.63 Gb Total Space | 18.61 Gb Free Space | 99.92% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-ZF9FR6OM66
Current User Name: Donna Sanderson
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/06 20:21:25 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Donna Sanderson\Desktop\sue\OTL.exe
PRC - [2010/04/29 15:39:32 | 001,090,952 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009/11/25 00:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/25 00:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/25 00:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/25 00:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2008/11/11 18:39:40 | 001,463,296 | ---- | M] (T-Mobile) -- C:\Program Files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe
PRC - [2008/04/30 17:52:36 | 000,200,704 | ---- | M] (OptionNV) -- C:\Program Files\T-Mobile\web'n'walk Manager\GtDetectSc.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/04 11:39:00 | 000,700,416 | ---- | M] (Bytemobile, Inc.) -- C:\Program Files\T-Mobile\web'n'walk Manager\bmop.exe
PRC - [2008/02/04 11:39:00 | 000,376,832 | ---- | M] (Bytemobile, Inc.) -- C:\Program Files\T-Mobile\web'n'walk Manager\bmctl.exe
PRC - [2007/10/10 22:45:57 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/05/04 09:27:00 | 000,071,360 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2003/02/27 09:04:04 | 000,114,688 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2003/02/26 10:08:42 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2002/03/15 01:46:58 | 000,045,056 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe


========== Modules (SafeList) ==========

MOD - [2010/06/06 20:21:25 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Donna Sanderson\Desktop\sue\OTL.exe
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009/11/25 00:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/25 00:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Start_Pending] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/25 00:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Start_Pending] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/25 00:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2008/04/30 17:52:36 | 000,200,704 | ---- | M] (OptionNV) [Auto | Running] -- C:\Program Files\T-Mobile\web'n'walk Manager\GtDetectSc.exe -- (GtDetectSc)
SRV - [2007/05/04 09:27:00 | 000,071,360 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/11/25 00:50:59 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/25 00:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/25 00:50:00 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/25 00:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/25 00:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/25 00:47:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2008/11/07 13:03:18 | 000,008,064 | ---- | M] (Option N.V.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtuhsser.sys -- (GTUHSSER)
DRV - [2008/11/07 13:01:48 | 000,020,352 | ---- | M] (Option N.V.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtuhsoms.sys -- (GTUHSOMS)
DRV - [2008/11/07 12:58:56 | 000,105,984 | ---- | M] (Option N.V.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtuhs51.sys -- (GTUHSNDISIPXP)
DRV - [2008/11/07 12:57:38 | 000,062,592 | ---- | M] (Option N.V.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtuhsbus.sys -- (GTUHSBUS)
DRV - [2008/02/08 16:39:06 | 000,004,864 | ---- | M] (Option N.V.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\GtTdiFltr.sys -- (GtTdiFltr)
DRV - [2007/12/11 15:46:42 | 000,101,120 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2007/08/06 14:30:18 | 000,018,816 | ---- | M] (Bytemobile, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpipBM.sys -- (tcpipBM)
DRV - [2003/04/29 12:10:40 | 000,004,448 | ---- | M] (StarForce Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp01.sys -- (sfhlp01)
DRV - [2003/04/28 11:12:21 | 000,094,464 | ---- | M] (StarForce Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\prohlp02.sys -- (prohlp02)
DRV - [2003/04/28 10:16:07 | 000,050,816 | ---- | M] (StarForce Technologies, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\prodrv06.sys -- (prodrv06)
DRV - [2003/04/04 08:41:46 | 000,006,848 | ---- | M] (StarForce Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\prosync1.sys -- (prosync1)
DRV - [2003/03/13 23:19:00 | 000,159,488 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWVIA.sys -- (HSFHWVIA)
DRV - [2003/03/13 23:17:00 | 000,622,592 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/03/13 23:15:00 | 001,106,944 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/02/27 20:36:04 | 000,090,852 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2002/12/10 14:06:28 | 000,076,416 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\viaudio.sys -- (VIAudio) VIA AC'97 Audio Controller (WDM)
DRV - [2002/11/08 12:25:00 | 001,004,410 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2002/10/04 09:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2000/12/06 01:18:02 | 000,003,952 | R--- | M] (Sony Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Ask.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://www.mywebsear.......p;l=zu&o=sb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9B DA 56 18 82 05 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



O1 HOSTS File: ([2010/06/08 19:37:00 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe (Easy Systems Japan Ltd.)
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\web'n'walk Manager.lnk = C:\Program Files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe (T-Mobile)
O4 - Startup: C:\Documents and Settings\Donna Sanderson\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1257943898612 (MUWebControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 149.254.201.126 149.254.192.126
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Donna Sanderson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Donna Sanderson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/04/03 02:08:59 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2003/04/03 02:08:21 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/06/08 19:58:42 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/08 19:58:39 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/08 19:58:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/08 19:57:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/06/08 19:25:51 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/06/07 19:41:55 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/06/07 18:56:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/06/07 18:56:00 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/06/07 18:56:00 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/06/07 18:55:09 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/06/07 18:41:10 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/06/06 17:18:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/06 17:17:39 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/06/06 17:09:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Donna Sanderson\Desktop\sue

========== Files - Modified Within 30 Days ==========

[2010/06/08 22:07:08 | 007,340,032 | -H-- | M] () -- C:\Documents and Settings\Donna Sanderson\NTUSER.DAT
[2010/06/08 20:09:58 | 000,000,442 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{695C0D22-D3C4-47F9-BB29-FDFEABC7A202}.job
[2010/06/08 19:58:49 | 000,000,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/08 19:37:42 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/08 19:37:12 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/08 19:37:00 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/08 19:36:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/08 19:36:33 | 535,351,296 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/08 19:35:20 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Donna Sanderson\ntuser.ini
[2010/06/08 18:18:24 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Donna Sanderson\Desktop\Microsoft Office Word 2007.lnk
[2010/06/07 19:42:05 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/06/06 17:17:47 | 000,000,771 | ---- | M] () -- C:\Documents and Settings\Donna Sanderson\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/06/06 14:14:42 | 000,000,937 | ---- | M] () -- C:\Documents and Settings\Donna Sanderson\Desktop\Spybot - Search & Destroy.lnk
[2010/06/06 12:34:27 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/30 12:54:27 | 000,005,666 | ---- | M] () -- C:\Documents and Settings\Donna Sanderson\My Documents\google_co_uk
[2010/05/26 21:43:25 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/26 21:15:40 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Meeting with Cumbria Partnership NHSFT.doc
[2010/05/26 21:02:17 | 000,013,042 | ---- | M] () -- C:\Documents and Settings\Donna Sanderson\Desktop\Meeting with Cumbria Partnership NHSFT.docx

========== Files Created - No Company Name ==========

[2010/06/08 19:58:49 | 000,000,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/07 19:42:05 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/06/07 19:42:01 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/06/07 18:56:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/06/07 18:56:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/06/07 18:56:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/06/07 18:56:00 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/07 18:56:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/06/06 17:17:47 | 000,000,771 | ---- | C] () -- C:\Documents and Settings\Donna Sanderson\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/06/06 14:14:42 | 000,000,937 | ---- | C] () -- C:\Documents and Settings\Donna Sanderson\Desktop\Spybot - Search & Destroy.lnk
[2010/05/30 12:54:24 | 000,005,666 | ---- | C] () -- C:\Documents and Settings\Donna Sanderson\My Documents\google_co_uk
[2010/05/26 21:15:38 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Meeting with Cumbria Partnership NHSFT.doc
[2010/05/26 21:02:16 | 000,013,042 | ---- | C] () -- C:\Documents and Settings\Donna Sanderson\Desktop\Meeting with Cumbria Partnership NHSFT.docx
[2008/02/06 22:51:45 | 000,000,022 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/02/06 22:40:15 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDE RX420EI.ini
[2007/11/21 00:03:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\webica.ini
[2007/06/03 14:44:40 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A6W.INI
[2005/04/16 17:46:43 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/03/27 00:26:32 | 000,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI
[2003/09/23 19:07:49 | 000,000,147 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2003/07/23 19:16:22 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/04/03 17:44:42 | 000,000,072 | ---- | C] () -- C:\WINDOWS\AcrobatSetupStatus.ini
[2003/04/03 09:05:59 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/04/03 02:19:55 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\UnAudioNT.dll
[2003/04/03 02:16:32 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/04/02 15:56:03 | 000,002,704 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[1999/03/23 14:46:24 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL
[1999/01/22 11:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2003/04/03 02:08:59 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/02/26 13:30:46 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/06/07 19:42:05 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/06/08 19:48:44 | 000,007,277 | ---- | M] () -- C:\ComboFix.txt
[2003/04/03 02:08:59 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/06/08 19:36:33 | 535,351,296 | -HS- | M] () -- C:\hiberfil.sys
[2003/04/03 02:08:59 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/06/07 18:39:27 | 000,810,189 | ---- | M] () -- C:\log.log
[2003/04/03 02:08:59 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/02/25 15:38:59 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/10/09 12:03:25 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/06/08 19:36:30 | 402,653,184 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 05:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2010/02/25 07:24:35 | 000,184,320 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iepeers.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2003/04/02 17:59:11 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2003/04/02 17:59:11 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2003/04/02 17:59:11 | 000,393,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /180 >
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/24 14:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2009/12/31 17:50:03 | 000,353,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\srv.sys
[2010/02/11 13:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:93BD75FD
< End of report >

6. The computer seems to be working OK.
Thanks once again for all your help.

#14
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Try this scanner instead:

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop, so that you may post it in your next reply.

#15
suemc

    Member

  • Topic Starter
  • Member
  • 14 posts
Sorry for the delay. First I had problems with Java, then the computer crashed mid-scan. I will try again tomorrow. Thanks for your patience and help.