[kiketto]

Hi. I would appreciate some help, again
On Friday 22 March my laptop went mad!! I went away for 10 minutes and when I was back several pages of Chrome were open, Outlook was open, Dropbox, my webcam, etc.... It looked like my computer was used by someone else! Malwarebytes did recognise a trojan and deleted it, but my antivirus keeps on finding it since. Avira has already quarantined TR/Trash.Gen Trojan 4 times, last time just this morning. Also note that I have not been online since the first contamination!
This is my OTL log. I have run it with AVIRA and Malwarebytes both deactivated

Thanks for your help!

OTL logfile created on: 24/03/2012 14:40:50 - Run 2
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Annarita\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

759.36 Mb Total Physical Memory | 295.66 Mb Available Physical Memory | 38.93% Memory free
1.82 Gb Paging File | 1.30 Gb Available in Paging File | 71.39% Paging File free
Paging file location(s): C:\pagefile.sys 1140 2280 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.81 Gb Total Space | 21.71 Gb Free Space | 38.90% Space Free | Partition Type: NTFS
Drive E: | 249.72 Mb Total Space | 1.83 Mb Free Space | 0.73% Space Free | Partition Type: FAT

Computer Name: DOTTORELLA | User Name: Annarita | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/24 14:32:50 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Annarita\Desktop\OTL.exe
PRC - [2012/02/14 23:03:14 | 024,246,216 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Annarita\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/01/13 14:53:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/07/13 07:39:57 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/04/21 06:54:05 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011/04/21 06:53:48 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/04/21 06:53:33 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009/10/01 16:03:14 | 001,858,144 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2008/08/14 17:15:46 | 002,407,184 | ---- | M] () -- C:\Program Files\Logitech\QuickCam\Quickcam.exe
PRC - [2008/08/14 17:11:48 | 000,565,008 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
PRC - [2008/08/14 17:11:14 | 000,447,248 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
PRC - [2008/07/26 08:25:36 | 000,150,040 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2008/07/26 08:23:42 | 000,186,904 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/14 17:41:17 | 000,081,920 | R--- | M] () -- C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
PRC - [2007/03/26 12:06:24 | 000,292,864 | ---- | M] (Nokia.) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
PRC - [2007/03/23 12:20:52 | 000,227,328 | ---- | M] (Nokia) -- C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
PRC - [2005/05/10 12:31:22 | 000,241,664 | ---- | M] (Stardock) -- C:\Program Files\Common Files\stardock\SDMCP.exe
PRC - [2005/01/14 18:54:48 | 000,479,232 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
PRC - [2004/11/30 18:09:34 | 000,253,952 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
PRC - [2004/10/30 13:59:54 | 000,385,024 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2004/10/14 03:13:58 | 000,450,560 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
PRC - [2004/09/07 15:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2004/09/07 15:08:02 | 000,389,120 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2004/09/07 15:03:40 | 000,245,760 | ---- | M] (Intel) -- C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
PRC - [2004/08/04 03:56:32 | 001,445,912 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2004/05/13 23:23:56 | 000,098,304 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2004/04/01 17:05:48 | 000,077,824 | ---- | M] (Broadcom Corp.) -- C:\WINDOWS\system32\BAsfIpM.exe


========== Modules (No Company Name) ==========

MOD - [2010/06/17 14:27:22 | 000,355,688 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2008/08/14 17:22:36 | 000,112,912 | ---- | M] () -- C:\Program Files\Logitech\QuickCam\LAppRes.DLL
MOD - [2008/08/14 17:15:46 | 002,407,184 | ---- | M] () -- C:\Program Files\Logitech\QuickCam\Quickcam.exe
MOD - [2008/08/14 17:13:30 | 000,149,264 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LComMgr\LogiVOIPDevicePlugin.dll
MOD - [2008/08/14 17:13:08 | 000,165,136 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LComMgr\LogiCordless4001.dll
MOD - [2008/08/14 17:13:08 | 000,138,000 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LComMgr\LogiCordless.dll
MOD - [2008/08/14 17:12:10 | 000,167,184 | ---- | M] () -- C:\Program Files\Logitech\QuickCam\EFVal.dll
MOD - [2008/08/14 17:11:48 | 000,565,008 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
MOD - [2008/08/14 17:11:48 | 000,345,872 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LComMgr\DevMngr.dll
MOD - [2008/07/26 08:24:04 | 000,068,120 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVCSPS.dll
MOD - [2008/01/14 17:41:17 | 000,081,920 | R--- | M] () -- C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
MOD - [2005/07/26 22:06:19 | 000,051,716 | ---- | M] () -- C:\WINDOWS\system32\pdf995mon.dll
MOD - [2004/10/02 06:13:24 | 000,045,056 | ---- | M] () -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtLoad.dll
MOD - [2004/09/23 02:09:06 | 000,065,536 | ---- | M] () -- C:\WINDOWS\system32\TosCommAPI.dll
MOD - [2004/09/07 15:03:46 | 000,073,728 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\D8021Xps.DLL
MOD - [2004/07/21 09:04:02 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\TosBtHcrpAPI.dll
MOD - [2003/07/30 07:33:26 | 000,061,440 | ---- | M] () -- C:\WINDOWS\system32\TosHidAPI.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/07/13 07:39:57 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/04/21 06:53:48 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/10/01 16:03:14 | 001,858,144 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files\a-squared Free\a2service.exe -- (a2free)
SRV - [2008/07/26 08:25:36 | 000,150,040 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2008/07/26 08:23:42 | 000,186,904 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe -- (LVCOMSer)
SRV - [2008/01/14 17:41:17 | 000,081,920 | R--- | M] () [Auto | Running] -- C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe -- (Autorun CDROM Monitor)
SRV - [2007/03/26 12:06:24 | 000,292,864 | ---- | M] (Nokia.) [On_Demand | Running] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2004/09/07 15:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER)
SRV - [2004/08/04 03:56:32 | 001,445,912 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2004/04/01 17:05:48 | 000,077,824 | ---- | M] (Broadcom Corp.) [Auto | Running] -- C:\WINDOWS\system32\BAsfIpM.exe -- (BAsfIpM)


========== Driver Services (SafeList) ==========

DRV - File not found [Adapter | On_Demand | Unknown] -- -- (Winsock - Google Desktop Search Backup Before Last Install)
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (Winsock - Google Desktop Search Backup Before First Install)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Annarita\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (bvrp_pci)
DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/07/13 07:40:05 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/07/13 07:40:04 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/06/17 14:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/09/02 08:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2008/07/26 15:26:54 | 000,023,832 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2008/07/26 15:26:42 | 004,658,584 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) QuickCam Pro for Notebooks(UVC)
DRV - [2008/07/26 15:26:20 | 000,041,752 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/07/26 15:25:46 | 000,627,864 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2008/07/26 08:25:02 | 000,025,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2008/05/02 09:58:28 | 000,008,064 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2008/05/02 09:58:14 | 000,020,864 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2008/05/02 09:58:14 | 000,008,064 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2008/05/02 09:58:12 | 000,017,536 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2008/04/13 18:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2008/04/03 13:36:54 | 000,110,080 | ---- | M] (ONDA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ONDAusbnet.sys -- (ONDAusbnet)
DRV - [2008/04/03 13:36:54 | 000,104,960 | ---- | M] (ONDA Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ONDAusbser6k.sys -- (ONDAusbser6k)
DRV - [2008/04/03 13:36:54 | 000,104,960 | ---- | M] (ONDA Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ONDAusbnmea.sys -- (ONDAusbnmea)
DRV - [2008/04/03 13:36:54 | 000,104,960 | ---- | M] (ONDA Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ONDAusbmdm6k.sys -- (ONDAusbmdm6k)
DRV - [2007/02/22 09:15:14 | 000,012,288 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdcm.sys -- (nmwcdcm)
DRV - [2007/02/22 09:15:14 | 000,012,288 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdcj.sys -- (nmwcdcj)
DRV - [2006/05/08 07:56:50 | 000,018,944 | R--- | M] (WideView Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BDA_Loader_225.sys -- (BDA_Loader_225)
DRV - [2006/04/04 15:36:30 | 000,014,592 | R--- | M] (WideViewer Electronics CO., LTD) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BDA_Capture_225.sys -- (BDA_Capture_225)
DRV - [2005/03/10 21:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2005/02/23 13:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2005/01/17 12:13:28 | 000,098,304 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfbd.sys -- (Tosrfbd)
DRV - [2005/01/08 17:15:40 | 000,051,582 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tosporte.sys -- (tosporte)
DRV - [2005/01/07 05:42:42 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
DRV - [2004/12/22 03:38:12 | 000,034,816 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2004/12/16 09:30:14 | 000,050,048 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfSnd.sys -- (TosRfSnd) Bluetooth Audio Device (WDM)
DRV - [2004/11/16 14:51:54 | 000,050,048 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfhid.sys -- (Tosrfhid)
DRV - [2004/10/21 19:56:04 | 003,210,496 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2004/10/05 02:33:02 | 000,062,799 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2004/09/03 16:23:38 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/08/31 07:53:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/08/18 13:53:54 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\APPDRV.SYS -- (APPDRV)
DRV - [2004/08/12 07:44:04 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/08/04 03:54:32 | 000,269,387 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2004/07/09 09:07:34 | 000,036,531 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (Tosrfbnp)
DRV - [2004/06/17 19:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/06/17 19:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 19:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/02/13 15:46:00 | 000,017,153 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
DRV - [2003/07/24 17:55:50 | 000,139,604 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2003/05/01 12:26:34 | 000,005,220 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2003/04/24 15:21:50 | 000,006,025 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\BASFND.sys -- (BASFND)
DRV - [2002/10/17 05:55:48 | 000,002,851 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Toshidpt.sys -- (toshidpt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.repubblica.it/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\SearchScopes,DefaultScope = {66FD1EFA-EEED-4E00-9AF9-65099D05DFDC}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{66FD1EFA-EEED-4E00-9AF9-65099D05DFDC}: "URL" = http://www.google.co...1I7GGLG_enIT318
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google.co.uk"
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.46: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.46: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.46: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Annarita\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Annarita\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/04/06 09:26:10 | 000,000,000 | ---D | M]

[2006/12/21 22:13:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Annarita\Application Data\Mozilla\Firefox\Profiles\0frkzfjk.default\extensions
[2009/04/11 22:09:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/08/03 06:25:03 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}
[2008/04/06 09:26:10 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD
[2007/01/08 08:50:18 | 002,111,096 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\NPSWF32.dll
[2007/08/13 16:29:21 | 000,000,703 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\GoogleDesktopMozilla.png
[2007/08/13 16:29:21 | 000,000,531 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\GoogleDesktopMozilla.src

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\Annarita\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Annarita\Local Settings\Application Data\Google\Chrome\Application\17.0.963.79\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Annarita\Local Settings\Application Data\Google\Chrome\Application\17.0.963.79\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Annarita\Local Settings\Application Data\Google\Chrome\Application\17.0.963.79\pdf.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\PFiles\Plugins\np-mswmp.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Java™ Platform SE 6 U30 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2012/03/23 14:43:19 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll File not found
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe ()
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam\Quickcam.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe (Nokia)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)
O4 - Startup: C:\Documents and Settings\Annarita\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Annarita\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} http://www.symantec....trl/tgctlsi.cab (Reg Error: Key error.)
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} http://www.symantec....trl/tgctlsr.cab (Reg Error: Key error.)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.euro....iler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} http://assets.photob...?20090923130347 (PhotoboxPhotowaysUploader5 Control)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/viewers/ipixx.cab (iPIX ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.micros...ntent/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} http://www.slide.com...ageUploader.cab (Slide Image Uploader Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1149329594265 (MUWebControl Class)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} https://212.135.224....emote/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} http://support.euro....er/PROFILER.CAB (DmiReader Class)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn...pdownloader.cab (MsnMessengerSetupDownloadControl Class)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} http://www.symantec....rl/SymAData.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - (C:\Program Files\Intel\Wireless\Bin\LgNotify.dll) - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O20 - Winlogon\Notify\MCPClient: DllName - (C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll) - C:\Program Files\Common Files\stardock\MCPStub.dll (Stardock)
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - C:\Program Files\Common Files\stardock\MCPCore.dll (Stardock)
O24 - Desktop Components:1 () - C:\Documents and Settings\Annarita\Desktop\desktop counter.html
O24 - Desktop WallPaper: C:\Documents and Settings\Annarita\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Annarita\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 16:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/24 14:39:28 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Annarita\Desktop\OTL.exe
[2012/03/23 14:20:28 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Annarita\Start Menu\Programs\Administrative Tools
[2012/03/22 14:53:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData

========== Files - Modified Within 30 Days ==========

[2578/07/10 16:44:28 | 000,003,120 | ---- | M] () -- C:\WINDOWS\MF_C421.lfa
[2578/07/10 16:44:28 | 000,003,120 | ---- | M] () -- C:\WINDOWS\MF_C420.lfa
[2012/03/24 14:52:13 | 000,000,990 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1200048463-1774062163-2153909904-1005UA.job
[2012/03/24 14:49:18 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/24 14:32:50 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Annarita\Desktop\OTL.exe
[2012/03/24 14:22:50 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/24 14:22:49 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/24 14:19:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/24 14:19:25 | 796,319,744 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/24 13:58:00 | 000,000,820 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2012/03/23 14:43:19 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/03/23 09:52:03 | 000,000,938 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1200048463-1774062163-2153909904-1005Core.job
[2012/03/15 12:21:48 | 000,162,728 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/15 11:29:06 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/14 14:15:28 | 000,133,928 | ---- | M] () -- C:\Documents and Settings\Annarita\Desktop\Renewal letter.PDF
[2012/03/12 22:00:16 | 000,002,287 | ---- | M] () -- C:\Documents and Settings\Annarita\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/03/12 22:00:15 | 000,002,309 | ---- | M] () -- C:\Documents and Settings\Annarita\Desktop\Google Chrome.lnk
[2012/03/12 20:55:30 | 000,087,960 | ---- | M] () -- C:\Documents and Settings\Annarita\My Documents\Sheilas' Wheels - Policy Details.pdf
[2012/03/11 17:42:18 | 000,001,027 | ---- | M] () -- C:\Documents and Settings\Annarita\Start Menu\Programs\Startup\Dropbox.lnk
[2012/03/11 17:42:17 | 000,001,027 | ---- | M] () -- C:\Documents and Settings\Annarita\Desktop\Dropbox.lnk

========== Files Created - No Company Name ==========

[2578/07/10 16:44:28 | 000,003,120 | ---- | C] () -- C:\WINDOWS\MF_C421.lfa
[2578/07/10 16:44:28 | 000,003,120 | ---- | C] () -- C:\WINDOWS\MF_C420.lfa
[2012/03/14 14:15:58 | 000,133,928 | ---- | C] () -- C:\Documents and Settings\Annarita\Desktop\Renewal letter.PDF
[2012/03/12 20:55:29 | 000,087,960 | ---- | C] () -- C:\Documents and Settings\Annarita\My Documents\Sheilas' Wheels - Policy Details.pdf
[2012/02/21 15:19:30 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/12/14 14:20:44 | 000,038,483 | ---- | C] () -- C:\Documents and Settings\Annarita\Application Data\Comma Separated Values (Windows).ADR
[2010/06/19 16:41:54 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

========== LOP Check ==========

[2007/09/05 22:18:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2007/09/06 19:45:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2012/02/01 08:44:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2007/05/27 10:21:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RedLux
[2010/01/07 19:37:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spamihilator
[2010/02/22 20:25:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2007/01/01 14:44:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2007/09/02 16:57:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annarita\Application Data\DataLayer
[2012/03/24 14:24:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annarita\Application Data\Dropbox
[2005/08/04 20:34:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annarita\Application Data\Leadertech
[2011/11/15 16:32:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annarita\Application Data\Nokia
[2007/09/06 19:44:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annarita\Application Data\Nokia Multimedia Player
[2010/04/01 08:50:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annarita\Application Data\Opera
[2009/04/04 21:22:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annarita\Application Data\PC Suite
[2005/07/26 22:11:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annarita\Application Data\pdf995
[2010/09/11 19:40:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annarita\Application Data\Spamihilator
[2006/02/03 19:22:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annarita\Application Data\Toshiba
[2010/02/22 20:26:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annarita\Application Data\Trusteer

========== Purity Check ==========



< End of report >

[Advertisements]

Hello and welcome to the Geeks to Go Virus, Spyware & Malware Removal forum. My name is Josh and I will be helping you remove your infection. I am only human not superman - I can make errors but will do my best to help you as best I can so we can solve your problems.

Some of the following instructions to begin the malware removal process can be hard to follow - let me know if you have any questions. Please read all of my responses through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also please do not attempt any disinfection procedures without my instruction as things can go wrong that way.

One more thing - please refrain from using your computer until it is disinfected unless you absolutely have to (unless you are following my disinfection procedures) - when you are using it the current malware infection could propagate further infections - forcing us to do a second or even third round of disinfection after the first. If you do have to use it please disconnect it from the Internet - that way the current malware cannot propagate further infections.

I will get back to you soon with further instructions. Expect no more than 36 hours between your post and my response unless World War 3 breaks out and I will need at most 48 hours for initial analysis of your OTL log. Good luck!

[Crag_Hack]

Hello and welcome to the Geeks to Go Virus, Spyware & Malware Removal forum. My name is Josh and I will be helping you remove your infection. I am only human not superman - I can make errors but will do my best to help you as best I can so we can solve your problems.

Some of the following instructions to begin the malware removal process can be hard to follow - let me know if you have any questions. Please read all of my responses through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also please do not attempt any disinfection procedures without my instruction as things can go wrong that way.

One more thing - please refrain from using your computer until it is disinfected unless you absolutely have to (unless you are following my disinfection procedures) - when you are using it the current malware infection could propagate further infections - forcing us to do a second or even third round of disinfection after the first. If you do have to use it please disconnect it from the Internet - that way the current malware cannot propagate further infections.

I will get back to you soon with further instructions. Expect no more than 36 hours between your post and my response unless World War 3 breaks out and I will need at most 48 hours for initial analysis of your OTL log. Good luck!

[kiketto]

Hi Josh. Thanks for your reply! I will wait for your next instructions then!

[Crag_Hack]

Hello kiketto. I finished analyzing your OTL log. There are several files we'll take a closer look at to make sure they're clean. Also we will run a utility called aswMBR to check for infections prevalent these days. Please do the following:

Step 1

• Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Click the None button.
• Paste this into the Custom Scans/Fixes section:
  

  C:\WINDOWS\system32\pdf995mon.dll /md5
  C:\WINDOWS\System32\iacenc.dll /md5
  C:\WINDOWS\System32\d3d9caps.dat /md5

• Click the Run Scan button. The scan wont take long.
• When the scan completes, it will open a notepad window - OTL.Txt.
• Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it in your topic

Step 2

• Download aswMBR.exe ( 1870KB ) to your desktop.
• Double click the aswMBR.exe to run it
• It will ask you if you want to download the latest Avast! virus definitions, answer no
  
  
  
• Click the Scan button to start scan
  
  
  
• On completion of the scan click Save log, save it to your desktop and post in your next reply

Things to see in your next post:
OTL log
aswMBR log

[kiketto]

Here they are

OTL logfile created on: 26/03/2012 21:59:35 - Run 3
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Annarita\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

759.36 Mb Total Physical Memory | 251.20 Mb Available Physical Memory | 33.08% Memory free
1.82 Gb Paging File | 1.26 Gb Available in Paging File | 69.65% Paging File free
Paging file location(s): C:\pagefile.sys 1140 2280 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.81 Gb Total Space | 21.72 Gb Free Space | 38.92% Space Free | Partition Type: NTFS

Computer Name: DOTTORELLA | User Name: Annarita | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< C:\WINDOWS\System32\d3d9caps.dat /md5 >
[2012/01/15 15:28:40 | 000,000,664 | ---- | M] () MD5=11462A18840F5F5EA0C8F2E24A8C7DFD -- C:\WINDOWS\System32\d3d9caps.dat

< C:\WINDOWS\System32\iacenc.dll /md5 >
[2012/01/11 20:06:47 | 000,003,072 | ---- | M] () MD5=C30B851A482C4549125F4209788791E6 -- C:\WINDOWS\System32\iacenc.dll

< C:\WINDOWS\System32\pdf995mon.dll /md5 >
[2005/07/26 23:06:19 | 000,051,716 | ---- | M] () MD5=5239F6D7205474B5CC9DCDC6813AF98A -- C:\WINDOWS\System32\pdf995mon.dll

< End of report >

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-26 22:42:11
-----------------------------
22:42:11.390 OS Version: Windows 5.1.2600 Service Pack 3
22:42:11.390 Number of processors: 1 586 0xD06
22:42:11.390 ComputerName: DOTTORELLA UserName: Annarita
22:42:12.640 Initialize success
22:42:26.875 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:42:26.875 Disk 0 Vendor: TOSHIBA_MK6006GAH BZ002A Size: 57231MB BusType: 3
22:42:26.906 Disk 0 MBR read successfully
22:42:26.906 Disk 0 MBR scan
22:42:26.906 Disk 0 Windows XP default MBR code
22:42:26.906 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 78 MB offset 63
22:42:26.921 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 57145 MB offset 160650
22:42:26.921 Disk 0 scanning sectors +117194175
22:42:27.015 Disk 0 scanning C:\WINDOWS\system32\drivers
22:42:42.937 Service scanning
22:43:09.593 Modules scanning
22:43:26.140 Disk 0 trace - called modules:
22:43:26.187 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
22:43:26.187 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83b8aab8]
22:43:26.718 3 CLASSPNP.SYS[f7616fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x83b2a940]
22:43:26.718 Scan finished successfully
22:43:52.515 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
22:43:52.796 The log file has been saved successfully to "E:\aswMBR.txt"

[Crag_Hack]

Hi kiketto, it looks like if there is malware it's hiding from us so we will pull out the big gun to see if that helps. Here's combofix! And also we will upload a file to see if it's legit or not.

Step 1

Download and Install Combofix - you can temporarily connect to the Internet for this procedure

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
Also please make sure to take note of anything ComboFix says during the course of its run especially if related to your infection and report to me in your next post.

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow to update if it asks - if the update succeeds combofix will restart - if not it will continue with the current copy
  
  
  
  
  
  
  
• Answer yes to install the Recovery Console if it asks and yes to scan for malware afterwards if prompted
  
  
  
  
  
• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Step 2

There are several suspicious files on your machine that might or might not be malware. We will scan them to verify. Let me know if you have any trouble following these instructions. Please do the following:

• Go to this site
• Click the browse button on the top of the page
• Navigate to this file C:\WINDOWS\System32\pdf995mon.dll and click the open button
• Click the Upload button
• If a pop-up appears saying the file has been scanned already, please select the ReScan button
• Once the Scan is completed, click on the Copy to Clipboard button at the bottom of the page. This will copy the report into the Clipboard.
• Paste the contents of the Clipboard in your next reply.

Things to see in your next post:
Combofix log
virscan upload result

[kiketto]

Hi Josh. I have run both applications as requested. After running Combofix the computer seems to be a bit slower.
These are the logs. Thanks again! Annarita


ComboFix 12-03-27.03 - Annarita 27/03/2012 22:05:36.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.759.287 [GMT 1:00]
Running from: c:\documents and settings\Annarita\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-02-27 to 2012-03-27 )))))))))))))))))))))))))))))))
.
.
2012-03-22 14:53 . 2012-03-22 14:54 -------- d-----w- c:\windows\system32\NtmsData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-23 09:18 . 2009-11-06 21:01 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-03 09:22 . 2004-08-11 16:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-21 15:19 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2004-08-11 16:11 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2007-08-13 16:29 . 2007-08-13 16:29 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Annarita\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Annarita\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Annarita\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Annarita\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-20 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Christian\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [N/A]
.
c:\documents and settings\Annarita\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Annarita\Application Data\Dropbox\bin\Dropbox.exe [2012-2-15 24246216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-1-14 479232]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2005-7-21 1445904]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-24 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\documents and settings\Annarita\Desktop\desktop counter.html
FriendlyName=
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 15:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 ----a-w- c:\progra~1\COMMON~1\stardock\MCPStub.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Annarita\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [18/12/2009 00:23 1858144]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [06/11/2009 21:49 136360]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [22/12/2008 18:43 81920]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [16/01/2010 00:39 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [16/01/2010 00:38 20464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/02/2010 19:20 135664]
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\drivers\BDA_Capture_225.sys [04/07/2006 17:22 14592]
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\system32\drivers\BDA_Loader_225.sys [04/07/2006 17:21 18944]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/02/2010 19:20 135664]
S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\drivers\ONDAusbmdm6k.sys [22/12/2008 18:46 104960]
S3 ONDAusbnet;ONDA USB-NDIS miniport;c:\windows\system32\drivers\ONDAusbnet.sys [22/12/2008 18:46 110080]
S3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\drivers\ONDAusbnmea.sys [22/12/2008 18:46 104960]
S3 ONDAusbser6k;ONDA Diagnostic Port;c:\windows\system32\drivers\ONDAusbser6k.sys [22/12/2008 18:46 104960]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-24 19:12]
.
2012-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 18:20]
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 18:20]
.
2012-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1200048463-1774062163-2153909904-1005Core.job
- c:\documents and settings\Annarita\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-20 20:35]
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1200048463-1774062163-2153909904-1005UA.job
- c:\documents and settings\Annarita\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-20 20:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.repubblica.it/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20090923130347
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-27 22:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1156)
c:\progra~1\COMMON~1\Stardock\mcpstub.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
- - - - - - - > 'explorer.exe'(7712)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\documents and settings\Annarita\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\progra~1\COMMON~1\stardock\MCPCore.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\progra~1\COMMON~1\Stardock\SDMCP.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\basfipm.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
.
**************************************************************************
.
Completion time: 2012-03-27 22:40:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-27 21:40
ComboFix2.txt 2012-03-24 11:29
.
Pre-Run: 23,241,273,344 bytes free
Post-Run: 23,197,073,408 bytes free
.
- - End Of File - - AC4C3C7F3AE368AA098661B5BD59BE33

VirSCAN.org Scanned Report :
Scanned time : 2012/03/27 22:58:23 (BST)
Scanner results: Scanners did not find malware!
File Name : pdf995mon.dll
File Size : 51716 byte
File Type : PE32 executable for MS Windows (DLL) (native) Intel 80386 32
MD5 : 5239f6d7205474b5cc9dcdc6813af98a
SHA1 : 7358428f2fc8714294cf90d1546b59a90b960899
Online report : http://r.virscan.org...1f2a45b737d5fe4

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120327210248 2012-03-27 6.74 -
AhnLab V3 2012.03.26.00 2012.03.26 2012-03-26 3.28 -
AntiVir 8.2.10.24 7.11.25.222 2012-03-22 0.18 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.27 -
Arcavir 2011 201203271258 2012-03-27 3.79 -
Authentium 5.1.1 201203271624 2012-03-27 1.44 -
AVAST! 4.7.4 120327-1 2012-03-27 0.17 -
AVG 12.0.1782 2114/4897 2012-03-27 0.26 -
BitDefender 7.90123.6969119 7.41595 2012-03-25 3.54 -
ClamAV 0.97.3 14709 2012-03-28 0.17 -
Comodo 5.1 11922 2012-03-27 2.72 -
CP Secure 1.3.0.5 2012.03.28 2012-03-28 0.21 -
Dr.Web 7.0.1.2210 2012.03.26 2012-03-26 13.68 -
F-Prot 4.6.2.117 20120327 2012-03-27 0.83 -
F-Secure 7.02.73807 2012.02.07.03 2012-02-07 2.54 -
Fortinet 4.3.392 15.356 2012-03-27 0.22 -
GData 22.4441 20120328 2012-03-28 6.30 -
ViRobot 20120327 2012.03.27 2012-03-27 0.50 -
Ikarus T3.1.32.20.0 2012.03.27.80819 2012-03-27 4.91 -
JiangMin 13.0.900 2012.03.27 2012-03-27 2.92 -
Kaspersky 5.5.10 2012.03.27 2012-03-27 0.29 -
KingSoft 2009.2.5.15 2012.3.27.14 2012-03-27 1.17 -
McAfee 5400.1158 6662 2012-03-27 8.65 -
Microsoft 1.8202 2012.03.27 2012-03-27 3.93 -
NOD32 3.0.21 7004 2012-03-27 0.19 -
Panda 9.05.01 2012.03.27 2012-03-27 2.83 -
Trend Micro 9.500-1005 8.868.03 2012-03-27 0.20 -
Quick Heal 11.00 2012.03.27 2012-03-27 1.19 -
Rising 20.0 24.03.01.01 2012-03-27 3.10 -
Sophos 3.29.0 4.75 2012-03-28 5.62 -
Sunbelt 3.9.2530.2 11718 2012-03-27 0.95 -
Symantec 1.3.0.24 20120325.018 2012-03-25 0.29 -
nProtect 20120327.01 10996282 2012-03-27 1.48 -
The Hacker 6.7.0.1 v00433 2012-03-25 0.71 -
VBA32 3.12.16.4 20120327.0721 2012-03-27 3.28 -
VirusBuster 5.4.1.9 14.1.282.0/82429732012-03-27 0.18 -

[Crag_Hack]

Hello kiketto. There are no obvious signs of infection so we will run a scan using ESET's online scanner and MBAM to see what they pick up. For ESET we will upgrade your Java. Afterwards try using your computer and see if you still have any symptoms.

The following instructions are for running a scan using ESET anti-virus via an online implementation and a scan with Malwarebytes' Anti-Malware (they are free). These scans will find any remaining infections that aren't already cleaned.

Step 1

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java :
Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.
• Open JavaRa.exe again and select Search For Updates.
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button.
• Scroll to the middle of the page where it says Java SE 6 Update 31. Click the download button below where it says JRE
• Click to accept the license agreement
• Click the download link to the right of where it says Windows x86 Offline
• Once downloaded install

Step 3

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

• Tick the box next to YES, I accept the Terms of Use
• Click Start
• When asked, allow the ActiveX control to install
• Click Start
• Make sure that the options Remove found threats and the options Scan unwanted applications and Enable Anti-Stealth technology (both under Advanced settings) are checked
• Click Start (This scan can take several hours, so please be patient)
• Once the scan is completed, you may close the window
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic

Things to see in your next post:
MBAM log
ESET log

[kiketto]

Thanks Josh. I have already got a licenced version of MBAM. shall i just proceed with, a scan as usual? Thanks!

[Crag_Hack]

Make sure your MBAM program version and definitions are up to date. Then go for it!

[kiketto]

Hi Josh

Before running MBAM I downloaded Javra, but by mistake I also downloaded (and not installed it) a pdf creator. MBAM deteted a malware. This is the log

2012/03/30 08:57:55 +0100 DOTTORELLA Annarita DETECTION C:\Documents and Settings\Annarita\My Documents\Downloads\PDFReaderSetup (1).exe Adware.Agent ALLOW
2012/03/30 08:57:56 +0100 DOTTORELLA Annarita DETECTION C:\Documents and Settings\Annarita\My Documents\Downloads\PDFReaderSetup (1).exe Adware.Agent ALLOW
2012/03/30 08:57:57 +0100 DOTTORELLA Annarita DETECTION C:\Documents and Settings\Annarita\My Documents\Downloads\PDFReaderSetup (1).exe Adware.Agent ALLOW
2012/03/30 08:58:10 +0100 DOTTORELLA Annarita DETECTION C:\Documents and Settings\Annarita\My Documents\Downloads\PDFReaderSetup.exe Adware.Agent ALLOW
2012/03/30 08:58:14 +0100 DOTTORELLA Annarita DETECTION C:\Documents and Settings\Annarita\My Documents\Downloads\PDFReaderSetup (1).exe Adware.Agent ALLOW
2012/03/30 08:58:25 +0100 DOTTORELLA Annarita DETECTION C:\Documents and Settings\Annarita\My Documents\Downloads\PDFReaderSetup (1).exe Adware.Agent ALLOW
2012/03/30 08:58:25 +0100 DOTTORELLA Annarita DETECTION C:\Documents and Settings\Annarita\My Documents\Downloads\PDFReaderSetup (1).exe Adware.Agent ALLOW
2012/03/30 08:58:27 +0100 DOTTORELLA Annarita DETECTION C:\Documents and Settings\Annarita\My Documents\Downloads\PDFReaderSetup (1).exe Adware.Agent ALLOW
2012/03/30 08:58:33 +0100 DOTTORELLA Annarita DETECTION C:\Documents and Settings\Annarita\My Documents\Downloads\PDFReaderSetup.exe Adware.Agent ALLOW
2012/03/30 08:58:33 +0100 DOTTORELLA Annarita DETECTION C:\Documents and Settings\Annarita\My Documents\Downloads\PDFReaderSetup.exe Adware.Agent ALLOW
2012/03/30 08:58:36 +0100 DOTTORELLA Annarita DETECTION c:\documents and settings\annarita\my documents\downloads\pdfreadersetup.exe Adware.Agent ALLOW

I could not update Java, I got the following error message internal error 2753. regutils.dll
I had no problem in running ESET. I have attached the logs in the next post. Thanks for your help.

[Crag_Hack]

Please do not attach the logs rather copy the contents into your post thanks.

[kiketto]

Malwarebytes Anti-Malware (PRO) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.30.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Annarita :: DOTTORELLA [administrator]

Protection: Enabled

30/03/2012 09:43:21
mbam-log-2012-03-30 (09-43-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219465
Time elapsed: 13 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f62a445ebd914240ab01877036025b1b
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-03-30 02:22:21
# local_time=2012-03-30 03:22:21 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 16775125 100 100 16922 108000198 13170 0
# compatibility_mode=8192 67108863 100 0 435 435 0 0
# scanned=89504
# found=3
# cleaned=3
# scan_time=6510
C:\Documents and Settings\Annarita\Application Data\Sun\Java\Deployment\cache\6.0\50\38104072-7c437adf probably a variant of Java/TrojanDownloader.Agent.AB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000177.exe a variant of Win32/InstallCore.N application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000178.exe a variant of Win32/InstallCore.N application (deleted - quarantined) 00000000000000000000000000000000 C

[Crag_Hack]

Hi Kiketto. Your MBAM log is obviously clean while your ESET log picked up a trojan. Could be the culprit. We will now clear your temporary files and see what problems remain. Please do the following then use your computer for a couple hours and see if any symptoms remain.

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Then post the produced log (it will be in C:\_OTL\MovedFiles with a filename beginning with the date)

[kiketto]

Hi Josh

Things don't seem to have gone as expected. I run OTL copying and pasting your commands, and soon after I got an error message form MBAM saying that Malwarebytes had incurred an error and had to close. This message appeared several times. I did not touch the pc and let it run overnight. This morning I could not access it and I had to force close it. OTl had produced no log, but the folder that should have contained it was created. I am not sure myself what went wrong... any help would be appreciated
Thanks