Rootkit: hidden boot-sector: PC freezes trying to remove


This topic is locked

#1 750steve
Member, 174 posts

My PC had a blue screen today; it's happened a couple of times before.

I've run OTL, log below. My MBAM is up to date & I'm running free Avast! MBAM can detect a rootkit something or other but it can't seem to remove it; when I run an Avast scan it detects 1 threat but cannot remove it either, and the PC then freezes.

I'm using my laptop to post here because of my desktop freezing. Using a mem stick, I downloaded OTL on the laptop & then transferred it to the desktop, saved the log file on the mem stick & put it in my laptop to post it up.

Avast picks up on this but can't remove it: MBR\\.\PHYSICALDRIVE0\Partition4 Threat: Rootkit: hidden boot-sector


OTL logfile created on: 10/02/2012 23:24:41 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Stevie\Desktop
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.25 Gb Total Physical Memory | 2.35 Gb Available Physical Memory | 72.50% Memory free
6.49 Gb Paging File | 5.56 Gb Available in Paging File | 85.60% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 60.55 Gb Total Space | 8.85 Gb Free Space | 14.61% Space Free | Partition Type: NTFS
Drive D: | 237.39 Gb Total Space | 157.63 Gb Free Space | 66.40% Space Free | Partition Type: NTFS
Drive G: | 29.32 Gb Total Space | 28.38 Gb Free Space | 96.77% Space Free | Partition Type: FAT32
Drive J: | 1.90 Gb Total Space | 1.28 Gb Free Space | 67.45% Space Free | Partition Type: FAT

Computer Name: STEVIE-PC | User Name: Stevie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/10 23:12:46 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Stevie\Desktop\OTL.exe
PRC - [2012/02/09 22:51:54 | 000,572,128 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12021001\Sf.bin
PRC - [2011/11/28 18:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/11/28 18:01:23 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2007/06/07 16:19:40 | 000,202,280 | R--- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\O2\bin\sprtsvc.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/27 06:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 06:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/11/28 18:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2010/09/22 17:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009/08/18 02:36:20 | 000,203,264 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009/07/14 01:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2010/09/24 16:07:18 | 000,329,080 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\SupportSoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)
SRV - [2010/03/18 12:16:28 | 000,130,384 | -H-- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/19 12:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009/06/10 21:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2007/06/07 16:19:40 | 000,202,280 | R--- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files (x86)\O2\bin\sprtsvc.exe -- (sprtsvc_O2) SupportSoft Sprocket Service (O2)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/11/28 17:54:06 | 000,591,192 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2011/11/28 17:53:58 | 000,304,472 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2011/11/28 17:52:22 | 000,042,328 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr.sys -- (aswRdr)
DRV:64bit: - [2011/11/28 17:52:20 | 000,058,712 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2011/11/28 17:52:11 | 000,066,904 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2011/11/28 17:51:53 | 000,024,408 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2011/05/13 14:37:54 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2011/05/10 07:06:08 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2009/08/18 03:48:48 | 006,037,504 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2009/07/14 01:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/14 01:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/14 01:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 01:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 01:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/14 01:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 20:35:20 | 000,278,016 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1e6032e.sys -- (e1express) Intel®
DRV:64bit: - [2009/06/10 20:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 20:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 20:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 20:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 12:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2007/12/26 02:46:26 | 000,340,992 | ---- | M] (NETGEAR Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wg111v2.sys -- (RTL8187)
DRV - [2009/07/14 01:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.arccosine.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=937811"
FF - prefs.js..browser.search.selectedEngine: "Arccosine"
FF - prefs.js..browser.startup.homepage: "about:home"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: [email protected]:1.1.8
FF - prefs.js..keyword.URL: "http://search.babylo...ffID=100474&q="


FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2852: C:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.46: C:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1662: C:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.46: C:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Users\Stevie\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll ( )

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\AutocompletePro\[email protected] [2010/08/09 23:16:59 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/12/05 20:56:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/01/07 11:07:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/10/28 17:47:37 | 000,000,000 | ---D | M]

[2010/01/24 13:08:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Stevie\AppData\Roaming\Mozilla\Extensions
[2011/12/11 11:31:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Stevie\AppData\Roaming\Mozilla\Firefox\Profiles\ddhh1c2n.default\extensions
[2011/03/24 23:14:45 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\Stevie\AppData\Roaming\Mozilla\Firefox\Profiles\ddhh1c2n.default\extensions\[email protected]
[2011/09/01 21:59:00 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\Stevie\AppData\Roaming\Mozilla\Firefox\Profiles\ddhh1c2n.default\extensions\[email protected]
[2012/01/27 23:00:38 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/01/27 23:00:38 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
() (No name found) -- C:\USERS\STEVIE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DDHH1C2N.DEFAULT\EXTENSIONS\[email protected]
[2012/01/07 11:07:47 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/11/10 05:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2011/08/30 20:41:12 | 000,001,538 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/01/02 21:19:26 | 000,005,142 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\arccosine.xml
[2011/09/01 21:58:54 | 000,002,288 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
[2011/08/30 20:29:49 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2011/08/30 20:41:12 | 000,000,947 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/08/30 20:41:12 | 000,001,180 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/08/30 20:41:12 | 000,001,135 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/10/17 12:54:54 | 000,000,854 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2 - BHO: (AC-Pro) - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - C:\Program Files (x86)\AutocompletePro\AutocompletePro.dll (SimplyGen)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [AdobeBridge] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetOpenWith = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: northernbank.co.uk ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: o2.co.uk ([*.broadband] http in Trusted sites)
O15 - HKCU\..Trusted Domains: o2.co.uk ([*.broadband] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{18E9FFF8-EDEF-432B-A88D-1990AA5CDE16}: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{270139D7-B3D5-4664-83DA-E1A566FE4B41}: DhcpNameServer = 192.168.1.254
O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) -C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{bf2bdaca-08e4-11df-a77e-001aa09237ef}\Shell - "" = AutoRun
O33 - MountPoints2\{bf2bdaca-08e4-11df-a77e-001aa09237ef}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
O33 - MountPoints2\K\Shell - "" = AutoRun
O33 - MountPoints2\K\Shell\AutoRun\command - "" = K:\LaunchU3.exe -a
O33 - MountPoints2\L\Shell - "" = AutoRun
O33 - MountPoints2\L\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/10 23:23:55 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Stevie\Desktop\OTL.exe
[2012/02/10 18:32:20 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{A85062E3-4AA8-46E8-AC29-C3A3A21440A2}
[2012/02/10 18:32:07 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{C3AE2F6B-26EF-4F29-AC6B-BE98FB924D70}
[2012/02/10 06:23:56 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{96382F55-CE6B-4A6C-A2D8-DD6C55ABBC05}
[2012/02/09 21:07:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/02/09 21:06:56 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/02/09 21:06:56 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/02/09 18:23:18 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{EFC07BA3-6BF5-4DF0-BA29-F1DA09408385}
[2012/02/09 06:22:41 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{554D729A-EEEF-40BC-910D-0978D5C0986D}
[2012/02/08 18:22:06 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{87AF2290-3ED1-4E90-B156-70891BAC01CA}
[2012/02/08 06:21:28 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{289E52C7-AD38-4BAE-8341-4A4DDD384E48}
[2012/02/07 23:16:53 | 000,000,000 | ---D | C] -- C:\Users\Stevie\Desktop\Car Accident 06.02.2012
[2012/02/07 18:21:01 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{5890A35B-F85A-4EE2-BD23-285D86A4D460}
[2012/02/07 06:20:20 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{B8E7CBE9-BF59-4AD7-AFA2-532E4FB0976C}
[2012/02/06 18:19:53 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{70BB0DC8-AC94-418A-B159-7B61B0AFB5D7}
[2012/02/06 06:19:27 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{04E66ABA-0853-4806-83AE-0AC71F05138C}
[2012/02/05 18:19:01 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{92CB9586-D1CE-41FB-8199-EAD0A281F11F}
[2012/02/05 06:18:34 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{86C27137-E0CE-4F1A-A019-6FE397C74077}
[2012/02/04 18:18:07 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{7D98B668-C677-426D-9553-02A9A58D36E5}
[2012/02/04 06:17:41 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{14F09442-1388-473F-AE7C-DED1CDCC2D00}
[2012/02/03 18:17:14 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{3D7128B4-F6C3-4389-973B-1FCDE67687A2}
[2012/02/03 06:16:48 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{4F4D0C06-DAD4-4745-8942-25C3E3DB876D}
[2012/02/02 18:16:21 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{3A0B2075-2BD9-4AAD-A970-FD544D59CBE7}
[2012/02/02 06:15:54 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{492CAD96-95C1-40DB-B20D-125569D590A6}
[2012/02/02 06:15:40 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{1C25E0C8-2CE0-46C3-BF11-30DC7D3888B0}
[2012/02/01 18:15:11 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{C344F95F-4E69-4387-803D-10FFADC7177D}
[2012/02/01 06:14:45 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{6B9094AA-73AE-456A-9F33-1D92249D7D02}
[2012/01/31 18:14:18 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{A0459C26-C1AC-4296-BA59-716B451B01B6}
[2012/01/31 06:13:51 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{FD1F196B-9082-4797-A9F9-1C3C25543515}
[2012/01/31 06:13:39 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{7BA736A2-0840-4AE0-AC0B-326348DC6A0C}
[2012/01/30 18:13:12 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{F6AD0438-1747-4B47-BE45-AD47588AFAE5}
[2012/01/30 00:26:46 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{3C067789-4976-4259-939B-413833858A26}
[2012/01/29 12:26:20 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{0EC66874-B4BE-4DFE-B81A-9D3F1C73AF46}
[2012/01/28 16:34:21 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{687FC11C-3902-4D7D-90B1-D01765C5F352}
[2012/01/28 04:33:48 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{B7DCC6FD-4C62-4A8C-8C68-B31F653BE7A7}
[2012/01/28 04:33:35 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{4D57BE8A-7545-435B-A979-D6993ABE63D8}
[2012/01/27 23:00:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2012/01/27 22:37:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\DESIGNER
[2012/01/27 22:37:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio
[2012/01/27 16:33:09 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{2A9E0E46-59AE-4E47-8B4E-7DF09C6EA85D}
[2012/01/27 04:32:42 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{5E9E7FC1-C9D3-4028-839A-942162067F2D}
[2012/01/27 04:32:29 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{79F3573F-9292-4926-A7B1-F1FEE84F33A8}
[2012/01/26 16:31:55 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{C1F8585F-7B85-4A0E-BC63-2D966CB59D3E}
[2012/01/26 04:31:29 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{891DB5F3-EA03-407E-BBC6-5B45D36E3296}
[2012/01/25 16:31:02 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{A4279BEC-298F-45A7-9128-9DC448DF6AAF}
[2012/01/25 04:30:34 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{BF312161-C43D-4973-8EDD-482ED3375919}
[2012/01/24 22:02:51 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\PackageAware
[2012/01/24 16:29:57 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{AF43F9C9-DCB8-4F89-AF07-EA105B01C2ED}
[2012/01/24 04:29:18 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{B2A5AA81-B071-47EA-B8B4-171B68083068}
[2012/01/23 16:28:42 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{C92924E9-6D08-4969-9E2B-3F9A263075B6}
[2012/01/23 04:28:06 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{5BE5DEEA-D8CF-4D7F-8889-9EF29B4B0FC9}
[2012/01/22 16:27:39 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{563593C0-8F60-4F04-92A6-A0A9BE223208}
[2012/01/22 04:27:13 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{1C9E9969-8E4E-4EAB-9433-B11D056CD691}
[2012/01/21 16:26:46 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{AB5165A8-4CCA-4B34-98FA-008F48F115D2}
[2012/01/21 04:26:19 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{1AB4A937-A620-4A4B-BCE8-7FFF60DAC9C9}
[2012/01/20 16:25:52 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{2BF39AFF-CBCE-4BFC-A8D5-2BE83276C7A2}
[2012/01/20 04:25:26 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{AB668BA4-1ECD-426E-8255-2E703DE73270}
[2012/01/19 16:24:59 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{9EC72B7D-7086-454F-8EE0-400D5EB3D880}
[2012/01/19 04:24:33 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{0AB950A7-F300-44C6-95D2-4CB9741973C7}
[2012/01/18 16:24:06 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{5DED2CD4-1DAA-42F5-8C0A-CE116126F7A8}
[2012/01/18 04:23:39 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{550D342E-C278-4FB3-8639-C070503E4435}
[2012/01/17 16:23:12 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{EABDF83F-65E5-40D1-B820-7BA1F1B9BAF3}
[2012/01/17 04:22:46 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{27D1748E-2EA5-42E6-98B5-B0D302FBD430}
[2012/01/16 16:22:11 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{94DE903A-AF8D-487E-8C48-F064D1D9145C}
[2012/01/16 04:21:45 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{0D979D13-832B-47E4-A457-4181CFE49419}
[2012/01/15 16:21:15 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{F1795F13-EAF9-4865-9E77-1B9F42FD78D4}
[2012/01/15 16:21:03 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{225851B5-2A2E-4786-9DF2-47E6F26410A4}
[2012/01/15 16:09:20 | 000,000,000 | ---D | C] -- C:\Users\Stevie\Desktop\Christmas
[2012/01/15 11:13:30 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{F9FFE42B-F1ED-4C7B-A647-6331FFDD6197}
[2012/01/15 04:20:36 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{6CB77CFF-C1C2-4BC7-83D9-48A7BFF50404}
[2012/01/14 16:20:09 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{671F017C-319A-4023-89F3-E0C352182357}
[2012/01/14 04:19:35 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{4F1773A3-4CBE-4D6E-9BD1-3791D814B21E}
[2012/01/13 16:19:09 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{0FDB153C-D59B-4451-A040-2EE7ABE56EEA}
[2012/01/13 04:18:40 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{07A88072-E750-4175-910F-6399DEA0D747}
[2012/01/12 16:18:13 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{FCBFD44C-DBD5-433D-AFFB-D362129BF14D}
[2012/01/12 04:17:46 | 000,000,000 | ---D | C] -- C:\Users\Stevie\AppData\Local\{C91DB2F9-DF3E-4D5A-A0FF-C4C76448965C}
[2011/07/03 20:51:15 | 003,085,984 | ---- | C] (Adobe Systems, Inc.) -- C:\Program Files (x86)\install_flash_player.exe
[2010/12/17 19:55:23 | 007,622,112 | ---- | C] (Malwarebytes Corporation ) -- C:\Program Files\mbam-setup.exe

========== Files - Modified Within 30 Days ==========

[2012/02/10 23:22:41 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/10 23:22:33 | 2615,808,000 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/10 23:12:46 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Stevie\Desktop\OTL.exe
[2012/02/10 23:04:48 | 000,000,632 | RHS- | M] () -- C:\Users\Stevie\ntuser.pol
[2012/02/10 22:54:27 | 000,730,320 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/02/10 22:54:27 | 000,631,538 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/02/10 22:54:27 | 000,111,848 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/02/10 18:32:48 | 000,001,113 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/10 09:09:38 | 000,009,776 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/10 09:09:38 | 000,009,776 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/09 22:52:53 | 000,187,944 | ---- | M] () -- C:\Users\Stevie\Desktop\Car Accident 06.02.2012 Claim Form report.pdf
[2012/02/09 21:07:20 | 000,001,783 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/02/07 19:51:00 | 000,671,696 | ---- | M] () -- C:\Users\Stevie\Desktop\photo 2.JPG
[2012/02/07 19:51:00 | 000,662,595 | ---- | M] () -- C:\Users\Stevie\Desktop\photo 1.JPG
[2012/01/29 21:29:30 | 000,001,137 | ---- | M] () -- C:\Users\Stevie\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2012/01/29 20:46:13 | 000,072,739 | ---- | M] () -- C:\Users\Stevie\Desktop\Stephen Weir CV.pdf
[2012/01/27 22:53:09 | 004,972,784 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/01/24 08:01:12 | 000,138,856 | R--- | M] () -- C:\Users\Stevie\Desktop\Kawasaki Wheel Bearing Fitments.pdf

========== Files Created - No Company Name ==========

[2012/02/09 22:52:52 | 000,187,944 | ---- | C] () -- C:\Users\Stevie\Desktop\Car Accident 06.02.2012 Claim Form report.pdf
[2012/02/09 21:07:20 | 000,001,783 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/02/07 19:51:00 | 000,671,696 | ---- | C] () -- C:\Users\Stevie\Desktop\photo 2.JPG
[2012/02/07 19:51:00 | 000,662,595 | ---- | C] () -- C:\Users\Stevie\Desktop\photo 1.JPG
[2012/01/29 20:46:12 | 000,072,739 | ---- | C] () -- C:\Users\Stevie\Desktop\Stephen Weir CV.pdf
[2012/01/24 08:01:13 | 000,138,856 | R--- | C] () -- C:\Users\Stevie\Desktop\Kawasaki Wheel Bearing Fitments.pdf
[2012/01/23 18:59:08 | 000,001,113 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/15 11:31:26 | 000,001,305 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Movie Maker.lnk
[2012/01/15 11:31:17 | 000,001,374 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Photo Gallery.lnk
[2012/01/15 11:30:55 | 000,002,486 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Messenger.lnk
[2012/01/15 11:30:39 | 000,001,458 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Mail.lnk
[2011/09/29 19:00:49 | 000,001,456 | ---- | C] () -- C:\Users\Stevie\AppData\Local\Adobe Save for Web 12.0 Prefs
[2011/08/21 20:48:02 | 000,098,304 | -H-- | C] () -- C:\Windows\SysWow64\redmonnt.dll
[2011/01/27 02:38:50 | 000,000,085 | -H-- | C] () -- C:\Windows\FI_Tool.INI
[2010/06/16 23:57:32 | 000,187,432 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
[2010/01/24 15:53:56 | 000,722,382 | -H-- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/01/24 13:08:05 | 000,000,000 | -H-- | C] () -- C:\Windows\nsreg.dat
[2010/01/24 13:02:13 | 000,000,752 | -H-- | C] () -- C:\Windows\{4507868A-A9CD-4ECC-BD54-0EAB6EE81D42}_WiseFW.ini
[2010/01/24 12:36:30 | 000,164,352 | -H-- | C] () -- C:\Windows\SysWow64\unrar.dll
[2010/01/24 12:36:30 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2010/01/24 12:36:29 | 000,755,027 | -H-- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2010/01/24 12:36:29 | 000,159,839 | -H-- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2010/01/24 12:36:28 | 003,596,288 | -H-- | C] () -- C:\Windows\SysWow64\qt-dx331.dll
[2010/01/24 12:36:28 | 000,007,680 | -H-- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2010/01/24 12:32:21 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2009/07/14 05:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 02:35:51 | 000,000,741 | -H-- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/14 02:34:42 | 000,215,943 | -H-- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/14 00:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 23:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 21:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 21:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat

========== LOP Check ==========

[2010/01/27 22:28:18 | 000,000,000 | ---D | M] -- C:\Users\Stevie\AppData\Roaming\.myibay
[2011/09/01 21:58:53 | 000,000,000 | ---D | M] -- C:\Users\Stevie\AppData\Roaming\Babylon
[2010/12/20 20:09:24 | 000,000,000 | ---D | M] -- C:\Users\Stevie\AppData\Roaming\Blitware
[2011/01/20 23:46:13 | 000,000,000 | ---D | M] -- C:\Users\Stevie\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/01/31 13:52:05 | 000,000,000 | ---D | M] -- C:\Users\Stevie\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/05/14 10:37:31 | 000,000,000 | ---D | M] -- C:\Users\Stevie\AppData\Roaming\Facebook
[2011/01/25 22:18:45 | 000,000,000 | ---D | M] -- C:\Users\Stevie\AppData\Roaming\Foxit Software
[2010/01/24 12:36:38 | 000,000,000 | ---D | M] -- C:\Users\Stevie\AppData\Roaming\GrabPro
[2010/01/25 21:04:58 | 000,000,000 | ---D | M] -- C:\Users\Stevie\AppData\Roaming\ImgBurn
[2010/01/24 13:20:12 | 000,000,000 | ---D | M] -- C:\Users\Stevie\AppData\Roaming\Notepad++
[2010/12/17 21:27:36 | 000,000,000 | ---D | M] -- C:\Users\Stevie\AppData\Roaming\Orbit
[2010/11/14 10:46:00 | 000,000,000 | ---D | M] -- C:\Users\Stevie\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2012/02/10 09:26:45 | 000,000,000 | ---D | M] -- C:\Users\Stevie\AppData\Roaming\uTorrent
[2011/07/09 16:12:17 | 000,000,000 | ---D | M] -- C:\Users\Stevie\AppData\Roaming\Windows Live Writer
[2009/07/14 05:08:49 | 000,027,646 | -H-- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >


EXTRAS

OTL Extras logfile created on: 10/02/2012 23:24:41 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Stevie\Desktop
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.25 Gb Total Physical Memory | 2.35 Gb Available Physical Memory | 72.50% Memory free
6.49 Gb Paging File | 5.56 Gb Available in Paging File | 85.60% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 60.55 Gb Total Space | 8.85 Gb Free Space | 14.61% Space Free | Partition Type: NTFS
Drive D: | 237.39 Gb Total Space | 157.63 Gb Free Space | 66.40% Space Free | Partition Type: NTFS
Drive G: | 29.32 Gb Total Space | 28.38 Gb Free Space | 96.77% Space Free | Partition Type: FAT32
Drive J: | 1.90 Gb Total Space | 1.28 Gb Free Space | 67.45% Space Free | Partition Type: FAT

Computer Name: STEVIE-PC | User Name: Stevie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [openNew] -- explorer %1 (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [openNew] -- explorer %1 (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{180C8888-50F1-426B-A9DC-AB83A1989C65}" = Windows Live Language Selector
"{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant
"{1E9FC118-651D-4934-97BE-E53CAE5C7D45}" = Microsoft_VC80_MFCLOC_x86_x64
"{1FB31F44-D4D0-4D76-944A-A1A5D79FD321}" = Windows Live Family Safety
"{4569AD91-47F4-4D9E-8FC9-717EC32D7AE1}" = Microsoft_VC80_CRT_x86_x64
"{5E11C972-1E76-45FE-8F92-14E0D1140B1B}" = iTunes
"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
"{6DD01FF3-63CE-436B-96DB-61363EAA4EB8}" = MobileMe Control Panel
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{75104836-CAC7-444E-A39E-3F54151942F5}" = Apple Mobile Device Support
"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
"{8557397C-A42D-486F-97B3-A2CBC2372593}" = Microsoft_VC90_ATL_x86_x64
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{925D058B-564A-443A-B4B2-7E90C6432E55}" = Microsoft_VC80_ATL_x86_x64
"{92A3CA0D-55CD-4C5D-BA95-5C2600C20F26}" = Microsoft_VC90_CRT_x86_x64
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A472B9E4-0AFF-4F7B-B25D-F64F8E928AAB}" = Microsoft_VC90_MFC_x86_x64
"{C8C1BAD5-54E6-4146-AD07-3A8AD36569C3}" = Microsoft_VC80_MFC_x86_x64
"{CEA21F20-DBF4-464C-8B81-28B8508AFDDD}" = Windows Live Family Safety
"{D1829BE5-F305-4576-9593-C66FC7E0B008}" = iCloud
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin 64-bit
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"WinRAR archiver" = WinRAR archiver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{15FEDA5F-141C-4127-8D7E-B962D1742728}" = Adobe Photoshop CS5
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{235BBFC6-D863-4066-A01A-3BD504C31033}" = Nero 7 Ultra Edition
"{2367FAB6-055A-4923-835F-F57F7BBBA363}_is1" = Paint XP version 1.1
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 30
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3F7D6F1F-AE40-46E7-95E4-9B2242A6EC6D}_is1" = Hawke ChairGun Pro 1.0.4f
"{4507868A-A9CD-4ECC-BD54-0EAB6EE81D42}" = O2 Broadband Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50816F92-1652-4A7C-B9BC-48F682742C4B}" = Messenger Companion
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISE_{E64BA721-2310-4B55-BE5A-2925F9706192}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002A-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0116-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95140000-007A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D29159F-227D-45B9-BD70-94564CE259BD}" = O2InstV2Win7UpdateV1
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC76BA86-7AD7-5760-0000-900000000003}" = Japanese Fonts Support For Adobe Reader 9
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{E7C97E98-4C2D-BEAF-5D2F-CC45A2F95D90}" = Acrobat.com
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F2AF3E5D-9697-485C-A5AC-E2B9468C446A}" = Safari
"{FCE7F6A7-4AE6-4926-A15F-7B4EF6881438}_is1" = Hawke ChairGun Pro 1.0.5a
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"7-Zip" = 7-Zip 4.65
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AutocompletePro2_is1" = AutocompletePro
"avast" = avast! Free Antivirus
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FI_Tool" = Kawasaki FI Calibration Tool
"Foxit Reader" = Foxit Reader
"ImgBurn" = ImgBurn
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 4.1.4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Mozilla Firefox 9.0.1 (x86 en-GB)" = Mozilla Firefox 9.0.1 (x86 en-GB)
"Notepad++" = Notepad++
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.3
"WinLiveSuite" = Windows Live Essentials

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In
"JoinMe" = join.me

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/02/2012 19:01:57 | Computer Name = Stevie-PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x80070005.

Error - 10/02/2012 19:03:04 | Computer Name = Stevie-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe_Dnscache, version: 6.1.7600.16385,
time stamp: 0x4a5bc3c1 Faulting module name: ntdll.dll, version: 6.1.7600.16695,
time stamp: 0x4cc7b325 Exception code: 0xc0000005 Fault offset: 0x000000000008bee2
Faulting
process id: 0x454 Faulting application start time: 0x01cce847f760705b Faulting application
path: C:\Windows\system32\svchost.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report
Id: 630f9ad0-543b-11e1-861b-001aa09237ef

Error - 10/02/2012 19:04:31 | Computer Name = Stevie-PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x80070005.

Error - 10/02/2012 19:05:35 | Computer Name = Stevie-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe_Dnscache, version: 6.1.7600.16385,
time stamp: 0x4a5bc3c1 Faulting module name: ntdll.dll, version: 6.1.7600.16695,
time stamp: 0x4cc7b325 Exception code: 0xc0000005 Fault offset: 0x000000000008bee2
Faulting
process id: 0x478 Faulting application start time: 0x01cce8485292244d Faulting application
path: C:\Windows\system32\svchost.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report
Id: bd0e05bb-543b-11e1-b05d-001aa09237ef

Error - 10/02/2012 19:23:06 | Computer Name = Stevie-PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x80070005.

Error - 10/02/2012 19:24:06 | Computer Name = Stevie-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe_Dnscache, version: 6.1.7600.16385,
time stamp: 0x4a5bc3c1 Faulting module name: ntdll.dll, version: 6.1.7600.16695,
time stamp: 0x4cc7b325 Exception code: 0xc0000005 Fault offset: 0x000000000008bee2
Faulting
process id: 0x47c Faulting application start time: 0x01cce84ae73a61fe Faulting application
path: C:\Windows\system32\svchost.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report
Id: 530ba8e0-543e-11e1-ab34-001aa09237ef

Error - 10/02/2012 19:27:20 | Computer Name = Stevie-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe_Dnscache, version: 6.1.7600.16385,
time stamp: 0x4a5bc3c1 Faulting module name: ntdll.dll, version: 6.1.7600.16695,
time stamp: 0x4cc7b325 Exception code: 0xc0000005 Fault offset: 0x000000000008bee2
Faulting
process id: 0xe0c Faulting application start time: 0x01cce84b16224ed6 Faulting application
path: C:\Windows\System32\svchost.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report
Id: c6645e17-543e-11e1-ab34-001aa09237ef

Error - 10/02/2012 19:29:49 | Computer Name = Stevie-PC | Source = Microsoft-Windows-LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is not formatted
correctly. The malformed string is 9916. The first DWORD in the Data section contains
the index value to the malformed string while the second and third DWORDs in the
Data section contain the last valid index values.

Error - 10/02/2012 19:29:49 | Computer Name = Stevie-PC | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The first DWORD in the Data section contains the error code.

Error - 10/02/2012 19:29:52 | Computer Name = Stevie-PC | Source = Microsoft-Windows-LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is not formatted
correctly. The malformed string is 9916. The first DWORD in the Data section contains
the index value to the malformed string while the second and third DWORDs in the
Data section contain the last valid index values.

[ Media Center Events ]
Error - 08/09/2010 05:30:42 | Computer Name = Stevie-PC | Source = MCUpdate | ID = 0
Description = 10:30:42 - Error connecting to the internet. 10:30:42 - Unable
to contact server..

Error - 08/09/2010 05:31:12 | Computer Name = Stevie-PC | Source = MCUpdate | ID = 0
Description = 10:31:11 - Error connecting to the internet. 10:31:11 - Unable
to contact server..

Error - 07/10/2010 02:24:05 | Computer Name = Stevie-PC | Source = MCUpdate | ID = 0
Description = 07:24:05 - Error connecting to the internet. 07:24:05 - Unable
to contact server..

Error - 07/10/2010 02:24:36 | Computer Name = Stevie-PC | Source = MCUpdate | ID = 0
Description = 07:24:34 - Error connecting to the internet. 07:24:34 - Unable
to contact server..

Error - 07/10/2010 03:25:25 | Computer Name = Stevie-PC | Source = MCUpdate | ID = 0
Description = 08:25:25 - Error connecting to the internet. 08:25:25 - Unable
to contact server..

Error - 07/10/2010 03:25:55 | Computer Name = Stevie-PC | Source = MCUpdate | ID = 0
Description = 08:25:54 - Error connecting to the internet. 08:25:54 - Unable
to contact server..

Error - 07/10/2010 04:26:44 | Computer Name = Stevie-PC | Source = MCUpdate | ID = 0
Description = 09:26:44 - Error connecting to the internet. 09:26:44 - Unable
to contact server..

Error - 07/10/2010 04:27:14 | Computer Name = Stevie-PC | Source = MCUpdate | ID = 0
Description = 09:27:13 - Error connecting to the internet. 09:27:13 - Unable
to contact server..

Error - 07/10/2010 05:28:04 | Computer Name = Stevie-PC | Source = MCUpdate | ID = 0
Description = 10:28:04 - Error connecting to the internet. 10:28:04 - Unable
to contact server..

Error - 07/10/2010 05:28:34 | Computer Name = Stevie-PC | Source = MCUpdate | ID = 0
Description = 10:28:33 - Error connecting to the internet. 10:28:33 - Unable
to contact server..

[ OSession Events ]
Error - 23/01/2011 11:26:34 | Computer Name = Stevie-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 0
seconds with 0 seconds of active time. This session ended with a crash.

Error - 23/01/2011 11:26:52 | Computer Name = Stevie-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 0
seconds with 0 seconds of active time. This session ended with a crash.

Error - 03/05/2011 14:05:46 | Computer Name = Stevie-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6555.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 0
seconds with 0 seconds of active time. This session ended with a crash.

Error - 03/05/2011 14:06:20 | Computer Name = Stevie-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6555.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 0
seconds with 0 seconds of active time. This session ended with a crash.

Error - 24/06/2011 18:01:07 | Computer Name = Stevie-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 0
seconds with 0 seconds of active time. This session ended with a crash.

Error - 24/06/2011 18:01:17 | Computer Name = Stevie-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 0
seconds with 0 seconds of active time. This session ended with a crash.

Error - 30/09/2011 17:33:04 | Computer Name = Stevie-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 0
seconds with 0 seconds of active time. This session ended with a crash.

Error - 30/09/2011 17:33:26 | Computer Name = Stevie-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 0
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 23/05/2011 09:14:51 | Computer Name = Stevie-PC | Source = volsnap | ID = 393252
Description = The shadow copies of volume C: were aborted because the shadow copy
storage could not grow due to a user imposed limit.

Error - 23/05/2011 09:15:55 | Computer Name = Stevie-PC | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 23/05/2011 09:16:01 | Computer Name = Stevie-PC | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 23/05/2011 09:16:24 | Computer Name = Stevie-PC | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 23/05/2011 09:16:35 | Computer Name = Stevie-PC | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 23/05/2011 09:16:41 | Computer Name = Stevie-PC | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 23/05/2011 09:16:46 | Computer Name = Stevie-PC | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 23/05/2011 09:17:06 | Computer Name = Stevie-PC | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 23/05/2011 09:17:11 | Computer Name = Stevie-PC | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 23/05/2011 16:55:56 | Computer Name = Stevie-PC | Source = atikmdag | ID = 43029
Description = Display is not active


< End of report >

Edited by 750steve, 10 February 2012 - 08:13 PM.

  • 0


#2
oldman960

oldman960

    Trusted Helper

  • Malware Removal
  • 123 posts
Hi 750steve,

Let's get a closer look at this critter.


Download Rogue Killer and save it to your usb device. Transfer it to the desktop of the sick computer.
  • double click the Rogue Killer icon to run it
  • After it has completed its prescan click scan
  • When the scan is complete click report
Please post the log.

We will most likely need a blank CD which we will make bootable and a usb device to transfer a file. Do you have these available?
  • 0

#3
750steve

750steve

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 174 posts
Hi Oldman, thank you very much for helping me out. I'm in work here so it'll be 7 hours before I get home to run Rogue Killer & post the results, I'll add to the thread then.

We will most likely need a blank CD which we will make bootable and a usb device to transfer a file. Do you have these available?

Yes, I have these available

Incidentally when I run Avast! it picks up on the Rootkit, when I go to 'delete' it a message comes up saying "postponed until next reboot" but it won't remove on the next reboot. On starting the PC again the only way I can get windows to load is by hitting F12 & selecting the drive to load from. Sorry if I'm going on a bit but I'm just trying to give you as much info as possible.

I appreciate you giving up your time.

Edited by 750steve, 11 February 2012 - 03:31 AM.

  • 0

#4
oldman960

oldman960

    Trusted Helper

  • Malware Removal
  • 123 posts
Hi 750steve,

Ok, I'll check back later. :thumbsup:
  • 0

#5
750steve

750steve

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 174 posts
RK Report;


RogueKiller V7.0.4 [02/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Stevie [Admin rights]
Mode: Scan -- Date : 02/11/2012 15:50:56

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 10 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorUser (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 activate.adobe.com


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDT725032VLA360 ATA Device +++++
--- User ---
[MBR] b51a5b5b910168b89c4de2fb22c99892
[BSP] b7986a247bf948dd1ad3dc756b531f19 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 317440 | Size: 62000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 127293440 | Size: 243089 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] ea507522a0ce07f78df8580e0f94277e
[BSP] b7986a247bf948dd1ad3dc756b531f19 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 317440 | Size: 62000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 127293440 | Size: 243089 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625139712 | Size: 1 Mo

+++++ PhysicalDrive3: TEAC USB HS-MS Card USB Device +++++
--- User ---
[MBR] 5a48c25fa50120c76b8f726dd0187559
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 375 | Size: 1950 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt




Now, I hope I've done the correct thing in the next step, I googled the malware/virus & have run aswMBR just to get the log file

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-11 19:16:54
-----------------------------
19:16:54.193 OS Version: Windows x64 6.1.7600
19:16:54.193 Number of processors: 2 586 0xF0B
19:16:54.193 ComputerName: STEVIE-PC UserName: Stevie
19:16:54.630 Initialize success
19:16:54.739 AVAST engine defs: 12021001
19:16:57.219 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
19:16:57.219 Disk 0 Vendor: Hitachi_HDT725032VLA360 V54OA73A Size: 305245MB BusType: 3
19:16:57.235 Disk 0 MBR read successfully
19:16:57.235 Disk 0 MBR scan
19:16:57.235 Disk 0 Windows 7 default MBR code
19:16:57.250 Disk 0 MBR hidden
19:16:57.250 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 112640
19:16:57.266 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 62000 MB offset 317440
19:16:57.282 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 243089 MB offset 127293440
19:16:57.313 Disk 0 Partition 4 80 (A) 17 Hidd HPFS/NTFS NTFS 1 MB offset 625139712
19:16:57.313 Disk 0 Partition 4 **INFECTED** MBR:Alureon-K [Rtk]
19:16:57.328 Service scanning
19:16:58.732 Modules scanning
19:16:58.732 Disk 0 trace - called modules:
19:16:58.748 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003700334]<<ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
19:16:58.748 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80036e3120]
19:16:58.748 3 CLASSPNP.SYS[fffff8800182743f] -> nt!IofCallDriver -> [0xfffffa8003242520]
19:16:58.764 5 ACPI.sys[fffff88000ed3781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800323e680]
19:16:58.764 \Driver\atapi[0xfffffa8003175420] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8003700334
19:16:58.982 AVAST engine scan C:\Windows
19:17:00.355 AVAST engine scan C:\Windows\system32
19:18:39.228 AVAST engine scan C:\Windows\system32\drivers
19:18:45.546 AVAST engine scan C:\Users\Stevie
19:19:22.908 Disk 0 MBR has been saved successfully to "C:\Users\Stevie\Desktop\MBR.dat"
19:19:22.924 The log file has been saved successfully to "C:\Users\Stevie\Desktop\aswMBR.txt"

Edited by 750steve, 11 February 2012 - 01:23 PM.

  • 0

#6
oldman960

oldman960

    Trusted Helper

  • Malware Removal
  • 123 posts
Hi 750steve,

Please read through this before starting. Ask any questions you may have.

We'll use a CD that we will make bootable. We also need a USB flashdrive that has some space on it. We will not be changing any of the data on the usb device just using it for a file.

You will also need to use FireFox to download a file as Internet Explorer seems to mangle the download.

If you have any problems with these steps please let me know. These may look complicated but it's fairly straightforward and for the most part automated.

On your working computer

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe by double clicking it. (right click and run as administrator if you are using Vista or Win7)
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD

Next

You may want to print out this part as you will not be able to view these instructions.

  • Download tdl_fix.sh and save it to the flash drive you were using.
  • Make sure the flash drive is attached to the sick computer.
  • The computer must be set to boot from the CD; depending on your computer you can either do this by pressing F12 and selecting the CD as the first boot option or it can be set in the BIOS
  • Once you have the computer set to boot from the CD allow it to boot
  • Boot into xPUD with the CD then click the File tab.
  • Press File
  • Expand mnt
  • Click on the folder under mnt that represents your USB drive (sdb1 ?)
  • You should see the tdl_fix.sh file in the main window.
  • Select Tool from the Menu
  • Choose Open Terminal
  • Type bash tdl_fix.sh then press Enter

    (note there is a space after bash and that is an underscore after tdl)
  • Read the warning then type y and press Enter to continue.
  • Type sda then press Enter when prompted.
  • You will be shown a list of partitions to choose marking active.
  • Type 1 then press Enter.
  • If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, please post back for further instructions. Just leave the computer running if you wish and use your other one to post.
  • If you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
  • The script will complete and prompt you to reboot the computer.
  • Close the Terminal window and restart back into Windows.

When restarting the computer:
  • while the computer is rebooting press F10 to bring up the 'Edit Boot Options' screen. (if it's pressed too early you might get the bios screen instead. )
  • If it says /minint or int/min after /NOEXECUTE=OPTIN (see the screenshot tdl4_minint.png), hit the Backspace key until that entry reads:

    /NOEXECUTE=OPTIN
  • hit enter

Once the computer has booted into Windows:

  • click start
  • type cmd into the search box
  • right click on cmd that appears at the top and click Run as administrator
  • type bcdedit /enum all >%userprofile%\desktop\log.log

    (note: there is a space after bcdedit, a space after enum and one after all)
  • hit enter
When it's finished a notepad named log.log will be on the desktop.

Post the contents of the tdl_fix.txt file that was created on your flash drive and the contents of log.log in your next reply.

Please let me know how the computer is behaving.

Extra Note - in the event the computer will not boot to windows and the Boot Option line looked correct:

Boot the computer with the xPUD CD and run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
Ok the procedure then restart when complete.
This is a backup of the original mbr and will restore it to its current state.
  • 0
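
As an added illustration (not part of this thread, and not RogueKiller's, aswMBR's or tdl_fix.sh's own code), the script below rebuilds the partition table from the RogueKiller and aswMBR logs in #5 as a constructed 512-byte MBR and applies the three checks a defender reads off those logs: the cross-view mismatch between the "User" and "LL2" reads (RogueKiller's `User != LL2 ... KO!`), an active partition with a hidden type (the `80 ... 17 Hidd` entry), and a tiny hidden partition parked at the very end of the disk. It then shows what the "make partition 1 active" step of the tdl_fix.sh procedure in #6 does to the table. The MBR bytes, the 16 MB and 4096-sector thresholds and all function names are constructed for this example; the sector numbers come from the logs above.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFFSET = 0x1BE          # the four partition entries start at byte 446
ENTRY_LEN = 16
ACTIVE = 0x80                      # boot-indicator byte of an active entry
# Standard "hidden" MBR partition type IDs; 0x17 is the Hidden HPFS/NTFS seen in the logs above
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def build_entry(status, ptype, lba_start, sectors):
    """Pack one 16-byte partition entry (CHS fields left zero, LBA only)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(entries):
    """Assemble a 512-byte MBR from up to four entries; boot code is zero-filled."""
    table = b"".join(entries) + b"\0" * (ENTRY_LEN * (4 - len(entries)))
    return b"\0" * PART_TABLE_OFFSET + table + b"\x55\xAA"


def parse_partitions(mbr):
    """Return the four partition entries as dicts (unused slots have type 0)."""
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFFSET + i * ENTRY_LEN)
        parts.append({"index": i + 1, "active": status == ACTIVE,
                      "type": ptype, "start": start, "sectors": count})
    return parts


def detect(mbr, disk_sectors, small_mb=16, tail_slack=4096):
    """Flag the pattern the logs above show: an active, hidden-type, tiny partition
    at the end of the disk. Returns a list of (severity, message)."""
    findings = []
    parts = [p for p in parse_partitions(mbr) if p["type"] != 0]
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(("HIGH", f"{len(active)} active partitions, expected exactly 1"))
    for p in parts:
        hidden = p["type"] in HIDDEN_TYPES
        small = p["sectors"] * SECTOR <= small_mb * 1024 * 1024
        at_tail = disk_sectors - (p["start"] + p["sectors"]) <= tail_slack
        if p["active"] and hidden:
            findings.append(("HIGH", f"partition {p['index']}: active AND hidden type 0x{p['type']:02X}"))
        if hidden and small and at_tail:
            findings.append(("MEDIUM", f"partition {p['index']}: tiny hidden partition at end of disk"))
    return findings


def set_active(mbr, index):
    """Move the boot flag to partition `index` (1-4) and clear it on the others;
    this is what the 'make partition 1 active' step does to the table."""
    buf = bytearray(mbr)
    for i in range(4):
        buf[PART_TABLE_OFFSET + i * ENTRY_LEN] = ACTIVE if i + 1 == index else 0x00
    return bytes(buf)


def views_match(user_view, raw_view):
    """Cross-view check behind 'User = LL1 ... OK! / User != LL2 ... KO!': a rootkit that
    filters disk reads makes the OS-level copy of the MBR differ from a low-level read."""
    return hashlib.md5(user_view).hexdigest() == hashlib.md5(raw_view).hexdigest()


DISK_SECTORS = 625142448  # total sectors reported by fdisk in tdl_fix.txt above

# Constructed low-level (LL2) view mirroring the tables in the logs above:
# three NTFS partitions plus the active, hidden 0x17 partition at sector 625139712.
RAW_MBR = build_mbr([
    build_entry(0x00, 0x07, 112640, 204800),
    build_entry(0x00, 0x07, 317440, 126976000),
    build_entry(0x00, 0x07, 127293440, 497846272),
    build_entry(ACTIVE, 0x17, 625139712, 2720),
])
# Constructed "User" view: what the infected system was shown, partition 4 filtered out.
USER_MBR = build_mbr([
    build_entry(ACTIVE, 0x07, 112640, 204800),
    build_entry(0x00, 0x07, 317440, 126976000),
    build_entry(0x00, 0x07, 127293440, 497846272),
])

if __name__ == "__main__":
    print("user view matches low-level view:", views_match(USER_MBR, RAW_MBR))
    for sev, msg in detect(RAW_MBR, DISK_SECTORS):
        print(sev, msg)
    fixed = set_active(RAW_MBR, 1)
    print("after moving the boot flag to partition 1:", detect(fixed, DISK_SECTORS))
```

Note that moving the boot flag only removes the HIGH finding: the hidden partition is still present afterwards (exactly as the second parted listing in tdl_fix.txt shows, "hidden" without "boot"), so the MEDIUM finding stays until that partition is dealt with separately.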

#7
750steve

750steve

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 174 posts

Next

You may want to print out this part as you will not be able to view these instructions.

  • Download tdl_fix.sh and save it to the flash drive you were using.
  • Make sure the flash drive is attached to the sick computer.
  • The computer must be set to boot from the CD; depending on your computer you can either do this by pressing F12 and selecting the CD as the first boot option or it can be set in the BIOS
  • Once you have the computer set to boot from the CD allow it to boot
  • Boot into xPUD with the CD then click the File tab.
  • Press File
  • Expand mnt
  • Click on the folder under mnt that represents your USB drive (sdb1 ?)
  • You should see the tdl_fix.sh file in the main window.
  • Select Tool from the Menu
  • Choose Open Terminal
  • Type bash tdl_fix.sh then press Enter

    (note there is a space after bash and that is an underscore after tdl)
  • Read the warning then type y and press Enter to continue.
  • Type sda then press Enter when prompted.
  • You will be shown a list of partitions to choose marking active.
  • Type 1 then press Enter.
  • If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, please post back for further instructions. Just leave the computer running if you wish and use your other one to post.
  • If you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
  • The script will complete and prompt you to reboot the computer.
  • Close the Terminal window and restart back into Windows.


Pardon my daftness here but won't I still be able to see these instructions on my laptop?

Ok, I put the CD into the sick PC when it was still running, I switched it off but now F12 does nothing

Edited by 750steve, 11 February 2012 - 02:03 PM.

  • 0

#8
oldman960

oldman960

    Trusted Helper

  • Malware Removal
  • 123 posts
Hi 750steve,

Pardon my daftness here but won't i still be able to see these instructions on my laptop?

Yes you will. That line is a part of my canned and is intended for folks who only have one computer. I should have removed it but wasn't 100% certain if you had your laptop available.

You may need to set the boot order in the bios. One of the first screens will tell you which key you need to press to enter bios (sometimes called setup). Once you have entered the bios look for a heading similar to boot order. The instructions (which keys to use) for changing the order should be on the screen.
  • 0

#9
750steve

750steve

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 174 posts
Ok on the seeing instructions bit


I have the Dell startup screen F2 = Setup, F12 = Boot Menu, neither key works. I assume that's because I put the Boot CD in the sick PC when it was still switched on & it autoran which probably loaded the boot CD

What do i do now? I'm a computer numpty!!!
  • 0

#10
oldman960

oldman960

    Trusted Helper

  • Malware Removal
  • 123 posts
Hi 750steve,

For either key to work it must be pressed before windows loads. I'm assuming that is when you are pressing the key. If the boot cd loaded you would have been in xPUD.

Let's try this. Remove the CD and reboot the computer. Use the F2 key to enter the bios. Change the boot order to CD first harddrive second. The harddrive should be identified by the letter C:\

Once the changes are made and saved insert the cd and exit the bios. The computer should now boot to the CD.

Here's some example bios screens. They are not all the same but you should get an idea of what you are looking for.
  • 0


#11
750steve

750steve

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 174 posts
Hi again Oldman. I'm doing as you describe, I'm using the button on the PC to start up when the boot CD is not in the drive. The PC powers up & I'm furiously pressing F2 or F12 when & before the Dell screen appears. Neither key works to access the boot menu or Bios. I had been using F12 before to boot up my sick PC as the Rootkit was not letting it load normally, those keys just don't work now & I have no idea as to why, it doesn't make sense.

I have just now powered the sick PC off from the mains.
  • 0

#12
750steve

750steve

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 174 posts
The wall power off has worked, the Boot menu has been accessed, I will continue with your instructions above & report back

thank you
  • 0

#13
750steve

750steve

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 174 posts

Type bash tdl_fix.sh then press Enter

(note there is a space after bash and that is an underscore after tdl)

Read the warning then type y and press Enter to continue.
Type sda then press Enter when prompted.
You will be shown a list of partitions to choose marking active.
Type 1 then press Enter.
If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, please post back for further instructions. Just leave the computer running if you wish and use your other one to post.
If you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
The script will complete and prompt you to reboot the computer.
Close the Terminal window and restart back into Windows.


Ok, I have done all of the above so far. Just so I don't mess things up how do I reboot from xPUD? Looks like I REALLY don't wanna mess this up so simple questions become big ones! lol
Do I remove the boot CD we made & use the power off/on button on the PC?

Or..... 'Home' in xPUD then 'power off' ? (& do i remove the boot CD?)

Edited by 750steve, 11 February 2012 - 05:00 PM.

  • 0

#14
oldman960

oldman960

    Trusted Helper

  • Malware Removal
  • 123 posts
Hi 750steve,

Sorry about that, those instructions seem to be missing.

-Click the Home icon at top
-Remove the CD and click Power off
-Click restart
  • 0

#15
750steve

750steve

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 174 posts
Oldman.........I grew some balls! lol, here are the files

How do you mean

Please let me know how the computer is behaving

Avast! has just thrown up a "Rootkit Found" message


tdl_fix.txt file

2012-02-11-22:51:25

The following drives were found
sda
sdb
User has chosen drive sda
backing up mbr to tdl_mbr_sda.bin


Disk /dev/sda: 320.0 GB, 320072933376 bytes
255 heads, 63 sectors/track, 38913 cylinders, total 625142448 sectors
Units = sectors of 1 * 512 = 512 bytes

Device Boot Start End Blocks Id System
/dev/sda1 112640 317439 102400 7 HPFS/NTFS
Partition 1 does not end on cylinder boundary
/dev/sda2 317440 127293439 63488000 7 HPFS/NTFS
/dev/sda3 127293440 625139711 248923136 7 HPFS/NTFS
/dev/sda4 * 625139712 625142431 1360 17 Hidden HPFS/NTFS

Model: ATA Hitachi HDT72503 (scsi)
Disk /dev/sda: 320GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 57.7MB 163MB 105MB primary ntfs
2 163MB 65.2GB 65.0GB primary ntfs
3 65.2GB 320GB 255GB primary ntfs
4 320GB 320GB 1393kB primary ntfs boot, hidden


User has chosen to make partition 1 active

Model: ATA Hitachi HDT72503 (scsi)
Disk /dev/sda: 320GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 57.7MB 163MB 105MB primary ntfs boot
2 163MB 65.2GB 65.0GB primary ntfs
3 65.2GB 320GB 255GB primary ntfs
4 320GB 320GB 1393kB primary ntfs hidden


User has accepted changes



log.log file


Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=\Device\HarddiskVolume1
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {current}
resumeobject {2b47d2ca-0927-11df-9288-cd15d0be0c53}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 30

Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {2b47d2cc-0927-11df-9288-cd15d0be0c53}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {2b47d2ca-0927-11df-9288-cd15d0be0c53}
nx OptIn

Windows Boot Loader
-------------------
identifier {2b47d2cc-0927-11df-9288-cd15d0be0c53}
device ramdisk=[C:]\Recovery\2b47d2cc-0927-11df-9288-cd15d0be0c53\Winre.wim,{2b47d2cd-0927-11df-9288-cd15d0be0c53}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {bootloadersettings}
osdevice ramdisk=[C:]\Recovery\2b47d2cc-0927-11df-9288-cd15d0be0c53\Winre.wim,{2b47d2cd-0927-11df-9288-cd15d0be0c53}
systemroot \windows
nx OptIn
winpe Yes

Resume from Hibernate
---------------------
identifier {2b47d2ca-0927-11df-9288-cd15d0be0c53}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=\Device\HarddiskVolume1
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes

EMS Settings
------------
identifier {emssettings}
bootems Yes

Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {badmemory}

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}

Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}
{hypervisorsettings}

Hypervisor Settings
-------------------
identifier {hypervisorsettings}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}

Device options
--------------
identifier {2b47d2cd-0927-11df-9288-cd15d0be0c53}
description Ramdisk Options
ramdisksdidevice partition=C:
ramdisksdipath \Recovery\2b47d2cc-0927-11df-9288-cd15d0be0c53\boot.sdi

Edited by 750steve, 11 February 2012 - 05:31 PM.

  • 0
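
The instructions in #6 have you check the F10 'Edit Boot Options' line for a stray /minint switch and then dump the BCD store with `bcdedit /enum all`. As an added example (not part of this thread and not a Microsoft or Geeks to Go tool), the script below parses output in the shape of the log.log posted above and checks the three things a helper would read it for: that {bootmgr}'s default points at a listed loader, that every Windows Boot Loader entry's `path` is the stock winload.exe, and that no loader carries extra kernel switches. The clean sample is trimmed from the log.log above; the second loader entry with `loadoptions /MININT` is constructed, and the assumption that tampering would show up in the `loadoptions` element is mine, not something the thread demonstrates. Function names and the placeholder GUID are likewise constructed.

```python
import re

EXPECTED_LOADER_PATH = r"\windows\system32\winload.exe"


def parse_bcd(text):
    """Parse `bcdedit /enum all` style text into a list of (section_title, {element: value}).
    Sections are separated by blank lines and titled with a dashed underline; continuation
    lines of multi-valued elements such as `inherit` start with '{'."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2 or not set(lines[1]) <= {"-"}:
            continue                       # not a "Title / -----" section
        elements, last_key = {}, None
        for ln in lines[2:]:
            stripped = ln.strip()
            if stripped.startswith("{") and last_key:
                elements[last_key] += " " + stripped
                continue
            key, _, value = stripped.partition(" ")
            elements[key] = value.strip()
            last_key = key
        entries.append((lines[0], elements))
    return entries


def audit_bcd(text):
    """Return (severity, message) findings for the boot-manager default, loader paths
    and loader options. Assumption: a tampered loader would carry its extra kernel
    switch in `loadoptions` (a constructed case, not shown in the thread)."""
    findings = []
    entries = parse_bcd(text)
    loader_ids = {e.get("identifier") for title, e in entries if title == "Windows Boot Loader"}
    for title, e in entries:
        ident = e.get("identifier", "?")
        if title == "Windows Boot Manager" and e.get("default") not in loader_ids:
            findings.append(("HIGH", f"{ident}: default {e.get('default')} is not a listed boot loader"))
        if title != "Windows Boot Loader":
            continue
        if e.get("path", "").lower() != EXPECTED_LOADER_PATH:
            findings.append(("HIGH", f"{ident}: unexpected loader path {e.get('path')}"))
        opts = e.get("loadoptions", "")
        if "minint" in opts.lower():
            findings.append(("HIGH", f"{ident}: loadoptions contains /MININT"))
        elif opts:
            findings.append(("MEDIUM", f"{ident}: non-default loadoptions {opts}"))
    return findings


# Trimmed from the log.log posted above: boot manager, the Windows 7 loader, the WinRE loader.
CLEAN_BCD = r"""Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=\Device\HarddiskVolume1
description Windows Boot Manager
default {current}
displayorder {current}

Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
inherit {bootloadersettings}
osdevice partition=C:
systemroot \Windows
nx OptIn

Windows Boot Loader
-------------------
identifier {2b47d2cc-0927-11df-9288-cd15d0be0c53}
device ramdisk=[C:]\Recovery\2b47d2cc-0927-11df-9288-cd15d0be0c53\Winre.wim,{2b47d2cd-0927-11df-9288-cd15d0be0c53}
path \windows\system32\winload.exe
description Windows Recovery Environment
nx OptIn
winpe Yes
"""

# Constructed (hypothetical) extra loader carrying the /MININT switch the thread says to remove.
TAMPERED_BCD = CLEAN_BCD + r"""
Windows Boot Loader
-------------------
identifier {00000000-0000-0000-0000-000000000000}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7 (constructed tampered entry)
loadoptions /MININT
nx OptIn
"""

if __name__ == "__main__":
    print("clean log.log findings:", audit_bcd(CLEAN_BCD))
    for sev, msg in audit_bcd(TAMPERED_BCD):
        print(sev, msg)
```

Run against the real thing with `bcdedit /enum all > log.log` from an elevated prompt, exactly as in the instructions above, and feed the file's contents to `audit_bcd`; an empty result is what the posted log.log produces.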





