Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Cannot run/update malware programs after removing Live Platinum Securi

Started by earthwing , Aug 09 2012 04:06 PM

  • Please log in to reply

#1
earthwing
Posted 09 August 2012 - 04:06 PM

earthwing

    New Member

  • Member
  • Pip
  • 9 posts
Hi,

My problems began when my PC picked up Live Platinum Security,which immediately played havoc with the comp,preventing programs,including Firefox and even task manager from running.After booting in safe mode,I was able to run an Avira scan which detected and quarantined several infections.Once back in normal mode everything seemed fine,except my desktop icons wouldnt remain in place,and my folder views were all messed up,and wouldn't 'remember'. Restoring the registry from an ERUNT file made a week earlier,however,fixed this issue and all was well..for a couple of hours when Avira suddenly - and briefly - alerted the presence of a rootkit,before shutting down by itself.Zone Alarm also shutdown,and neither would respond.
A reboot took a long time before any desktop appeared,and a look at task manager showed two items running I've never seen before - nxwainsm.exe and vscfglqg.exe - both of these eventually disappeared from taskmanager,although the former keeps returning to the temp folder with very reboot,even after deleting,and the latter remains on the msconfig startup list even after disabling.
As of this posting,a tdss killer scan showed an anomaly which it cleared,and the comp now boots faster,malwarebytes wont run unless I open the program folder and rename the mbam exe to something else - it then updates but a full scan showed nothing.
Superantispyware will open normally,but fails to update and again a scan shows nothing.Spybot will not open and Avira doesnt run automatically,has to be started manually at boot up.Finally,unable to access the home sites of malwarebytes,superantispyware,etc.
Your help would be greatly appreciated! OTL logs follow (for some reason two logs were created,one called extras,so both are provided)
Many thanks.

OTL logfile created on: 09/08/2012 22:34:21 - Run 1
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Documents and Settings\CHRIS\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1023.48 Mb Total Physical Memory | 364.27 Mb Available Physical Memory | 35.59% Memory free
2.41 Gb Paging File | 1.69 Gb Available in Paging File | 70.11% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.80 Gb Total Space | 42.88 Gb Free Space | 38.36% Space Free | Partition Type: NTFS

Computer Name: CHRIS-3961AAA10 | User Name: CHRIS | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/08/09 22:28:36 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\CHRIS\Desktop\OTL.exe
PRC - [2012/08/08 21:48:47 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012/06/14 23:20:13 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/05/08 22:20:08 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2012/05/08 22:20:06 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2012/05/08 22:20:06 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011/12/21 00:41:44 | 006,676,808 | ---- | M] (COMODO) -- C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
PRC - [2011/12/19 18:59:00 | 001,960,584 | ---- | M] (COMODO) -- C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
PRC - [2011/11/23 11:27:04 | 001,052,472 | ---- | M] (COMODO) -- C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLS.exe
PRC - [2011/11/23 11:27:04 | 000,992,056 | ---- | M] (COMODO) -- C:\Program Files\Comodo\COMODO GeekBuddy\CLPS.exe
PRC - [2010/04/15 19:01:58 | 001,732,960 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/08/09 16:05:06 | 009,465,032 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_270.dll
MOD - [2012/06/14 23:20:15 | 002,042,848 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/05/08 22:20:08 | 000,398,288 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2011/11/23 11:27:10 | 004,284,728 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\Socket\Adaptor.dll
MOD - [2011/11/23 11:27:10 | 002,085,688 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\GuiListener\export.dll
MOD - [2011/11/23 11:27:10 | 001,764,664 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\Socket\Export.dll
MOD - [2011/11/23 11:27:10 | 000,339,768 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\RemoteDesktop\Export.dll
MOD - [2011/11/23 11:27:10 | 000,049,976 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\RemoteDesktop\ShHook.dll
MOD - [2011/11/23 11:27:08 | 000,464,184 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\CRF\export.dll
MOD - [2011/11/23 11:27:08 | 000,328,504 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\EventMonitor\export.dll
MOD - [2011/11/23 11:27:08 | 000,126,776 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\EventMonitor\EventMonitor.dll
MOD - [2011/11/23 11:27:06 | 001,131,320 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\CLPS_RES.dll
MOD - [2011/11/23 11:27:06 | 000,020,280 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLANG.dll
MOD - [2010/03/15 11:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2007/09/19 20:15:00 | 000,161,792 | ---- | M] () -- C:\Program Files\Audio Converter Plus\audioconverter.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/08/09 16:05:14 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/06/14 23:20:14 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/05/08 22:20:08 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/05/08 22:20:06 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/12/19 18:59:00 | 001,960,584 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV - [2011/11/23 11:27:04 | 001,052,472 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLS.exe -- (CLPSLS)
SRV - [2011/08/21 17:28:48 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/07/13 15:00:16 | 000,036,352 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\HMA! Pro VPN\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2010/04/15 19:01:58 | 001,732,960 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2010/04/08 09:14:22 | 000,632,792 | ---- | M] (PC Tools) [Disabled | Stopped] -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc)
SRV - [2008/11/11 09:38:06 | 000,620,544 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2003/05/14 18:45:04 | 000,065,795 | R--- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\CHRIS\LOCALS~1\Temp\dhamjims.sys -- (Micorsoft Windows Service)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/08/09 17:53:14 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2012/05/08 22:20:08 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2012/05/08 22:20:08 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2012/03/28 22:11:02 | 000,020,032 | ---- | M] (Devguru Co., Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dgderdrv.sys -- (dgderdrv)
DRV - [2012/02/24 10:14:42 | 000,181,432 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssudmdm.sys -- (ssudmdm)
DRV - [2012/02/24 10:14:42 | 000,080,824 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssudbus.sys -- (dg_ssudbus)
DRV - [2011/12/20 08:39:28 | 000,100,368 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtihdXP3.sys -- (AtiHDAudioService)
DRV - [2011/12/19 18:59:24 | 000,097,760 | ---- | M] (COMODO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\inspect.sys -- (Inspect)
DRV - [2011/12/19 18:59:22 | 000,494,816 | ---- | M] (COMODO) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cmdGuard.sys -- (cmdGuard)
DRV - [2011/12/19 18:59:22 | 000,031,704 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cmdhlp.sys -- (cmdHlp)
DRV - [2011/12/06 04:42:18 | 007,490,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2011/10/11 15:00:32 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2011/08/07 13:00:05 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/08/07 13:00:04 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2011/07/13 15:00:14 | 000,026,112 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
DRV - [2011/04/01 00:14:06 | 000,023,608 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DrmRAudio.sys -- (DrmRAudio)
DRV - [2010/07/16 01:45:44 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (npf)
DRV - [2010/06/17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/05/01 07:51:28 | 000,036,640 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2010/03/10 11:29:24 | 000,042,144 | ---- | M] (Diskeeper Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DKRtWrt.sys -- (DKRtWrt)
DRV - [2008/11/07 17:35:54 | 000,455,168 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emOEM.sys -- (USB28xxOEM)
DRV - [2008/11/07 17:35:52 | 000,561,536 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emBDA.sys -- (USB28xxBGA)
DRV - [2008/09/24 10:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/04/13 19:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
DRV - [2005/11/14 07:19:28 | 000,027,264 | R--- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SaiU5F0D.sys -- (SaiU5F0D)
DRV - [2005/11/14 07:19:26 | 000,176,640 | R--- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SaiH5F0D.sys -- (SaiH5F0D)
DRV - [2005/07/22 03:38:20 | 000,033,792 | R--- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SaiBus.sys -- (SaiNtBus)
DRV - [2005/07/22 03:38:20 | 000,013,312 | R--- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SaiMini.sys -- (SaiMini)
DRV - [2004/10/08 12:59:11 | 000,326,656 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Camdrl.sys -- (CamDrL)
DRV - [2004/10/08 12:57:48 | 000,022,016 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2004/10/08 02:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/08/03 23:31:36 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.trle.net/
IE - HKCU\..\URLSearchHook: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\prxtbFree.dll (Conduit Ltd.)
IE - HKCU\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylo...search&AF=10588
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...3&SSPV=IEAUTOBR
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_270.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: File not found
FF - HKLM\Software\MozillaPlugins\@emusic.com/dlm-plugin: C:\Program Files\eMusic Download Manager\plugin\npemusic.dll (eMusic.com)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@emusic.com/dlm-plugin: C:\Program Files\eMusic Download Manager\plugin\npemusic.dll (eMusic.com)

FF - HKEY_LOCAL_MACHINE\software\mozilla\eMusic Download Manager\Extensions\\Components: C:\Program Files\eMusic Download Manager\xulrunner\components [2010/09/15 17:03:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\eMusic Download Manager\Extensions\\Plugins: C:\Program Files\eMusic Download Manager\xulrunner\plugins [2012/02/22 23:08:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/28 19:07:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/05/12 19:23:15 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]:

[2010/07/25 19:22:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\CHRIS\Application Data\Mozilla\Extensions
[2012/07/29 22:18:10 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\v7gq7w42.default\extensions
[2012/07/16 14:40:17 | 000,000,000 | ---D | M] (Freecorder Community Toolbar) -- C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\v7gq7w42.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
[2010/07/31 18:39:04 | 000,000,000 | ---D | M] (IP Changer) -- C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\v7gq7w42.default\extensions\Proxybar@Proxy
[2012/06/28 19:07:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/15 17:03:25 | 000,000,000 | ---D | M] (eMusic - Apple iTunes Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\[email protected]
[2010/09/15 17:03:25 | 000,000,000 | ---D | M] (eMusic - Nullsoft Winamp Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\[email protected]
[2010/09/15 17:03:25 | 000,000,000 | ---D | M] (eMusic - Microsoft Media Player Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\[email protected]
[2012/06/14 23:20:49 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/06/27 11:23:03 | 000,226,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npdrmv2.dll
[2010/06/27 11:22:32 | 000,364,544 | ---- | M] (Microsoft Corporation (written by Digital Renaissance Inc.)) -- C:\Program Files\mozilla firefox\plugins\npdsplay.dll
[2010/06/27 11:22:51 | 000,010,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npwmsdrm.dll
[2011/01/16 21:13:11 | 000,002,226 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2012/06/14 23:19:40 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/06/14 23:19:40 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://www.google.com/
CHR - Extension: New Tab, New Window = C:\Documents and Settings\CHRIS\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dndlcbaomdoggooaficldplkcmkfpgff\2.0_0\
CHR - Extension: AdBlock = C:\Documents and Settings\CHRIS\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.4.27_0\

O1 HOSTS File: ([2012/08/08 18:36:40 | 000,443,278 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123fporn.info
O1 - Hosts: 15251 more lines...
O2 - BHO: (Freecorder Toolbar) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\prxtbFree.dll (Conduit Ltd.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Freecorder Toolbar) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\prxtbFree.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Freecorder Toolbar) - {1392B8D2-5C05-419F-A8F6-B9F15A596612} - C:\Program Files\Freecorder\prxtbFree.dll (Conduit Ltd.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [COMODO] C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLA.exe (COMODO)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [CPA] C:\Program Files\Comodo\COMODO GeekBuddy\VALA.exe (COMODO)
O4 - HKCU..\Run: [VscFglqg] C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = DF 00 00 00 [binary data]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1280082859593 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_32)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{75ECFB8D-C3CD-4CA0-9932-871912AAC4E2}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - AppInit_DLLs: (WLControl.dll) - File not found
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\DOCUME~1\CHRIS\LOCALS~1\Temp\nxwainsm.exe) - File not found
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe) - C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\CHRIS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\CHRIS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/25 16:36:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/08/09 22:28:35 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\CHRIS\Desktop\OTL.exe
[2012/08/09 22:23:22 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2012/08/09 22:07:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\Local Settings\Application Data\Comodo
[2012/08/09 22:05:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\CPA_VA
[2012/08/09 22:04:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\COMODO
[2012/08/09 21:58:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Comodo
[2012/08/09 21:58:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Comodo
[2012/08/09 21:58:20 | 000,000,000 | ---D | C] -- C:\Program Files\Comodo
[2012/08/09 17:52:15 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/08/09 15:46:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\DoctorWeb
[2012/08/09 00:09:08 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/08/08 14:27:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\Desktop\tdsskiller
[2012/08/07 16:32:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\6F638BBA00449709F212F0ED7B07D329
[2012/07/22 22:15:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\Desktop\Concrete Wave Evolutions 6
[2012/07/19 21:32:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\Application Data\PriceGong
[2012/07/18 15:53:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\Desktop\Concrete Wave Evolutions 4
[2012/07/12 23:55:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\Desktop\atlantis
[2010/07/26 11:15:03 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\CHRIS\Application Data\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[2012/08/09 22:28:36 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\CHRIS\Desktop\OTL.exe
[2012/08/09 22:25:36 | 001,552,896 | ---- | M] () -- C:\Documents and Settings\CHRIS\Desktop\RogueKiller.exe
[2012/08/09 22:21:48 | 003,868,001 | ---- | M] () -- C:\Documents and Settings\CHRIS\Desktop\ComboFix.exe
[2012/08/09 22:14:51 | 000,000,000 | -HS- | M] () -- C:\DkHyperbootSync
[2012/08/09 22:04:22 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/08/09 22:02:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/08/09 21:59:08 | 000,001,653 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\COMODO Firewall.lnk
[2012/08/09 21:58:36 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\CHRIS\Application Data\Microsoft\Internet Explorer\Quick Launch\COMODO GeekBuddy.lnk
[2012/08/09 21:58:36 | 000,000,915 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\COMODO GeekBuddy.lnk
[2012/08/09 21:58:25 | 000,000,763 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Comodo Dragon.lnk
[2012/08/09 19:24:03 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\HP Usg Daily.job
[2012/08/09 17:53:14 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/08/09 01:03:43 | 000,000,232 | -HS- | M] () -- C:\boot.ini
[2012/08/08 23:44:56 | 019,922,944 | ---- | M] () -- C:\Documents and Settings\CHRIS\NTUSER.bak
[2012/08/08 23:20:43 | 000,094,292 | ---- | M] () -- C:\Documents and Settings\CHRIS\0.641622245941756.exe
[2012/08/08 19:45:36 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/08/08 18:36:40 | 000,443,278 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/08/08 15:04:35 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes Anti-Malware.lnk
[2012/08/06 16:00:27 | 000,231,936 | ---- | M] () -- C:\Documents and Settings\CHRIS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/08/02 03:14:06 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Movavi Video Converter 10.lnk
[2012/07/31 23:00:25 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012/07/30 00:06:51 | 000,000,675 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\FLV Video Player.lnk
[2012/07/29 17:57:26 | 000,443,098 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120808-183640.backup
[2012/07/24 18:19:58 | 500,372,760 | ---- | M] () -- C:\Documents and Settings\CHRIS\Desktop\Rising Son - The Legend Of Skateboarder Christian Hosoi.flv
[2012/07/15 18:26:34 | 000,442,739 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120729-175726.backup

========== Files Created - No Company Name ==========

[2012/08/09 22:25:34 | 001,552,896 | ---- | C] () -- C:\Documents and Settings\CHRIS\Desktop\RogueKiller.exe
[2012/08/09 22:21:45 | 003,868,001 | ---- | C] () -- C:\Documents and Settings\CHRIS\Desktop\ComboFix.exe
[2012/08/09 22:14:51 | 000,000,000 | -HS- | C] () -- C:\DkHyperbootSync
[2012/08/09 21:59:08 | 000,001,653 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\COMODO Firewall.lnk
[2012/08/09 21:58:36 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\CHRIS\Application Data\Microsoft\Internet Explorer\Quick Launch\COMODO GeekBuddy.lnk
[2012/08/09 21:58:36 | 000,000,915 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\COMODO GeekBuddy.lnk
[2012/08/09 21:58:25 | 000,000,763 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Comodo Dragon.lnk
[2012/08/08 23:20:42 | 000,094,292 | ---- | C] () -- C:\Documents and Settings\CHRIS\0.641622245941756.exe
[2012/07/25 15:18:53 | 500,372,760 | ---- | C] () -- C:\Documents and Settings\CHRIS\Desktop\Rising Son - The Legend Of Skateboarder Christian Hosoi.flv
[2012/07/22 16:30:21 | 612,424,266 | ---- | C] () -- C:\Documents and Settings\CHRIS\Desktop\Concrete_Wave_Evolutions_5.mp4
[2012/03/28 22:11:08 | 000,030,568 | ---- | C] () -- C:\WINDOWS\MusiccityDownload.exe
[2012/03/11 15:51:23 | 000,000,770 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2012/01/30 16:53:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2012/01/30 16:52:04 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2012/01/30 16:52:02 | 000,608,507 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2012/01/30 16:52:02 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2011/12/09 21:22:53 | 000,079,872 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/12/05 23:04:00 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\OpenVideo.dll
[2011/12/05 23:03:52 | 000,054,784 | ---- | C] () -- C:\WINDOWS\System32\OVDecode.dll
[2011/12/01 19:39:09 | 000,000,926 | ---- | C] () -- C:\WINDOWS\CDRipper.ini
[2011/11/14 16:39:35 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2011/09/25 22:27:56 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\binkw32.dll
[2011/06/27 23:28:00 | 000,000,427 | ---- | C] () -- C:\WINDOWS\ULEAD32.INI
[2011/06/27 22:46:34 | 000,004,972 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ojobkspa.ako
[2011/05/24 22:53:24 | 000,180,624 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2011/02/18 17:40:44 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/01/29 17:00:22 | 000,974,848 | ---- | C] () -- C:\WINDOWS\System32\cis-2.4.dll
[2011/01/29 17:00:22 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\issacapi_bs-2.3.dll
[2011/01/29 17:00:22 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\issacapi_pe-2.3.dll
[2011/01/29 17:00:22 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\issacapi_se-2.3.dll
[2011/01/17 20:38:53 | 000,177,152 | ---- | C] () -- C:\WINDOWS\Res2_uninst.exe
[2010/10/08 16:24:32 | 000,380,928 | ---- | C] () -- C:\WINDOWS\System32\GTTunerCard.dll
[2010/10/08 16:24:32 | 000,175,104 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2010/10/08 16:24:32 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\ThumbExtract.dll
[2010/10/08 15:00:49 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2010/09/02 15:12:47 | 000,020,801 | ---- | C] () -- C:\WINDOWS\HPHins02.dat
[2010/09/02 15:12:47 | 000,004,308 | ---- | C] () -- C:\WINDOWS\hphmdl02.dat
[2010/09/02 15:09:33 | 000,020,826 | ---- | C] () -- C:\WINDOWS\HPHins02.dat.temp
[2010/09/02 15:09:32 | 000,004,308 | ---- | C] () -- C:\WINDOWS\hphmdl02.dat.temp
[2010/08/30 15:53:22 | 000,003,728 | ---- | C] () -- C:\Documents and Settings\CHRIS\Application Data\wklnhst.dat
[2010/07/30 19:05:16 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\CHRIS\Local Settings\Application Data\PUTTY.RND
[2010/07/30 17:55:18 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\CHRIS\Application Data\$_hpcst$.hpc
[2010/07/27 11:49:11 | 000,231,936 | ---- | C] () -- C:\Documents and Settings\CHRIS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/27 11:47:18 | 000,004,896 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\kbkwknay.ayh
[2010/07/26 11:15:03 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\CHRIS\Application Data\inst.exe
[2010/07/26 11:15:03 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\CHRIS\Application Data\pcouffin.cat
[2010/07/26 11:15:03 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\CHRIS\Application Data\pcouffin.inf
[2010/07/26 10:17:08 | 000,001,057 | ---- | C] () -- C:\Documents and Settings\CHRIS\Application Data\vso_ts_preview.xml
[2010/07/25 18:22:05 | 019,922,944 | ---- | C] () -- C:\Documents and Settings\CHRIS\NTUSER.bak
[2010/06/24 20:13:16 | 000,167,360 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2007/10/05 11:05:05 | 002,293,712 | ---- | C] () -- C:\Program Files\FLV PlayerFCSetup.exe
[2004/08/04 13:00:00 | 000,002,048 | -HS- | C] () -- C:\WINDOWS\Installer\{fbbe1b3c-81a7-ed04-4c48-d2d5689f1126}\@
[2004/08/04 13:00:00 | 000,002,048 | -HS- | C] () -- C:\Documents and Settings\CHRIS\Local Settings\Application Data\{fbbe1b3c-81a7-ed04-4c48-d2d5689f1126}\@

========== LOP Check ==========

[2011/08/07 13:00:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\!SASCORE
[2012/08/08 14:36:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\6F638BBA00449709F212F0ED7B07D329
[2012/08/09 00:22:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\CheckPoint
[2012/08/09 22:05:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\CPA_VA
[2010/07/27 15:57:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Diskeeper Corporation
[2010/07/31 18:15:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\EPS
[2010/07/30 17:59:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Suite
[2012/04/15 21:53:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Samsung
[2012/07/29 18:48:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2010/07/27 11:24:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\AnvSoft
[2012/07/06 15:34:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Aqyn
[2012/03/21 01:10:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Binreader
[2012/01/09 22:32:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\calibre
[2011/03/18 01:26:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\cYo
[2010/09/12 19:09:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\dream-amr-converter
[2010/09/15 17:03:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\eMusic
[2012/04/22 20:47:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\GetRightToGo
[2010/07/27 10:45:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\iPodder
[2012/07/08 23:41:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Kukuge
[2012/04/11 18:38:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Leawo
[2011/06/27 22:46:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\MOVAVI
[2012/05/12 19:23:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Oracle
[2010/07/30 17:58:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\PC Suite
[2012/07/19 21:32:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\PriceGong
[2011/07/16 14:58:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\PrimoPDF
[2010/08/08 17:26:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Registry Mechanic
[2012/04/15 21:58:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Samsung
[2010/08/30 15:53:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Template
[2012/04/11 18:38:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\tiger-k
[2012/07/23 17:01:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\uTorrent
[2012/05/01 18:04:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Vso

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 165 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:85AA7074

< End of report >


OTL Extras logfile created on: 09/08/2012 22:34:21 - Run 1
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Documents and Settings\CHRIS\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1023.48 Mb Total Physical Memory | 364.27 Mb Available Physical Memory | 35.59% Memory free
2.41 Gb Paging File | 1.69 Gb Available in Paging File | 70.11% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.80 Gb Total Space | 42.88 Gb Free Space | 38.36% Space Free | Partition Type: NTFS

Computer Name: CHRIS-3961AAA10 | User Name: CHRIS | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon
"C:\WINDOWS\system32\muzapp.exe" = C:\WINDOWS\system32\muzapp.exe:*:Enabled:MUZ AOD APP player -- (Musiccity Co.Ltd.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02D5CE9B-6013-9D44-7C72-9D19A3878966}" = ccc-utility
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{04AA1207-D8C6-45DC-A96D-48358EBE09F3}" = PSShortcuts
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216032FF}" = Java™ 6 Update 32
"{28450FDB-2FA1-7B62-D172-239C195180BE}" = CCC Help German
"{2ECA81CA-D932-4AD3-AD59-BF5CCF099C83}" = Catalyst Control Center - Branding
"{312FD9DA-E8DD-ED75-5F79-768AD2A4ECC1}" = CCC Help Chinese Standard
"{34610DE0-3C13-42CA-8E32-01FFA38AB6E8}" = PC Connectivity Solution
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{42FAD1F9-6170-992A-80AF-D320119AABEA}" = CCC Help Czech
"{441F3C2E-96AC-6E09-14F4-5C5195500B84}" = CCC Help Thai
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B8AC992-363F-722E-7AB0-27509ABCAA8F}" = CCC Help Turkish
"{512C8C5F-2BC4-1D04-56EF-DDDBBB38D2E6}" = CCC Help Danish
"{517B8FB2-26EE-43B0-AE1B-07408860AA69}" = DigitImg
"{532296F3-2B86-869E-6330-63B8658C83FA}" = CCC Help Russian
"{5DAAD148-7E3B-EFA4-00E3-F3BED24FA7F7}" = CCC Help Japanese
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{655EE3B7-0113-4C5E-B147-B82BA325643F}" = Saitek SST Programming Software
"{66712EEE-ECBC-4CA4-A474-dream-amr-converter}_is1" = Dream AMR Converter 3.0.3.2
"{67B988E3-8B5F-E19F-1F4E-8813237E3541}" = CCC Help Polish
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71B358E3-3DA0-5DF5-F262-B47EC020246F}" = CCC Help Norwegian
"{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"{75DC48BD-4273-E710-0C2F-8C037FE9D16C}" = CCC Help Italian
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{799C0C2B-6F66-5A39-EA5A-78955D590BC9}" = CCC Help Dutch
"{7AEBFFF0-15A1-48A9-88F3-06604486C7C9}" = WMPTagSupportExtender
"{8543A572-5993-4101-BACC-C83884E183A4}" = One Touch Grabber
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8AF3E926-ED59-11D4-A44B-0000E86D2305}" = Ulead GIF Animator 5
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90481BEA-8F52-4FE7-A0D6-BBFAB003D997}" = Movavi Video Converter 10
"{930399D6-7458-76C6-B13A-BAB70C9C9929}" = CCC Help Spanish
"{987AADD6-425E-545D-043E-D10CE7B12DDE}" = CCC Help Chinese Traditional
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B1BABA2-F38E-4C6B-A1EF-B83221FBB7A6}" = Private Proxy
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9ECE13D2-C028-44CB-8A96-A65196E7BBE7}_is1" = Convert AVI to MP4 1.3
"{9FF24774-6E3A-47E3-ABA4-02B1B44910C5}" = USB Video Capture Device x86
"{A25FF1C0-80B6-4B8B-A551-DC525697A408}" = AMD APP SDK Runtime
"{A2763F0F-F905-3BA6-13EB-75713E7526E5}" = CCC Help Swedish
"{A2BD371F-54B4-48D1-A211-59B0567E8F26}_is1" = FLV Video Player 1.0
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A309171A-87A4-52B0-6426-A581F7274FF9}" = CCC Help English
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A67FC347-8673-3B77-1103-65C4AEDE3779}" = Catalyst Control Center Graphics Previews Common
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B43A3B44-2FBE-45A4-86A3-1CB9D3BC230A}" = PS7200
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{B971E11B-DFEB-3D69-E03C-0932FA01B0E6}" = Catalyst Control Center
"{BE073173-C12B-2D33-2C50-E5875BB56CEC}" = CCC Help French
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C18F32CD-780C-BD89-C077-5D093D05171B}" = CCC Help Greek
"{C43048A9-742C-4DAD-90D2-E3B53C9DB825}" = Logitech QuickCam Software
"{C4C843CE-5851-41BC-A17B-E158B996B50D}" = Diskeeper 2010
"{C852EC6B-97DA-FF9F-D633-2EA375C3A799}" = AMD Catalyst Install Manager
"{CB100A6A-06BE-BBC1-9BCE-79A1013A91E1}" = CCC Help Korean
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D6AB1F5B-FED6-49A9-9747-327BD28FB3C7}" = COMODO Internet Security
"{D7B82BB6-1B8B-236E-7FB7-CB8CAD5FD228}" = CCC Help Portuguese
"{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}" = Photosmart 140,240,7200,7600,7700,7900 Series
"{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.0.12.327
"{DBAEDA31-4857-0CCF-13EC-D3EC8718010A}" = Catalyst Control Center InstallProxy
"{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12}" = HP Software Update
"{E1D3C91C-A7BB-A4D9-CBC8-897A01352EE4}" = CCC Help Hungarian
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{EAEA47E5-18C4-442D-33C0-8901F313405E}" = CCC Help Finnish
"{EFE26D3B-2789-4068-A5BB-77E389FAEB98}" = PSUsage
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F904C173-ADC8-AC9B-9FFF-3AAABF093D1F}" = Catalyst Control Center Localization All
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"7-Zip" = 7-Zip 9.20
"AACDecoder_is1" = AACDEcoder 2.10
"AC3Filter_is1" = AC3Filter 1.63b
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"ALUpdate_is1" = ALTools Update
"Any Video Converter Professional_is1" = Any Video Converter Professional 3.0.5
"Audio Converter Plus_is1" = Audio Converter Plus 4.0.0.4
"Avira AntiVir Desktop" = Avira Free Antivirus
"bitRipper" = bitRipper
"CCleaner" = CCleaner
"CD-DA X-Tractor_is1" = CD-DA X-Tractor v0.24
"C-Media Audio Driver" = C-Media WDM Audio Driver
"ComicRack" = ComicRack v0.9.136
"Comodo Dragon" = Comodo Dragon
"COMODO GeekBuddy" = COMODO GeekBuddy
"DivX Setup.divx.com" = DivX Setup
"DVD Shrink_is1" = DVD Shrink 3.2
"eMusic Download Manager" = eMusic Download Manager 4.1.4
"ERUNT_is1" = ERUNT 1.1j
"Eye Candy 4000" = Eye Candy 4000
"ffdshow_is1" = ffdshow v1.1.4096 [2011-11-29]
"FLV Player" = FLV Player 2.0 (build 25)
"Free M4a to MP3 Converter_is1" = Free M4a to MP3 Converter 7.0
"Freecorder Toolbar" = Freecorder Toolbar
"Freecorder4.01" = Freecorder 4.01 Application
"Freecorder5.11" = Freecorder 5
"HMA! Pro VPN" = HMA! Pro VPN 2.6.9
"ie8" = Windows Internet Explorer 8
"InstallShield_{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"InstallShield_{9FF24774-6E3A-47E3-ABA4-02B1B44910C5}" = USB Video Capture Device x86
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero 6 Enterprise Edition
"Playlist Creator 3.6" = Playlist Creator 3.6
"QcDrv" = Logitech® Camera Driver
"QuicktimeAlt_is1" = QuickTime Alternative 3.2.2
"RadLight APE DirectShow filter" = RadLight APE DirectShow filter (remove only)
"RealAlt_is1" = Real Alternative 2.0.2
"Registry Mechanic_is1" = Registry Mechanic 9.0
"RESIDENT EVIL2" = RESIDENT EVIL2
"ST6UNST #1" = TRLevelManager
"Syberia 1 1.00" = Syberia 1 1.00
"Tomb Raider - The Last Revelation" = Tomb Raider - The Last Revelation
"Tomb Raider Chronicles" = Tomb Raider Chronicles
"Tomb Raider Level Editor" = Tomb Raider Level Editor XP
"uTorrent" = µTorrent
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinPcapInst" = WinPcap 4.1.2
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xvid_is1" = Xvid 1.2.2 final uninstall

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"AddonChat" = AddonChat
"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 08/08/2012 09:38:58 | Computer Name = CHRIS-3961AAA10 | Source = WinMgmt | ID = 28
Description = WinMgmt could not initialize the core parts. This could be due to
a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient
disk space or insufficient memory.

Error - 08/08/2012 10:54:19 | Computer Name = CHRIS-3961AAA10 | Source = WinMgmt | ID = 28
Description = WinMgmt could not initialize the core parts. This could be due to
a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient
disk space or insufficient memory.

Error - 08/08/2012 11:34:09 | Computer Name = CHRIS-3961AAA10 | Source = WinMgmt | ID = 28
Description = WinMgmt could not initialize the core parts. This could be due to
a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient
disk space or insufficient memory.

Error - 08/08/2012 12:17:43 | Computer Name = CHRIS-3961AAA10 | Source = WinMgmt | ID = 28
Description = WinMgmt could not initialize the core parts. This could be due to
a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient
disk space or insufficient memory.

Error - 09/08/2012 12:48:10 | Computer Name = CHRIS-3961AAA10 | Source = VSS | ID = 12292
Description = Volume Shadow Copy Service error: Error creating the Shadow Copy Provider
COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Error - 09/08/2012 13:31:07 | Computer Name = CHRIS-3961AAA10 | Source = VSS | ID = 12292
Description = Volume Shadow Copy Service error: Error creating the Shadow Copy Provider
COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Error - 09/08/2012 13:37:46 | Computer Name = CHRIS-3961AAA10 | Source = VSS | ID = 12292
Description = Volume Shadow Copy Service error: Error creating the Shadow Copy Provider
COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Error - 09/08/2012 13:37:46 | Computer Name = CHRIS-3961AAA10 | Source = Diskeeper | ID = 5
Description = Diskeeper Control Center - ERROR Unable to check the VSS Shadow Copy
status for volume C:\ .

Error - 09/08/2012 17:00:01 | Computer Name = CHRIS-3961AAA10 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 09/08/2012 17:00:01 | Computer Name = CHRIS-3961AAA10 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

[ System Events ]
Error - 09/08/2012 17:08:16 | Computer Name = CHRIS-3961AAA10 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 09/08/2012 17:08:17 | Computer Name = CHRIS-3961AAA10 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 09/08/2012 17:08:18 | Computer Name = CHRIS-3961AAA10 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 09/08/2012 17:08:19 | Computer Name = CHRIS-3961AAA10 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 09/08/2012 17:08:20 | Computer Name = CHRIS-3961AAA10 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 09/08/2012 17:20:59 | Computer Name = CHRIS-3961AAA10 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 09/08/2012 17:21:01 | Computer Name = CHRIS-3961AAA10 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 09/08/2012 17:21:03 | Computer Name = CHRIS-3961AAA10 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 09/08/2012 17:21:05 | Computer Name = CHRIS-3961AAA10 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 09/08/2012 17:21:07 | Computer Name = CHRIS-3961AAA10 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.


< End of report >
  • 0

Advertisements

#2
RKinner
Posted 09 August 2012 - 11:14 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
1. Open Avira AntiVir Personal. (There is likely an icon on your desktop, or in your system tray by the clock.)
2. Click the "Configuration" link on the main screen. This opens the configuration panel.
3. Check the "Expert mode" option.
4. Click on General > Security.
5. *Uncheck* the option titled "Protect files and registry entries from manipulation".
6. Click the "OK" button.
7. Reboot your computer.

This is the latest zero Access infection and he brought a few friends.

Copy the text in the code box by highlighting and Ctrl + c


:OTL
IE - HKCU\..\URLSearchHook: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\prxtbFree.dll (Conduit Ltd.)
IE - HKCU\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylo...search&AF=10588
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...3&SSPV=IEAUTOBR
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: File not found
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
[2011/01/16 21:13:11 | 000,002,226 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
O2 - BHO: (Freecorder Toolbar) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\prxtbFree.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Freecorder Toolbar) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\prxtbFree.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Freecorder Toolbar) - {1392B8D2-5C05-419F-A8F6-B9F15A596612} - C:\Program Files\Freecorder\prxtbFree.dll (Conduit Ltd.)
O4 - HKCU..\Run: [VscFglqg] C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_32)
O20 - AppInit_DLLs: (WLControl.dll) - File not found
O20 - HKLM Winlogon: UserInit - (C:\DOCUME~1\CHRIS\LOCALS~1\Temp\nxwainsm.exe) - File not found
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe) - C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe File not found
[2012/08/08 23:20:43 | 000,094,292 | ---- | M] () -- C:\Documents and Settings\CHRIS\0.641622245941756.exe
[2011/06/27 22:46:34 | 000,004,972 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ojobkspa.ako
[2010/07/27 11:47:18 | 000,004,896 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\kbkwknay.ayh
[2012/07/06 15:34:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Aqyn
[2011/03/18 01:26:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\cYo
[2012/07/08 23:41:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Kukuge
[2012/04/11 18:38:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Leawo
@Alternate Data Stream - 165 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:85AA7074

:files
C:\WINDOWS\Installer\{fbbe1b3c-81a7-ed04-4c48-d2d5689f1126}
C:\Documents and Settings\CHRIS\Local Settings\Application Data\{fbbe1b3c-81a7-ed04-4c48-d2d5689f1126}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Documents and Settings\kathryn\Application Data\Xaafso
C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp

:reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]

:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]

then Double on OTL to start. Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.


Download aswMBR.exe ( 511KB ) to your desktop.
Double click aswMBR.exe
uncheck trace disk IO calls
Click the "Scan" button to start scan (Accept the Avast Engine)
On completion of the scan if the Fix button is enabled (not the FixMBR button) press it and then run a new scan and click save log, save it to your desktop and post in your next reply
If the Fix button is not enabled then just click save log, save it to your desktop and post in your next reply

ComboFix

:!: It must be saved to your desktop, do not run it from your browser:!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double click on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe and to start the program.

If TDSSKiller alerts you that the system needs to reboot, please consent.

Run TDSSKiller again but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.



Malwarebytes' Anti-Malware
http://www.malwareby...lwarebytes_free

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe to start the program.
* follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.


Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.


Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.


Ron
  • 0

#3
earthwing
Posted 10 August 2012 - 08:04 AM

earthwing

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Made the alteration to Avira configuration as instructed,and ran OTL with the text copied and pasted also as instructed - was expecting the log to be on the desktop,but assume it is this one which was in an OTL folder on the C drive? Also,Unable to download either aswMBR.exe or combofix from any of the links provided..just get an 'unable to connect'message each time.

========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{1392b8d2-5c05-419f-a8f6-b9f15a596612} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\ deleted successfully.
C:\Program Files\Freecorder\prxtbFree.dll moved successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@checkpoint.com/FFApi\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=\ deleted successfully.
C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\ not found.
File C:\Program Files\Freecorder\prxtbFree.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{1392b8d2-5c05-419f-a8f6-b9f15a596612} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\ not found.
File C:\Program Files\Freecorder\prxtbFree.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{1392B8D2-5C05-419F-A8F6-B9F15A596612} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1392B8D2-5C05-419F-A8F6-B9F15A596612}\ not found.
File C:\Program Files\Freecorder\prxtbFree.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\VscFglqg deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:WLControl.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\DOCUME~1\CHRIS\LOCALS~1\Temp\nxwainsm.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe deleted successfully.
C:\Documents and Settings\CHRIS\0.641622245941756.exe moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\ojobkspa.ako moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\kbkwknay.ayh moved successfully.
C:\Documents and Settings\CHRIS\Application Data\Aqyn folder moved successfully.
C:\Documents and Settings\CHRIS\Application Data\cYo\ComicRack\Scripts\.Pending folder moved successfully.
C:\Documents and Settings\CHRIS\Application Data\cYo\ComicRack\Scripts folder moved successfully.
C:\Documents and Settings\CHRIS\Application Data\cYo\ComicRack folder moved successfully.
C:\Documents and Settings\CHRIS\Application Data\cYo folder moved successfully.
C:\Documents and Settings\CHRIS\Application Data\Kukuge folder moved successfully.
C:\Documents and Settings\CHRIS\Application Data\Leawo\Video Converter folder moved successfully.
C:\Documents and Settings\CHRIS\Application Data\Leawo folder moved successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D1B5B4F1 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A8ADE5D8 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:85AA7074 deleted successfully.
========== FILES ==========
C:\WINDOWS\Installer\{fbbe1b3c-81a7-ed04-4c48-d2d5689f1126}\U folder moved successfully.
C:\WINDOWS\Installer\{fbbe1b3c-81a7-ed04-4c48-d2d5689f1126}\L folder moved successfully.
C:\WINDOWS\Installer\{fbbe1b3c-81a7-ed04-4c48-d2d5689f1126} folder moved successfully.
C:\Documents and Settings\CHRIS\Local Settings\Application Data\{fbbe1b3c-81a7-ed04-4c48-d2d5689f1126}\U folder moved successfully.
C:\Documents and Settings\CHRIS\Local Settings\Application Data\{fbbe1b3c-81a7-ed04-4c48-d2d5689f1126}\L folder moved successfully.
C:\Documents and Settings\CHRIS\Local Settings\Application Data\{fbbe1b3c-81a7-ed04-4c48-d2d5689f1126} folder moved successfully.
File\Folder C:\Windows\assembly\GAC_32\Desktop.ini not found.
File\Folder C:\Windows\assembly\GAC_64\Desktop.ini not found.
File\Folder C:\Documents and Settings\kathryn\Application Data\Xaafso not found.
File\Folder C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp not found.
========== REGISTRY ==========
HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\""|"%systemroot%\system32\wbem\wbemess.dll" /E : value set successfully!
Registry key HKEY_CURRENT_USER\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12d0253a-7c96-815c-11e0-3034bbd97cc0}\ not found.
========== COMMANDS ==========

[EMPTYFLASH]

User: All Users

User: All Users.WINDOWS

User: CHRIS
->Flash cache emptied: 1808 bytes

User: Default User

User: Default User.WINDOWS

User: LocalService

User: LocalService.NT AUTHORITY

User: MR JONES
->Flash cache emptied: 0 bytes

User: NetworkService

User: NetworkService.NT AUTHORITY

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: All Users.WINDOWS

User: CHRIS
->Java cache emptied: 0 bytes

User: Default User

User: Default User.WINDOWS

User: LocalService

User: LocalService.NT AUTHORITY

User: MR JONES

User: NetworkService

User: NetworkService.NT AUTHORITY

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.56.0 log created on 08102012_145219

EDIT!! used a friend's laptop to download all the required apps,and transferred to infected comp via flashdrive.managed to run aswMBR,although it indicated an Avast download error,but Combofix will not run at all - the disclaimer box shows on screen for a second or two then disappears.The aswMBR log is below.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-10 15:55:24
-----------------------------
15:55:24.703 OS Version: Windows 5.1.2600 Service Pack 3
15:55:24.703 Number of processors: 1 586 0x801
15:55:24.703 ComputerName: CHRIS-3961AAA10 UserName: CHRIS
15:55:25.546 Initialize success
15:55:38.953 AVAST engine download error: 0
15:56:12.890 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
15:56:12.890 Disk 0 Vendor: SAMSUNG_SP1203N TL100-30 Size: 114498MB BusType: 3
15:56:12.921 Disk 0 MBR read successfully
15:56:12.921 Disk 0 MBR scan
15:56:12.937 Disk 0 Windows XP default MBR code
15:56:12.937 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114486 MB offset 63
15:56:12.953 Disk 0 scanning sectors +234468675
15:56:13.031 Disk 0 scanning C:\WINDOWS\system32\drivers
15:56:20.984 Service scanning
15:56:36.453 Modules scanning
15:56:48.093 Scan finished successfully
15:59:02.453 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\CHRIS\Desktop\MBR.dat"
15:59:02.453 The log file has been saved successfully to "C:\Documents and Settings\CHRIS\Desktop\aswMBR.txt"

Edited by earthwing, 10 August 2012 - 09:05 AM.

  • 0

#4
RKinner
Posted 10 August 2012 - 09:59 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
OK. Thanks for the update on the OTL log. Old Timer must have changed it.

Run the other programs and skip anything that won't run. The bug often infects the services.exe file. We test for that with the second OTL scan. Your infection is slightly different from the usual version which only infects Vista/Win 7 so it may be a new mutation.
  • 0

#5
earthwing
Posted 10 August 2012 - 11:26 AM

earthwing

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
OK all programs except Combofix are now ran,and logs as below. After the Malwarebytes scan - and I had to rename the mbam.exe in order to get it to run - I've noticed that Avira is now not running,can't be started and is missing from the system tray,in case this is significant.

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.10.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
CHRIS :: CHRIS-3961AAA10 [administrator]

10/08/2012 17:17:18
mbam-log-2012-08-10 (17-17-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 272811
Time elapsed: 13 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Vino's Event Viewer v01c run on Windows XP in English
Report run at 10/08/2012 17:52:16

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 10/08/2012 17:48:56
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Avira Realtime Protection service terminated unexpectedly. It has done this 5 time(s).

Log: 'System' Date/Time: 10/08/2012 17:47:24
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Avira Realtime Protection service terminated unexpectedly. It has done this 4 time(s).

Log: 'System' Date/Time: 10/08/2012 17:46:22
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Avira Realtime Protection service terminated unexpectedly. It has done this 3 time(s).

Log: 'System' Date/Time: 10/08/2012 17:46:21
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Avira Realtime Protection service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Log: 'System' Date/Time: 10/08/2012 17:40:17
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Avira Realtime Protection service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 10/08/2012 17:40:17
Type: error Category: 0
Event: 7009 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for the Avira Realtime Protection service to connect.

Log: 'System' Date/Time: 10/08/2012 17:40:17
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Avira Realtime Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Log: 'System' Date/Time: 10/08/2012 17:37:23
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 10/08/2012 17:37:23
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 10/08/2012 17:37:23
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 10/08/2012 17:37:23
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 10/08/2012 17:37:23
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 10/08/2012 17:37:23
Type: error Category: 0
Event: 1 Source: sr
The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

Log: 'System' Date/Time: 10/08/2012 17:32:59
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 10/08/2012 17:32:57
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 10/08/2012 17:32:55
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 10/08/2012 17:32:53
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 10/08/2012 17:32:50
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 10/08/2012 17:28:05
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 10/08/2012 17:28:04
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 10/08/2012 17:40:14
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<explorer.exe> C:\...net Security\cfp.exe

Log: 'System' Date/Time: 10/08/2012 15:10:05
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 10/08/2012 00:41:29
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<System> C:\...42.default\sessionstore.js

Log: 'System' Date/Time: 10/08/2012 00:40:31
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<System> C:\...efault\Cache\5\02\3C5BFd01

Log: 'System' Date/Time: 10/08/2012 00:40:03
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<System> C:\...efault\Cache\8\12\BCDADd01

Log: 'System' Date/Time: 10/08/2012 00:35:32
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<System> C:\...efault\Cache\5\3F\75767d01

Log: 'System' Date/Time: 09/08/2012 23:52:48
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 09/08/2012 20:39:21
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<jjj.exe> C:\...nfig backup\audio\047.wav

Log: 'System' Date/Time: 09/08/2012 20:38:40
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<jjj.exe> C:\...nfig backup\audio\047.wav

Log: 'System' Date/Time: 09/08/2012 20:38:11
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<jjj.exe> C:\...nfig backup\audio\047.wav

Log: 'System' Date/Time: 09/08/2012 18:07:58
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<cmj.exe> C:\...nfig backup\audio\047.wav

Log: 'System' Date/Time: 09/08/2012 18:07:27
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<cmj.exe> C:\...nfig backup\audio\047.wav

Log: 'System' Date/Time: 09/08/2012 18:06:58
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<cmj.exe> C:\...nfig backup\audio\047.wav

Log: 'System' Date/Time: 09/08/2012 18:06:28
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<cmj.exe> C:\...nfig backup\audio\047.wav

Log: 'System' Date/Time: 09/08/2012 18:05:57
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<cmj.exe> C:\...nfig backup\audio\047.wav

Log: 'System' Date/Time: 08/08/2012 23:52:02
Type: warning Category: 0
Event: 26 Source: atapi
The driver has detected that device \Device\Ide\IdePort0 has old or out-of-date firmware. Reduced performance may result.

Log: 'System' Date/Time: 08/08/2012 23:39:34
Type: warning Category: 0
Event: 26 Source: atapi
The driver has detected that device \Device\Ide\IdePort0 has old or out-of-date firmware. Reduced performance may result.

Log: 'System' Date/Time: 08/08/2012 23:22:33
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 08/08/2012 22:44:27
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 08/08/2012 17:44:54
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<mbam.exe> C:\...fig backup\audio\047.wav

Vino's Event Viewer v01c run on Windows XP in English
Report run at 10/08/2012 17:53:25

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 10/08/2012 14:54:46
Type: error Category: 0
Event: 28 Source: WinMgmt
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Log: 'Application' Date/Time: 10/08/2012 01:02:25
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application flvplayer.exe, version 0.0.0.0, faulting module flashplayer.3.1.1k.ocx, version 9.0.124.0, fault address 0x000c274c.

Log: 'Application' Date/Time: 09/08/2012 22:00:01
Type: error Category: 0
Event: 11 Source: crypt32
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Log: 'Application' Date/Time: 09/08/2012 22:00:01
Type: error Category: 0
Event: 11 Source: crypt32
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Log: 'Application' Date/Time: 09/08/2012 18:37:46
Type: error Category: 0
Event: 5 Source: Diskeeper
Diskeeper Control Center - ERROR Unable to check the VSS Shadow Copy status for volume C:\ .

Log: 'Application' Date/Time: 09/08/2012 18:37:46
Type: error Category: 0
Event: 12292 Source: VSS
Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Log: 'Application' Date/Time: 09/08/2012 18:31:07
Type: error Category: 0
Event: 12292 Source: VSS
Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Log: 'Application' Date/Time: 09/08/2012 17:48:10
Type: error Category: 0
Event: 12292 Source: VSS
Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Log: 'Application' Date/Time: 08/08/2012 17:17:43
Type: error Category: 0
Event: 28 Source: WinMgmt
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Log: 'Application' Date/Time: 08/08/2012 16:34:09
Type: error Category: 0
Event: 28 Source: WinMgmt
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Log: 'Application' Date/Time: 08/08/2012 15:54:19
Type: error Category: 0
Event: 28 Source: WinMgmt
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Log: 'Application' Date/Time: 08/08/2012 14:38:58
Type: error Category: 0
Event: 28 Source: WinMgmt
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Log: 'Application' Date/Time: 08/08/2012 14:08:37
Type: error Category: 0
Event: 28 Source: WinMgmt
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Log: 'Application' Date/Time: 08/08/2012 13:55:34
Type: error Category: 0
Event: 8193 Source: VSS
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007041d.

Log: 'Application' Date/Time: 08/08/2012 13:50:45
Type: error Category: 0
Event: 28 Source: WinMgmt
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Log: 'Application' Date/Time: 03/08/2012 22:45:20
Type: error Category: 3
Event: 4118 Source: Avira Antivirus
EXCEPTION calling function AVEPROC_TestFile() for the file C:\Documents and Settings\CHRIS\Local Settings\Application Data\Mozilla\Firefox\Profiles\v7gq7w42.default\Cache\4\17\64AB5d01 [ACCESS_VIOLATION Exception!! EIP = 0x1c86d12] Please inform Avira and submit the appropriate file!

Log: 'Application' Date/Time: 29/07/2012 13:27:46
Type: error Category: 0
Event: 12292 Source: VSS
Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Log: 'Application' Date/Time: 29/07/2012 13:24:31
Type: error Category: 0
Event: 12292 Source: VSS
Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Log: 'Application' Date/Time: 29/07/2012 11:47:31
Type: error Category: 0
Event: 12292 Source: VSS
Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Log: 'Application' Date/Time: 29/07/2012 11:45:15
Type: error Category: 0
Event: 12292 Source: VSS
Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 10/08/2012 17:39:42
Type: warning Category: 2
Event: 4113 Source: Avira Antivirus
AntiVir has detected 'RKIT/Hider.LKI' in the file C:\Documents and Settings\CHRIS\Local Settings\Temp\dhamjims.sys

Log: 'Application' Date/Time: 10/08/2012 17:35:49
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user CHRIS-3961AAA10\CHRIS registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 10/08/2012 01:11:12
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user CHRIS-3961AAA10\CHRIS registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 10/08/2012 01:09:46
Type: warning Category: 0
Event: 1524 Source: Userenv
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Log: 'Application' Date/Time: 09/08/2012 22:01:33
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user CHRIS-3961AAA10\CHRIS registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 09/08/2012 22:00:30
Type: warning Category: 0
Event: 1524 Source: Userenv
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Log: 'Application' Date/Time: 09/08/2012 21:58:38
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 09/08/2012 21:46:54
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user CHRIS-3961AAA10\CHRIS registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 09/08/2012 21:45:34
Type: warning Category: 0
Event: 1524 Source: Userenv
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Log: 'Application' Date/Time: 09/08/2012 20:40:50
Type: warning Category: 2
Event: 4113 Source: Avira Antivirus
AntiVir has detected 'TR/Patched.Gen' in the file C:\Documents and Settings\CHRIS\Desktop\TO\PH-Olkaira1\TRO.exe

Log: 'Application' Date/Time: 09/08/2012 20:40:49
Type: warning Category: 2
Event: 4113 Source: Avira Antivirus
AntiVir has detected 'TR/Patched.Gen' in the file C:\Documents and Settings\CHRIS\Local Settings\Temp\avz_3156_raw.tmp

Log: 'Application' Date/Time: 09/08/2012 20:40:43
Type: warning Category: 2
Event: 4113 Source: Avira Antivirus
AntiVir has detected 'TR/Patched.Gen' in the file C:\Documents and Settings\CHRIS\Desktop\TO\PH-Olkaira1\TRO.exe

Log: 'Application' Date/Time: 09/08/2012 18:26:30
Type: warning Category: 2
Event: 4113 Source: Avira Antivirus
AntiVir has detected 'TR/Patched.Gen' in the file C:\Documents and Settings\CHRIS\Desktop\TO\PH-Olkaira1\TRO.exe

Log: 'Application' Date/Time: 09/08/2012 18:26:30
Type: warning Category: 2
Event: 4113 Source: Avira Antivirus
AntiVir has detected 'TR/Patched.Gen' in the file C:\Documents and Settings\CHRIS\Desktop\TO\PH-Olkaira1\TRO.exe

Log: 'Application' Date/Time: 09/08/2012 18:26:23
Type: warning Category: 2
Event: 4113 Source: Avira Antivirus
AntiVir has detected 'TR/Patched.Gen' in the file C:\Documents and Settings\CHRIS\Desktop\TO\PH-Olkaira1\TRO.exe

Log: 'Application' Date/Time: 09/08/2012 18:26:22
Type: warning Category: 2
Event: 4113 Source: Avira Antivirus
AntiVir has detected 'TR/Patched.Gen' in the file C:\Documents and Settings\CHRIS\Desktop\TO\PH-Olkaira1\TRO.exe

Log: 'Application' Date/Time: 09/08/2012 17:22:51
Type: warning Category: 2
Event: 4113 Source: Avira Antivirus
AntiVir has detected 'TR/Kazy.85271' in the file C:\WINDOWS\Installer\{fbbe1b3c-81a7-ed04-4c48-d2d5689f1126}\n

Log: 'Application' Date/Time: 09/08/2012 16:21:21
Type: warning Category: 2
Event: 4113 Source: Avira Antivirus
AntiVir has detected 'TR/Winwebsec.AJ.35' in the file C:\System Volume Information\_restore{D2ADFC15-8647-41F2-AE0C-3C2AE118184B}\RP654\A0158116.exe

Log: 'Application' Date/Time: 09/08/2012 15:35:13
Type: warning Category: 2
Event: 4113 Source: Avira Antivirus
AntiVir has detected 'TR/Patched.Gen' in the file C:\Documents and Settings\CHRIS\Desktop\TO\PH-Olkaira1\TRO.exe

Log: 'Application' Date/Time: 09/08/2012 01:05:16
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user CHRIS-3961AAA10\CHRIS registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

OTL logfile created on: 8/10/2012 17:57:07 - Run 2
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Documents and Settings\CHRIS\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 550.64 Mb Available Physical Memory | 53.80% Memory free
2.40 Gb Paging File | 2.00 Gb Available in Paging File | 83.18% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.80 Gb Total Space | 43.31 Gb Free Space | 38.74% Space Free | Partition Type: NTFS
Drive R: | 7.47 Gb Total Space | 0.19 Gb Free Space | 2.59% Space Free | Partition Type: FAT32

Computer Name: CHRIS-3961AAA10 | User Name: CHRIS | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/08/09 22:28:36 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\CHRIS\Desktop\OTL.exe
PRC - [2012/05/08 22:20:08 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/12/21 00:41:44 | 006,676,808 | ---- | M] (COMODO) -- C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
PRC - [2011/12/19 18:59:00 | 001,960,584 | ---- | M] (COMODO) -- C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
PRC - [2011/11/23 11:27:04 | 001,052,472 | ---- | M] (COMODO) -- C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLS.exe
PRC - [2011/11/23 11:27:04 | 000,992,056 | ---- | M] (COMODO) -- C:\Program Files\Comodo\COMODO GeekBuddy\CLPS.exe
PRC - [2010/04/15 19:01:58 | 001,732,960 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/05/08 22:20:08 | 000,398,288 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2011/11/23 11:27:10 | 004,284,728 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\Socket\Adaptor.dll
MOD - [2011/11/23 11:27:10 | 002,085,688 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\GuiListener\export.dll
MOD - [2011/11/23 11:27:10 | 001,764,664 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\Socket\Export.dll
MOD - [2011/11/23 11:27:10 | 000,339,768 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\RemoteDesktop\Export.dll
MOD - [2011/11/23 11:27:10 | 000,049,976 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\RemoteDesktop\ShHook.dll
MOD - [2011/11/23 11:27:08 | 000,464,184 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\CRF\export.dll
MOD - [2011/11/23 11:27:08 | 000,328,504 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\EventMonitor\export.dll
MOD - [2011/11/23 11:27:08 | 000,126,776 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\EventMonitor\EventMonitor.dll
MOD - [2011/11/23 11:27:06 | 001,131,320 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\CLPS_RES.dll
MOD - [2011/11/23 11:27:06 | 000,020,280 | ---- | M] () -- C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLANG.dll
MOD - [2010/03/15 11:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2007/09/19 20:15:00 | 000,161,792 | ---- | M] () -- C:\Program Files\Audio Converter Plus\audioconverter.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/08/09 16:05:14 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/06/14 23:20:14 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/05/08 22:20:08 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/05/08 22:20:06 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/12/19 18:59:00 | 001,960,584 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV - [2011/11/23 11:27:04 | 001,052,472 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLS.exe -- (CLPSLS)
SRV - [2011/08/21 17:28:48 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/07/13 15:00:16 | 000,036,352 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\HMA! Pro VPN\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2010/04/15 19:01:58 | 001,732,960 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2010/04/08 09:14:22 | 000,632,792 | ---- | M] (PC Tools) [Disabled | Stopped] -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc)
SRV - [2008/11/11 09:38:06 | 000,620,544 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2003/05/14 18:45:04 | 000,065,795 | R--- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | Disabled | Running] -- C:\DOCUME~1\CHRIS\LOCALS~1\Temp\dhamjims.sys -- (Micorsoft Windows Service)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/05/08 22:20:08 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2012/05/08 22:20:08 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2012/03/28 22:11:02 | 000,020,032 | ---- | M] (Devguru Co., Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dgderdrv.sys -- (dgderdrv)
DRV - [2012/02/24 10:14:42 | 000,181,432 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssudmdm.sys -- (ssudmdm)
DRV - [2012/02/24 10:14:42 | 000,080,824 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssudbus.sys -- (dg_ssudbus)
DRV - [2011/12/20 08:39:28 | 000,100,368 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtihdXP3.sys -- (AtiHDAudioService)
DRV - [2011/12/19 18:59:24 | 000,097,760 | ---- | M] (COMODO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\inspect.sys -- (Inspect)
DRV - [2011/12/19 18:59:22 | 000,494,816 | ---- | M] (COMODO) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cmdGuard.sys -- (cmdGuard)
DRV - [2011/12/19 18:59:22 | 000,031,704 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cmdhlp.sys -- (cmdHlp)
DRV - [2011/12/06 04:42:18 | 007,490,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2011/10/11 15:00:32 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2011/08/07 13:00:05 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/08/07 13:00:04 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2011/07/13 15:00:14 | 000,026,112 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
DRV - [2011/04/01 00:14:06 | 000,023,608 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DrmRAudio.sys -- (DrmRAudio)
DRV - [2010/07/16 01:45:44 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (npf)
DRV - [2010/06/17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/05/01 07:51:28 | 000,036,640 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2010/03/10 11:29:24 | 000,042,144 | ---- | M] (Diskeeper Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DKRtWrt.sys -- (DKRtWrt)
DRV - [2008/11/07 17:35:54 | 000,455,168 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emOEM.sys -- (USB28xxOEM)
DRV - [2008/11/07 17:35:52 | 000,561,536 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emBDA.sys -- (USB28xxBGA)
DRV - [2008/09/24 10:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/04/13 19:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
DRV - [2005/11/14 07:19:28 | 000,027,264 | R--- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SaiU5F0D.sys -- (SaiU5F0D)
DRV - [2005/11/14 07:19:26 | 000,176,640 | R--- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SaiH5F0D.sys -- (SaiH5F0D)
DRV - [2005/07/22 03:38:20 | 000,033,792 | R--- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SaiBus.sys -- (SaiNtBus)
DRV - [2005/07/22 03:38:20 | 000,013,312 | R--- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SaiMini.sys -- (SaiMini)
DRV - [2004/10/08 12:59:11 | 000,326,656 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Camdrl.sys -- (CamDrL)
DRV - [2004/10/08 12:57:48 | 000,022,016 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2004/10/08 02:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/08/03 23:31:36 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.trle.net/
IE - HKCU\..\SearchScopes,DefaultScope =
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_270.dll ()
FF - HKLM\Software\MozillaPlugins\@emusic.com/dlm-plugin: C:\Program Files\eMusic Download Manager\plugin\npemusic.dll (eMusic.com)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@emusic.com/dlm-plugin: C:\Program Files\eMusic Download Manager\plugin\npemusic.dll (eMusic.com)

FF - HKEY_LOCAL_MACHINE\software\mozilla\eMusic Download Manager\Extensions\\Components: C:\Program Files\eMusic Download Manager\xulrunner\components [2010/09/15 17:03:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\eMusic Download Manager\Extensions\\Plugins: C:\Program Files\eMusic Download Manager\xulrunner\plugins [2012/02/22 23:08:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/28 19:07:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/05/12 19:23:15 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]:

[2010/07/25 19:22:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\CHRIS\Application Data\Mozilla\Extensions
[2012/07/29 22:18:10 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\v7gq7w42.default\extensions
[2012/07/16 14:40:17 | 000,000,000 | ---D | M] (Freecorder Community Toolbar) -- C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\v7gq7w42.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
[2010/07/31 18:39:04 | 000,000,000 | ---D | M] (IP Changer) -- C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\v7gq7w42.default\extensions\Proxybar@Proxy
[2012/06/28 19:07:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/15 17:03:25 | 000,000,000 | ---D | M] (eMusic - Apple iTunes Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\[email protected]
[2010/09/15 17:03:25 | 000,000,000 | ---D | M] (eMusic - Nullsoft Winamp Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\[email protected]
[2010/09/15 17:03:25 | 000,000,000 | ---D | M] (eMusic - Microsoft Media Player Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\[email protected]
[2012/06/14 23:20:49 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/06/27 11:23:03 | 000,226,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npdrmv2.dll
[2010/06/27 11:22:32 | 000,364,544 | ---- | M] (Microsoft Corporation (written by Digital Renaissance Inc.)) -- C:\Program Files\mozilla firefox\plugins\npdsplay.dll
[2010/06/27 11:22:51 | 000,010,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npwmsdrm.dll
[2012/06/14 23:19:40 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/06/14 23:19:40 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://www.google.com/
CHR - Extension: New Tab, New Window = C:\Documents and Settings\CHRIS\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dndlcbaomdoggooaficldplkcmkfpgff\2.0_0\
CHR - Extension: AdBlock = C:\Documents and Settings\CHRIS\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.4.27_0\

O1 HOSTS File: ([2012/08/08 18:36:40 | 000,443,278 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123fporn.info
O1 - Hosts: 15251 more lines...
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [COMODO] C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLA.exe (COMODO)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [CPA] C:\Program Files\Comodo\COMODO GeekBuddy\VALA.exe (COMODO)
O4 - HKCU..\Run: [VscFglqg] C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1280082859593 (MUWebControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{75ECFB8D-C3CD-4CA0-9932-871912AAC4E2}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (c:\windows\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe) - C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\CHRIS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\CHRIS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/25 16:36:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^CHRIS^Start Menu^Programs^Startup^Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe - (Adobe Systems, Inc.)
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Babylon Client - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: BluetoothAuthenticationAgent - hkey= - key= - File not found
MsConfig - StartUpReg: Cmaudio - hkey= - key= - File not found
MsConfig - StartUpReg: CTFMON.EXE - hkey= - key= - File not found
MsConfig - StartUpReg: DivXUpdate - hkey= - key= - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
MsConfig - StartUpReg: Freecorder FLV Service - hkey= - key= - C:\Program Files\Freecorder\FLVSrvc.exe (Applian Technologies, Inc.)
MsConfig - StartUpReg: H/PC Connection Agent - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: HP Component Manager - hkey= - key= - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: HP Software Update - hkey= - key= - C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
MsConfig - StartUpReg: HPDJ Taskbar Utility - hkey= - key= - File not found
MsConfig - StartUpReg: HPHmon05 - hkey= - key= - File not found
MsConfig - StartUpReg: HPHUPD05 - hkey= - key= - C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe (Hewlett-Packard)
MsConfig - StartUpReg: hshagf - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: KernelFaultCheck - hkey= - key= - File not found
MsConfig - StartUpReg: KiesHelper - hkey= - key= - C:\Program Files\Samsung\Kies\KiesHelper.exe (Samsung)
MsConfig - StartUpReg: KiesPDLR - hkey= - key= - C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe ()
MsConfig - StartUpReg: KiesTrayAgent - hkey= - key= - C:\Program Files\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.)
MsConfig - StartUpReg: LogitechSoftwareUpdate - hkey= - key= - C:\Program Files\Logitech\Video\ManifestEngine.exe (Logitech Inc.)
MsConfig - StartUpReg: LogitechVideoRepair - hkey= - key= - C:\Program Files\Logitech\Video\ISStart.exe (Logitech Inc.)
MsConfig - StartUpReg: LogitechVideoTray - hkey= - key= - C:\Program Files\Logitech\Video\LogiTray.exe (Logitech Inc.)
MsConfig - StartUpReg: LVCOMSX - hkey= - key= - File not found
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: NeroFilterCheck - hkey= - key= - File not found
MsConfig - StartUpReg: NvCplDaemon - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: NvMediaCenter - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: nwiz - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: Profiler - hkey= - key= - C:\Program Files\Saitek\Software\Profiler.exe (Saitek)
MsConfig - StartUpReg: RegistryMechanic - hkey= - key= - C:\Program Files\Registry Mechanic\RegMech.exe (PC Tools)
MsConfig - StartUpReg: SaiMfd - hkey= - key= - C:\Program Files\Saitek\Software\SaiMfd.exe (Saitek)
MsConfig - StartUpReg: SoundMan - hkey= - key= - C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
MsConfig - StartUpReg: StartCCC - hkey= - key= - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: SUPERAntiSpyware - hkey= - key= - C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
MsConfig - StartUpReg: VscFglqg - hkey= - key= - C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 2
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: !SASCORE - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com)
SafeBootMin: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: CLPSLS - C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLS.exe (COMODO)
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PEVSystemStart - Service
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: procexp90.Sys - Driver
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: !SASCORE - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com)
SafeBootNet: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: CLPSLS - C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLS.exe (COMODO)
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PEVSystemStart - Service
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: procexp90.Sys - Driver
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0213C6AF-5562-4D09-884C-2ADCFC8C2F35} - Microsoft .NET Framework 1.1 Security Update (KB2656353)
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1897C549-AE52-4571-8996-44854F5612B2} - Microsoft .NET Framework 1.1 Security Update (KB2656370)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2E7D1CFD-F85C-BBBF-5A67-BA1E3E711045} - Vector Graphics Rendering (VML)
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C3C986D6-06B1-43BF-90DD-BE30756C00DE} - RevokedRootsUpdate
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.ac3filter - C:\WINDOWS\System32\ac3filter.acm ()
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.dvsd - pdvcodec.dll File not found
Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: VIDC.I420 - C:\WINDOWS\System32\lvcodec2.dll (Logitech Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/08/10 16:58:13 | 004,728,003 | R--- | C] (Swearware) -- C:\Documents and Settings\CHRIS\Desktop\ComboFix.exe
[2012/08/10 16:55:58 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/08/10 15:45:33 | 002,136,664 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\CHRIS\Desktop\tdsskiller.exe
[2012/08/10 15:45:26 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\CHRIS\Desktop\aswMBR.exe
[2012/08/10 14:52:19 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/08/10 14:48:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\Desktop\otl first scan
[2012/08/10 01:07:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\Desktop\www.NewAlbumReleases.net_ZZ_Top_-_Texicali_(2012)
[2012/08/09 22:28:35 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\CHRIS\Desktop\OTL.exe
[2012/08/09 22:07:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\Local Settings\Application Data\Comodo
[2012/08/09 22:05:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\CPA_VA
[2012/08/09 22:04:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\COMODO
[2012/08/09 21:58:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Comodo
[2012/08/09 21:58:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Comodo
[2012/08/09 21:58:20 | 000,000,000 | ---D | C] -- C:\Program Files\Comodo
[2012/08/09 21:58:17 | 001,700,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\gdiplus.dll
[2012/08/09 15:46:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\DoctorWeb
[2012/08/09 00:09:08 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/08/08 14:27:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\Desktop\tdsskiller
[2012/08/07 16:32:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\6F638BBA00449709F212F0ED7B07D329
[2012/07/22 22:15:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\Desktop\Concrete Wave Evolutions 6
[2012/07/19 21:32:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\Application Data\PriceGong
[2012/07/18 15:53:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\Desktop\Concrete Wave Evolutions 4
[2012/07/12 23:55:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRIS\Desktop\atlantis
[2010/07/26 11:15:03 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\CHRIS\Application Data\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[2012/08/10 17:44:29 | 000,000,000 | -HS- | M] () -- C:\DkHyperbootSync
[2012/08/10 17:37:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/08/10 17:04:18 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/08/10 15:59:02 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\CHRIS\Desktop\MBR.dat
[2012/08/10 15:43:46 | 000,061,440 | ---- | M] ( ) -- C:\Documents and Settings\CHRIS\Desktop\VEW.exe
[2012/08/10 15:43:22 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\CHRIS\Desktop\tdsskiller.exe
[2012/08/10 15:43:14 | 004,728,003 | R--- | M] (Swearware) -- C:\Documents and Settings\CHRIS\Desktop\ComboFix.exe
[2012/08/10 15:41:32 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\CHRIS\Desktop\aswMBR.exe
[2012/08/10 15:24:01 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\HP Usg Daily.job
[2012/08/09 22:28:36 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\CHRIS\Desktop\OTL.exe
[2012/08/09 22:25:36 | 001,552,896 | ---- | M] () -- C:\Documents and Settings\CHRIS\Desktop\RogueKiller.exe
[2012/08/09 21:59:08 | 000,001,653 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\COMODO Firewall.lnk
[2012/08/09 21:58:36 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\CHRIS\Application Data\Microsoft\Internet Explorer\Quick Launch\COMODO GeekBuddy.lnk
[2012/08/09 21:58:36 | 000,000,915 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\COMODO GeekBuddy.lnk
[2012/08/09 21:58:25 | 000,000,763 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Comodo Dragon.lnk
[2012/08/09 21:58:17 | 001,700,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\gdiplus.dll
[2012/08/09 16:05:07 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/08/09 16:05:07 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/08/09 01:03:43 | 000,000,232 | -HS- | M] () -- C:\boot.ini
[2012/08/08 23:44:56 | 019,922,944 | ---- | M] () -- C:\Documents and Settings\CHRIS\NTUSER.bak
[2012/08/08 19:45:36 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/08/08 18:36:40 | 000,443,278 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/08/08 15:04:35 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes Anti-Malware.lnk
[2012/08/06 16:00:27 | 000,231,936 | ---- | M] () -- C:\Documents and Settings\CHRIS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/08/02 03:14:06 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Movavi Video Converter 10.lnk
[2012/07/31 23:00:25 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012/07/30 00:06:51 | 000,000,675 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\FLV Video Player.lnk
[2012/07/29 17:57:26 | 000,443,098 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120808-183640.backup
[2012/07/24 18:19:58 | 500,372,760 | ---- | M] () -- C:\Documents and Settings\CHRIS\Desktop\Rising Son - The Legend Of Skateboarder Christian Hosoi.flv
[2012/07/15 18:26:34 | 000,442,739 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120729-175726.backup

========== Files Created - No Company Name ==========

[2012/08/10 17:44:29 | 000,000,000 | -HS- | C] () -- C:\DkHyperbootSync
[2012/08/10 15:59:02 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\CHRIS\Desktop\MBR.dat
[2012/08/10 15:45:37 | 000,061,440 | ---- | C] ( ) -- C:\Documents and Settings\CHRIS\Desktop\VEW.exe
[2012/08/09 22:25:34 | 001,552,896 | ---- | C] () -- C:\Documents and Settings\CHRIS\Desktop\RogueKiller.exe
[2012/08/09 21:59:08 | 000,001,653 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\COMODO Firewall.lnk
[2012/08/09 21:58:36 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\CHRIS\Application Data\Microsoft\Internet Explorer\Quick Launch\COMODO GeekBuddy.lnk
[2012/08/09 21:58:36 | 000,000,915 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\COMODO GeekBuddy.lnk
[2012/08/09 21:58:25 | 000,000,763 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Comodo Dragon.lnk
[2012/07/25 15:18:53 | 500,372,760 | ---- | C] () -- C:\Documents and Settings\CHRIS\Desktop\Rising Son - The Legend Of Skateboarder Christian Hosoi.flv
[2012/07/22 16:30:21 | 612,424,266 | ---- | C] () -- C:\Documents and Settings\CHRIS\Desktop\Concrete_Wave_Evolutions_5.mp4
[2012/03/28 22:11:08 | 000,030,568 | ---- | C] () -- C:\WINDOWS\MusiccityDownload.exe
[2012/03/11 15:51:23 | 000,000,770 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2012/01/30 16:53:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2012/01/30 16:52:04 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2012/01/30 16:52:02 | 000,608,507 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2012/01/30 16:52:02 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2011/12/09 21:22:53 | 000,079,872 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/12/05 23:04:00 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\OpenVideo.dll
[2011/12/05 23:03:52 | 000,054,784 | ---- | C] () -- C:\WINDOWS\System32\OVDecode.dll
[2011/12/01 19:39:09 | 000,000,926 | ---- | C] () -- C:\WINDOWS\CDRipper.ini
[2011/11/14 16:39:35 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2011/09/25 22:27:56 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\binkw32.dll
[2011/06/27 23:28:00 | 000,000,427 | ---- | C] () -- C:\WINDOWS\ULEAD32.INI
[2011/05/24 22:53:24 | 000,180,624 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2011/02/18 17:40:44 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/01/29 17:00:22 | 000,974,848 | ---- | C] () -- C:\WINDOWS\System32\cis-2.4.dll
[2011/01/29 17:00:22 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\issacapi_bs-2.3.dll
[2011/01/29 17:00:22 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\issacapi_pe-2.3.dll
[2011/01/29 17:00:22 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\issacapi_se-2.3.dll
[2011/01/17 20:38:53 | 000,177,152 | ---- | C] () -- C:\WINDOWS\Res2_uninst.exe
[2010/10/08 16:24:32 | 000,380,928 | ---- | C] () -- C:\WINDOWS\System32\GTTunerCard.dll
[2010/10/08 16:24:32 | 000,175,104 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2010/10/08 16:24:32 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\ThumbExtract.dll
[2010/10/08 15:00:49 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2010/09/02 15:12:47 | 000,020,801 | ---- | C] () -- C:\WINDOWS\HPHins02.dat
[2010/09/02 15:12:47 | 000,004,308 | ---- | C] () -- C:\WINDOWS\hphmdl02.dat
[2010/09/02 15:09:33 | 000,020,826 | ---- | C] () -- C:\WINDOWS\HPHins02.dat.temp
[2010/09/02 15:09:32 | 000,004,308 | ---- | C] () -- C:\WINDOWS\hphmdl02.dat.temp
[2010/08/30 15:53:22 | 000,003,728 | ---- | C] () -- C:\Documents and Settings\CHRIS\Application Data\wklnhst.dat
[2010/07/30 19:05:16 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\CHRIS\Local Settings\Application Data\PUTTY.RND
[2010/07/30 17:55:18 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\CHRIS\Application Data\$_hpcst$.hpc
[2010/07/27 11:49:11 | 000,231,936 | ---- | C] () -- C:\Documents and Settings\CHRIS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/26 11:15:03 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\CHRIS\Application Data\inst.exe
[2010/07/26 11:15:03 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\CHRIS\Application Data\pcouffin.cat
[2010/07/26 11:15:03 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\CHRIS\Application Data\pcouffin.inf
[2010/07/26 10:17:08 | 000,001,057 | ---- | C] () -- C:\Documents and Settings\CHRIS\Application Data\vso_ts_preview.xml
[2010/07/25 18:22:05 | 019,922,944 | ---- | C] () -- C:\Documents and Settings\CHRIS\NTUSER.bak
[2010/06/24 20:13:16 | 000,167,360 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2007/10/05 11:05:05 | 002,293,712 | ---- | C] () -- C:\Program Files\FLV PlayerFCSetup.exe

========== Custom Scans ==========

========== Drive Information ==========

Physical Drives
---------------

Drive: \\\\.\\PHYSICALDRIVE0 - Fixed\thard disk media
Interface type: IDE
Media Type: Fixed\thard disk media
Model: SAMSUNG SP1203N
Partitions: 1
Status: OK
Status Info: 0

Drive: \\\\.\\PHYSICALDRIVE1 - Removable media other than\tfloppy
Interface type: USB
Media Type: Removable media other than\tfloppy
Model: PNY USB 2.0 FD USB Device
Partitions: 1
Status: OK
Status Info: 0

Drive: \\\\.\\PHYSICALDRIVE2 -
Interface type: USB
Media Type:
Model: HP photosmart 7200 USB Device
Partitions: 0
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 112.00GB
Starting Offset: 32256
Hidden sectors: 0


DeviceID: Disk #1, Partition #0
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 7.00GB
Starting Offset: 22528
Hidden sectors: 0


< %SYSTEMDRIVE%\*.exe >
[2001/05/24 12:59:30 | 000,162,304 | ---- | M] () -- C:\UNWISE.EXE

< %systemroot%\assembly\GAC_32\*.ini >

< %systemroot%\assembly\GAC_64\*.ini >

< %SYSTEMDRIVE%\*.exe >
[2001/05/24 12:59:30 | 000,162,304 | ---- | M] () -- C:\UNWISE.EXE

< %ALLUSERSPROFILE%\Application Data\*.exe >

< %APPDATA%\*. >
[2010/10/22 21:56:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\AccurateRip
[2011/05/21 18:29:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Adobe
[2010/07/27 11:24:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\AnvSoft
[2012/01/30 17:00:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\ATI
[2011/10/20 18:54:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Avira
[2012/03/21 01:10:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Binreader
[2012/01/09 22:32:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\calibre
[2010/07/28 00:23:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\DivX
[2010/09/12 19:09:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\dream-amr-converter
[2010/09/15 17:03:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\eMusic
[2010/08/05 22:41:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\ESTsoft
[2012/04/22 20:47:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\GetRightToGo
[2010/07/25 18:22:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Identities
[2010/07/27 10:45:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\iPodder
[2010/07/26 09:30:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Macromedia
[2010/07/27 13:40:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Malwarebytes
[2011/06/04 00:13:22 | 000,000,000 | --SD | M] -- C:\Documents and Settings\CHRIS\Application Data\Microsoft
[2011/06/27 22:46:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\MOVAVI
[2010/07/25 19:22:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Mozilla
[2012/05/12 19:23:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Oracle
[2010/07/30 17:58:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\PC Suite
[2012/07/19 21:32:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\PriceGong
[2011/07/16 14:58:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\PrimoPDF
[2010/12/08 18:21:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Real
[2010/08/08 17:26:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Registry Mechanic
[2012/04/15 21:58:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Samsung
[2010/07/26 10:00:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Sun
[2010/07/26 18:44:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\SUPERAntiSpyware.com
[2010/08/30 15:53:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Template
[2012/04/11 18:38:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\tiger-k
[2010/07/27 10:43:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\TVU networks
[2012/07/23 17:01:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\uTorrent
[2012/05/01 18:04:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\Vso
[2010/07/26 10:27:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CHRIS\Application Data\WinRAR

< MD5 for: ATAPI.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/07/25 20:25:09 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/07/25 20:25:09 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 13:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: CSRSS.EXE >
[2008/04/14 01:12:15 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=44F275C64738EA2056E3D9580C23B60F -- C:\WINDOWS\ServicePackFiles\i386\csrss.exe
[2008/04/14 01:12:15 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=44F275C64738EA2056E3D9580C23B60F -- C:\WINDOWS\system32\csrss.exe
[2004/08/04 13:00:00 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=F12B178B1678D778CFD3FF1FC38C71FB -- C:\WINDOWS\$NtServicePackUninstall$\csrss.exe

< MD5 for: EXPLORER.EXE >
[2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2004/08/04 13:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: MSWSOCK.DLL >
[2008/06/20 18:41:10 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=097722F235A1FB698BF9234E01B52637 -- C:\WINDOWS\$NtServicePackUninstall$\mswsock.dll
[2008/06/20 18:36:11 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=1DFCA7713EA5A70D5D93B436AEA0317A -- C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[2004/08/04 13:00:00 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=4E74AF063C3271FBEA20DD940CFD1184 -- C:\WINDOWS\$NtUninstallKB951748_0$\mswsock.dll
[2008/06/20 18:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=832E4DD8964AB7ACC880B2837CB1ED20 -- C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[2008/06/20 18:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=832E4DD8964AB7ACC880B2837CB1ED20 -- C:\WINDOWS\$NtUninstallKB2509553$\mswsock.dll
[2008/06/20 17:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\system32\dllcache\mswsock.dll
[2008/06/20 17:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\system32\mswsock.dll
[2008/04/14 01:12:01 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=B4138E99236F0F57D4CF49BAE98A0746 -- C:\WINDOWS\$NtUninstallKB951748$\mswsock.dll
[2008/04/14 01:12:01 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=B4138E99236F0F57D4CF49BAE98A0746 -- C:\WINDOWS\ServicePackFiles\i386\mswsock.dll
[2008/06/20 18:43:05 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=FCEE5FCB99F7C724593365C706D28388 -- C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\mswsock.dll
[2008/06/20 18:43:05 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=FCEE5FCB99F7C724593365C706D28388 -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll

< MD5 for: NWPROVAU.DLL >
[2008/04/14 01:12:02 | 000,142,336 | ---- | M] (Microsoft Corporation) MD5=06E587F41466569F32BEAAC7260E8AEC -- C:\WINDOWS\ServicePackFiles\i386\nwprovau.dll
[2008/04/14 01:12:02 | 000,142,336 | ---- | M] (Microsoft Corporation) MD5=06E587F41466569F32BEAAC7260E8AEC -- C:\WINDOWS\system32\nwprovau.dll
[2004/08/04 13:00:00 | 000,144,384 | ---- | M] (Microsoft Corporation) MD5=F01D97A8E0380BA52F58249A7B3BD7F1 -- C:\WINDOWS\$NtServicePackUninstall$\nwprovau.dll

< MD5 for: PNRPNSP.DLL >
[2004/08/04 13:00:00 | 000,048,640 | ---- | M] (Microsoft Corporation) MD5=74D3620D2E63489975E3956A40DDD35F -- C:\WINDOWS\$NtServicePackUninstall$\pnrpnsp.dll
[2008/04/14 01:12:02 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=AF1449AC1D79D37C7026C1D8912DDA8E -- C:\WINDOWS\ServicePackFiles\i386\pnrpnsp.dll
[2008/04/14 01:12:02 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=AF1449AC1D79D37C7026C1D8912DDA8E -- C:\WINDOWS\system32\pnrpnsp.dll

< MD5 for: SERVICES.EXE >
[2009/02/06 12:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2008/04/14 01:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\$NtUninstallKB956572$\services.exe
[2008/04/14 01:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\ServicePackFiles\i386\services.exe
[2009/02/06 18:14:03 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=37561F8D4160D62DA86D24AE41FAE8DE -- C:\WINDOWS\$NtServicePackUninstall$\services.exe
[2009/02/06 11:22:21 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=4712531AB7A01B7EE059853CA17D39BD -- C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\services.exe
[2009/02/06 12:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\services.exe
[2009/02/06 12:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe
[2009/02/06 12:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe
[2004/08/04 13:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\$NtUninstallKB956572_0$\services.exe

< MD5 for: SVCHOST.EXE >
[2008/04/14 01:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/14 01:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2012/07/03 13:46:42 | 000,217,672 | ---- | M] () MD5=8A7F34F0BBD076EC3815680A7309114F -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2004/08/04 13:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 13:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/14 01:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 01:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 13:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2012/07/03 13:46:42 | 000,217,672 | ---- | M] () MD5=8A7F34F0BBD076EC3815680A7309114F -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/14 01:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/14 01:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< MD5 for: WINRNR.DLL >
[2004/08/04 13:00:00 | 000,016,896 | ---- | M] (Microsoft Corporation) MD5=2C8FDB176F22629EA5342DB474FAC391 -- C:\WINDOWS\$NtServicePackUninstall$\winrnr.dll
[2008/04/14 01:12:09 | 000,016,896 | ---- | M] (Microsoft Corporation) MD5=D72B9EC3337B247A666F098F3D6B43DE -- C:\WINDOWS\ServicePackFiles\i386\winrnr.dll
[2008/04/14 01:12:09 | 000,016,896 | ---- | M] (Microsoft Corporation) MD5=D72B9EC3337B247A666F098F3D6B43DE -- C:\WINDOWS\system32\winrnr.dll

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/06/14 23:20:49 | 000,867,072 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/06/14 23:20:49 | 000,867,072 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/06/14 23:20:49 | 000,867,072 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/06/14 23:20:13 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/06/14 23:20:13 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/06/14 23:20:13 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\CHRIS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2011/09/03 13:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\CHRIS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2011/09/03 13:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\CHRIS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/09/03 13:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\CHRIS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2011/09/03 13:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2012/05/11 12:38:19 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2012/05/11 12:38:19 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2012/05/11 12:38:19 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/06/14 23:20:49 | 000,867,072 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/06/14 23:20:49 | 000,867,072 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/06/14 23:20:49 | 000,867,072 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/06/14 23:20:13 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/06/14 23:20:13 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/06/14 23:20:13 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\CHRIS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2011/09/03 13:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\CHRIS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2011/09/03 13:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\CHRIS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/09/03 13:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\CHRIS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2011/09/03 13:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2012/05/11 12:38:19 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2012/05/11 12:38:19 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2012/05/11 12:38:19 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< End of report >


OTL Extras logfile created on: 8/10/2012 17:57:07 - Run 2
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Documents and Settings\CHRIS\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 550.64 Mb Available Physical Memory | 53.80% Memory free
2.40 Gb Paging File | 2.00 Gb Available in Paging File | 83.18% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.80 Gb Total Space | 43.31 Gb Free Space | 38.74% Space Free | Partition Type: NTFS
Drive R: | 7.47 Gb Total Space | 0.19 Gb Free Space | 2.59% Space Free | Partition Type: FAT32

Computer Name: CHRIS-3961AAA10 | User Name: CHRIS | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- "%1" %*
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cmd [@ = cmdfile] -- "%1" %*
.com [@ = comfile] -- "%1" %*
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.exe [@ = exefile] -- "%1" %*
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\WINDOWS\System32\rundll32.exe (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.pif [@ = piffile] -- "%1" %*
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.scr [@ = scrfile] -- "%1" /S
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon
"C:\WINDOWS\system32\muzapp.exe" = C:\WINDOWS\system32\muzapp.exe:*:Enabled:MUZ AOD APP player -- (Musiccity Co.Ltd.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02D5CE9B-6013-9D44-7C72-9D19A3878966}" = ccc-utility
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{04AA1207-D8C6-45DC-A96D-48358EBE09F3}" = PSShortcuts
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216032FF}" = Java™ 6 Update 32
"{28450FDB-2FA1-7B62-D172-239C195180BE}" = CCC Help German
"{2ECA81CA-D932-4AD3-AD59-BF5CCF099C83}" = Catalyst Control Center - Branding
"{312FD9DA-E8DD-ED75-5F79-768AD2A4ECC1}" = CCC Help Chinese Standard
"{34610DE0-3C13-42CA-8E32-01FFA38AB6E8}" = PC Connectivity Solution
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{42FAD1F9-6170-992A-80AF-D320119AABEA}" = CCC Help Czech
"{441F3C2E-96AC-6E09-14F4-5C5195500B84}" = CCC Help Thai
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B8AC992-363F-722E-7AB0-27509ABCAA8F}" = CCC Help Turkish
"{512C8C5F-2BC4-1D04-56EF-DDDBBB38D2E6}" = CCC Help Danish
"{517B8FB2-26EE-43B0-AE1B-07408860AA69}" = DigitImg
"{532296F3-2B86-869E-6330-63B8658C83FA}" = CCC Help Russian
"{5DAAD148-7E3B-EFA4-00E3-F3BED24FA7F7}" = CCC Help Japanese
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{655EE3B7-0113-4C5E-B147-B82BA325643F}" = Saitek SST Programming Software
"{66712EEE-ECBC-4CA4-A474-dream-amr-converter}_is1" = Dream AMR Converter 3.0.3.2
"{67B988E3-8B5F-E19F-1F4E-8813237E3541}" = CCC Help Polish
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71B358E3-3DA0-5DF5-F262-B47EC020246F}" = CCC Help Norwegian
"{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"{75DC48BD-4273-E710-0C2F-8C037FE9D16C}" = CCC Help Italian
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{799C0C2B-6F66-5A39-EA5A-78955D590BC9}" = CCC Help Dutch
"{7AEBFFF0-15A1-48A9-88F3-06604486C7C9}" = WMPTagSupportExtender
"{8543A572-5993-4101-BACC-C83884E183A4}" = One Touch Grabber
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8AF3E926-ED59-11D4-A44B-0000E86D2305}" = Ulead GIF Animator 5
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90481BEA-8F52-4FE7-A0D6-BBFAB003D997}" = Movavi Video Converter 10
"{930399D6-7458-76C6-B13A-BAB70C9C9929}" = CCC Help Spanish
"{987AADD6-425E-545D-043E-D10CE7B12DDE}" = CCC Help Chinese Traditional
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B1BABA2-F38E-4C6B-A1EF-B83221FBB7A6}" = Private Proxy
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9ECE13D2-C028-44CB-8A96-A65196E7BBE7}_is1" = Convert AVI to MP4 1.3
"{9FF24774-6E3A-47E3-ABA4-02B1B44910C5}" = USB Video Capture Device x86
"{A25FF1C0-80B6-4B8B-A551-DC525697A408}" = AMD APP SDK Runtime
"{A2763F0F-F905-3BA6-13EB-75713E7526E5}" = CCC Help Swedish
"{A2BD371F-54B4-48D1-A211-59B0567E8F26}_is1" = FLV Video Player 1.0
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A309171A-87A4-52B0-6426-A581F7274FF9}" = CCC Help English
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A67FC347-8673-3B77-1103-65C4AEDE3779}" = Catalyst Control Center Graphics Previews Common
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B43A3B44-2FBE-45A4-86A3-1CB9D3BC230A}" = PS7200
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{B971E11B-DFEB-3D69-E03C-0932FA01B0E6}" = Catalyst Control Center
"{BE073173-C12B-2D33-2C50-E5875BB56CEC}" = CCC Help French
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C18F32CD-780C-BD89-C077-5D093D05171B}" = CCC Help Greek
"{C43048A9-742C-4DAD-90D2-E3B53C9DB825}" = Logitech QuickCam Software
"{C4C843CE-5851-41BC-A17B-E158B996B50D}" = Diskeeper 2010
"{C852EC6B-97DA-FF9F-D633-2EA375C3A799}" = AMD Catalyst Install Manager
"{CB100A6A-06BE-BBC1-9BCE-79A1013A91E1}" = CCC Help Korean
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D6AB1F5B-FED6-49A9-9747-327BD28FB3C7}" = COMODO Internet Security
"{D7B82BB6-1B8B-236E-7FB7-CB8CAD5FD228}" = CCC Help Portuguese
"{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}" = Photosmart 140,240,7200,7600,7700,7900 Series
"{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.0.12.327
"{DBAEDA31-4857-0CCF-13EC-D3EC8718010A}" = Catalyst Control Center InstallProxy
"{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12}" = HP Software Update
"{E1D3C91C-A7BB-A4D9-CBC8-897A01352EE4}" = CCC Help Hungarian
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{EAEA47E5-18C4-442D-33C0-8901F313405E}" = CCC Help Finnish
"{EFE26D3B-2789-4068-A5BB-77E389FAEB98}" = PSUsage
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F904C173-ADC8-AC9B-9FFF-3AAABF093D1F}" = Catalyst Control Center Localization All
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"7-Zip" = 7-Zip 9.20
"AACDecoder_is1" = AACDEcoder 2.10
"AC3Filter_is1" = AC3Filter 1.63b
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"ALUpdate_is1" = ALTools Update
"Any Video Converter Professional_is1" = Any Video Converter Professional 3.0.5
"Audio Converter Plus_is1" = Audio Converter Plus 4.0.0.4
"Avira AntiVir Desktop" = Avira Free Antivirus
"bitRipper" = bitRipper
"CCleaner" = CCleaner
"CD-DA X-Tractor_is1" = CD-DA X-Tractor v0.24
"C-Media Audio Driver" = C-Media WDM Audio Driver
"ComicRack" = ComicRack v0.9.136
"Comodo Dragon" = Comodo Dragon
"COMODO GeekBuddy" = COMODO GeekBuddy
"DivX Setup.divx.com" = DivX Setup
"DVD Shrink_is1" = DVD Shrink 3.2
"eMusic Download Manager" = eMusic Download Manager 4.1.4
"ERUNT_is1" = ERUNT 1.1j
"Eye Candy 4000" = Eye Candy 4000
"ffdshow_is1" = ffdshow v1.1.4096 [2011-11-29]
"FLV Player" = FLV Player 2.0 (build 25)
"Free M4a to MP3 Converter_is1" = Free M4a to MP3 Converter 7.0
"Freecorder Toolbar" = Freecorder Toolbar
"Freecorder4.01" = Freecorder 4.01 Application
"Freecorder5.11" = Freecorder 5
"HMA! Pro VPN" = HMA! Pro VPN 2.6.9
"ie8" = Windows Internet Explorer 8
"InstallShield_{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"InstallShield_{9FF24774-6E3A-47E3-ABA4-02B1B44910C5}" = USB Video Capture Device x86
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero 6 Enterprise Edition
"Playlist Creator 3.6" = Playlist Creator 3.6
"QcDrv" = Logitech® Camera Driver
"QuicktimeAlt_is1" = QuickTime Alternative 3.2.2
"RadLight APE DirectShow filter" = RadLight APE DirectShow filter (remove only)
"RealAlt_is1" = Real Alternative 2.0.2
"Registry Mechanic_is1" = Registry Mechanic 9.0
"RESIDENT EVIL2" = RESIDENT EVIL2
"ST6UNST #1" = TRLevelManager
"Syberia 1 1.00" = Syberia 1 1.00
"Tomb Raider - The Last Revelation" = Tomb Raider - The Last Revelation
"Tomb Raider Chronicles" = Tomb Raider Chronicles
"Tomb Raider Level Editor" = Tomb Raider Level Editor XP
"uTorrent" = µTorrent
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinPcapInst" = WinPcap 4.1.2
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xvid_is1" = Xvid 1.2.2 final uninstall

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"AddonChat" = AddonChat
"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 8/8/2012 11:34:09 | Computer Name = CHRIS-3961AAA10 | Source = WinMgmt | ID = 28
Description = WinMgmt could not initialize the core parts. This could be due to
a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient
disk space or insufficient memory.

Error - 8/8/2012 12:17:43 | Computer Name = CHRIS-3961AAA10 | Source = WinMgmt | ID = 28
Description = WinMgmt could not initialize the core parts. This could be due to
a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient
disk space or insufficient memory.

Error - 8/9/2012 12:48:10 | Computer Name = CHRIS-3961AAA10 | Source = VSS | ID = 12292
Description = Volume Shadow Copy Service error: Error creating the Shadow Copy Provider
COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Error - 8/9/2012 13:31:07 | Computer Name = CHRIS-3961AAA10 | Source = VSS | ID = 12292
Description = Volume Shadow Copy Service error: Error creating the Shadow Copy Provider
COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Error - 8/9/2012 13:37:46 | Computer Name = CHRIS-3961AAA10 | Source = VSS | ID = 12292
Description = Volume Shadow Copy Service error: Error creating the Shadow Copy Provider
COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Error - 8/9/2012 13:37:46 | Computer Name = CHRIS-3961AAA10 | Source = Diskeeper | ID = 5
Description = Diskeeper Control Center - ERROR Unable to check the VSS Shadow Copy
status for volume C:\ .

Error - 8/9/2012 17:00:01 | Computer Name = CHRIS-3961AAA10 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/9/2012 17:00:01 | Computer Name = CHRIS-3961AAA10 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/9/2012 20:02:25 | Computer Name = CHRIS-3961AAA10 | Source = Application Error | ID = 1000
Description = Faulting application flvplayer.exe, version 0.0.0.0, faulting module
flashplayer.3.1.1k.ocx, version 9.0.124.0, fault address 0x000c274c.

Error - 8/10/2012 09:54:46 | Computer Name = CHRIS-3961AAA10 | Source = WinMgmt | ID = 28
Description = WinMgmt could not initialize the core parts. This could be due to
a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient
disk space or insufficient memory.

[ System Events ]
Error - 8/10/2012 12:37:23 | Computer Name = CHRIS-3961AAA10 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 8/10/2012 12:37:23 | Computer Name = CHRIS-3961AAA10 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 8/10/2012 12:37:23 | Computer Name = CHRIS-3961AAA10 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 8/10/2012 12:40:17 | Computer Name = CHRIS-3961AAA10 | Source = Service Control Manager | ID = 7031
Description = The Avira Realtime Protection service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 0 milliseconds:
Restart the service.

Error - 8/10/2012 12:40:17 | Computer Name = CHRIS-3961AAA10 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Avira Realtime Protection
service to connect.

Error - 8/10/2012 12:40:17 | Computer Name = CHRIS-3961AAA10 | Source = Service Control Manager | ID = 7000
Description = The Avira Realtime Protection service failed to start due to the following
error: %%1053

Error - 8/10/2012 12:46:21 | Computer Name = CHRIS-3961AAA10 | Source = Service Control Manager | ID = 7031
Description = The Avira Realtime Protection service terminated unexpectedly. It
has done this 2 time(s). The following corrective action will be taken in 0 milliseconds:
Restart the service.

Error - 8/10/2012 12:46:22 | Computer Name = CHRIS-3961AAA10 | Source = Service Control Manager | ID = 7034
Description = The Avira Realtime Protection service terminated unexpectedly. It
has done this 3 time(s).

Error - 8/10/2012 12:47:24 | Computer Name = CHRIS-3961AAA10 | Source = Service Control Manager | ID = 7034
Description = The Avira Realtime Protection service terminated unexpectedly. It
has done this 4 time(s).

Error - 8/10/2012 12:48:56 | Computer Name = CHRIS-3961AAA10 | Source = Service Control Manager | ID = 7034
Description = The Avira Realtime Protection service terminated unexpectedly. It
has done this 5 time(s).


< End of report >
  • 0

#6
RKinner
Posted 10 August 2012 - 12:36 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Log: 'System' Date/Time: 10/08/2012 15:10:05
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.


Can you turn off utorrent or better uninstall it? It usually causes these errors.

Avira found something before it died:

AntiVir has detected 'RKIT/Hider.LKI' in the file C:\Documents and Settings\CHRIS\Local Settings\Temp\dhamjims.sys

I would let OTL empty the temp files as long as you don't have a case of missing program icons. First uninstall MalwareBytes as it may interfere and cause OTL to hang.

Copy the text in the code box by highlighting and Ctrl + c 

     
:Commands
[EMPTYTEMP]
[Reboot]
then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.


Also both MBAM and Avira tagged C:\...nfig backup\audio\047.wav as a problem. Can you find it and delete it or at least rename it bad047.wavx?

This error is bad:

Error - 8/10/2012 12:37:23 | Computer Name = CHRIS-3961AAA10 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.


Let's see if we can clear it:

1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed,
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application.

Reboot.

The disk check will run and will probably take an hour or more to finish.


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

You may not have been able to get aswMBR and Combofix because the forum software shortens the full link sometimes. It works if you click on it but if you type what you see then it sometimes doesn't work. Full paths:

http://public.avast.com/~gmerek/aswMBR.exe


http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

You might have better luck with Combofix in Safe Mode with Networking
(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly. Keep tapping until the Safe Mode Menu appears and choose Safe Mode with Networking. Login with your usual login.)

If that doesn't work then uninstall MalwareBytes and try:

Start, Run, cmd, OK and type with an enter after the line:

"%userprofile%\Desktop\combofix.exe" /killall

(Make sure you put a space before the /killall)


Also Comodo should probably be uninstalled if you are having problems connecting. A better firewall is Online Armor:
http://www.online-ar...m/downloads.php

Run OTL, quickscan and post the log.
  • 0

#7
earthwing
Posted 10 August 2012 - 03:00 PM

earthwing

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Malwarebytes and utorrent both uninstalled.Temp files cleared with OTL - log below - but that nxwainsm.exe is still there.ran the CHKDSK operation and the event logs ran after are also below.Combofix still will not run,either in normal or safe mode.Using the cmd prompt had it ran briefly for about 3 seconds before closing.Couldn't find the wav file you had noticed,but did see that the chkdsk operation had picked it up.

All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: All Users.WINDOWS

User: CHRIS
->Temp folder emptied: 46352501 bytes
->Temporary Internet Files folder emptied: 73582 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 444137565 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1147 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33614 bytes

User: MR JONES
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 32768 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 43928 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 468.00 mb


OTL by OldTimer - Version 3.2.56.0 log created on 08102012_200825

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


Vino's Event Viewer v01c run on Windows XP in English
Report run at 10/08/2012 21:40:57

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 10/08/2012 21:36:26
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Avira Realtime Protection service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 10/08/2012 21:36:26
Type: error Category: 0
Event: 7009 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for the Avira Realtime Protection service to connect.

Log: 'System' Date/Time: 10/08/2012 21:36:25
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Avira Realtime Protection service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Log: 'System' Date/Time: 10/08/2012 21:36:21
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Avira Realtime Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Vino's Event Viewer v01c run on Windows XP in English
Report run at 10/08/2012 21:41:55

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • 0

#8
RKinner
Posted 10 August 2012 - 05:02 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
You have some sort of proxy service showing in Firefox.:
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]:
[2010/07/31 18:39:04 | 000,000,000 | ---D | M] (IP Changer) -- C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\v7gq7w42.default\extensions\Proxybar@Proxy

Not sure what it is but try running Firefox in Safe Mode if you are having troubles downloading files. http://support.mozil...using-safe-mode



Let's see if Avenger will get it.

Download The Avenger by Swandog46 from
http://swandog46.gee...r2/download.php
* Unzip/extract it to a folder on your desktop.
* Double click on avenger.exe to run The Avenger.
* Click OK.
* Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
* Copy all of the text between the stars to the clipboard by highlighting it and then pressing Ctrl+C.
*******************************************************

Files to replace with dummy:
C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\nxwainsm.exe
C:\Documents and Settings\CHRIS\Local Settings\Temp\dhamjims.sys
C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe

******************************************************
* In the avenger window, click the Paste Script from Clipboard icon, Image button.
* :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
* Click the Execute button.
* You will be asked Are you sure you want to execute the current script?.
* Click Yes.
* You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
* Click Yes.
* Your PC will now be rebooted.
* Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
* If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
* After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt). I would like to see the log in your next post.


We are trying to replace the bad files with a dummy file. Sometimes that will let us fool the malware. You will still see the file but it won't be malware any more.

See if you can get ESET or Bitdefender online scans to work:

Use IE and go to http://eset.com/onlinescan and click on ESET online Scanner. Accept the terms then press Start (If you get a warning from your browser tell it you want to run it).

# Check Scan Archives
# Push the Start button.
# ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
# When the scan completes, push LIST OF THREATS FOUND
# Push EXPORT TO TEXT FILE , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
# Push the BACK button.
# Push Finish
# Once the scan is completed, you may close the window.
# Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
# Copy and paste that log as a reply.


Let's also try the bitdefender quickscan.

http://quickscan.bitdefender.com/

When it finishes there is a View Report option at the bottom. Click on it and copy and paste the report (even if it says nothing found).


Try downloading combofix again and this time rename it to george.exe before you save it. Then boot into Safe Mode with Networking and double click on george.exe
Run OTL, Quickscan and post the log.
  • 0

#9
earthwing
Posted 11 August 2012 - 03:10 AM

earthwing

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi,thanks for your continued patience with this problem!

First thing I noticed this morning when I booted up the comp was that Avira had come back to life!It also immediately flagged up nxwainsm.exe and vscfglqg.exe. Furthermore,it then flagged up 'TR/Strictor.6318.2 found in nxmainsm.exe'.Comodo also alerted that nxwainsm was trying to access cmd.exe,which I blocked.
Cannot access either the eset or bitdefender online scans,but did run Avenger - log below.Will now try Combofix again as 'george' and report back.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\nxwainsm.exe" not found!
Replacement with dummy of file "C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\nxwainsm.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Documents and Settings\CHRIS\Local Settings\Temp\dhamjims.sys" not found!
Replacement with dummy of file "C:\Documents and Settings\CHRIS\Local Settings\Temp\dhamjims.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe" not found!
Replacement with dummy of file "C:\Documents and Settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

EDIT!! Got Combofix to run as 'george'.It detected that recovery console was not installed and asked to download from microsoft but couldnt connect - scan went ahead anyway.Also,even though Avira and comodo were turned off,combofix detected that they were still running?! Log below.
However,things seem to be back to normal - nxwainsm has gone from the temp folder,and vscfglqg is no longer on the startup list.Also,I can now connect with malwarebytes.org where previously I'd been unable,and Avira appears to be running normally again.I can also connect with the online scans you provided above,but I haven't run them as yet.Is there anything else you wish to do to make sure all is well?

ComboFix 12-08-09.01 - CHRIS 08/11/2012 10:49:12.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.568 [GMT 1:00]
Running from: c:\documents and settings\CHRIS\Desktop\george.exe
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\CHRIS\Application Data\PriceGong
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\1.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\a.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\b.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\c.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\d.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\e.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\f.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\g.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\h.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\i.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\j.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\k.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\l.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\m.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\n.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\o.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\p.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\q.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\r.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\s.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\t.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\u.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\v.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\w.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\x.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\y.txt
c:\documents and settings\CHRIS\Application Data\PriceGong\Data\z.txt
c:\documents and settings\CHRIS\Local Settings\Application Data\cijvbdcu.log
c:\documents and settings\CHRIS\Local Settings\Application Data\ictbogna.log
c:\documents and settings\CHRIS\Local Settings\Application Data\jomcsatq.log
c:\documents and settings\CHRIS\Local Settings\Application Data\lhgyfyxt.log
c:\documents and settings\CHRIS\Local Settings\Application Data\ncwjohyg.log
c:\documents and settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe
c:\documents and settings\CHRIS\Local Settings\Application Data\pvvokixr.log
c:\documents and settings\CHRIS\Local Settings\Application Data\wyoxykla.log
c:\documents and settings\CHRIS\Local Settings\Application Data\xpsluksa.log
c:\documents and settings\CHRIS\Local Settings\Application Data\ymiesrsq.log
c:\documents and settings\CHRIS\WINDOWS
c:\documents and settings\MR JONES\WINDOWS
c:\windows\system32\Language
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\Settings
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2012-07-11 to 2012-08-11 )))))))))))))))))))))))))))))))
.
.
2012-08-10 13:52 . 2012-08-10 13:52 -------- d-----w- C:\_OTL
2012-08-09 21:07 . 2012-08-09 21:07 -------- d-----w- c:\documents and settings\CHRIS\Local Settings\Application Data\Comodo
2012-08-09 21:05 . 2012-08-11 10:06 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\CPA_VA
2012-08-09 21:04 . 2012-08-09 21:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-08-09 20:58 . 2012-08-09 21:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Comodo
2012-08-09 20:58 . 2012-08-09 20:58 -------- d-----w- c:\program files\Comodo
2012-08-09 20:58 . 2012-08-09 20:58 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-08-09 14:46 . 2012-08-09 14:46 -------- d-----w- c:\documents and settings\CHRIS\DoctorWeb
2012-08-08 23:09 . 2012-08-08 23:09 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-07 15:32 . 2012-08-08 13:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\6F638BBA00449709F212F0ED7B07D329
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-09 15:05 . 2012-04-02 13:33 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-09 15:05 . 2011-05-30 10:15 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 13:19 . 2004-08-04 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-04-14 00:12 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2004-08-04 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 14:19 . 2009-08-06 18:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19 . 2010-07-25 17:11 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 14:19 . 2010-07-25 17:11 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19 . 2010-07-25 17:11 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 14:19 . 2009-08-06 18:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19 . 2010-07-25 17:11 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 14:19 . 2010-07-25 17:11 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 14:19 . 2009-08-06 18:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 14:19 . 2009-08-06 18:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 14:19 . 2009-08-06 18:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:19 . 2010-07-25 17:11 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 14:19 . 2010-07-25 17:11 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 14:18 . 2010-07-26 13:25 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 14:18 . 2010-07-26 13:25 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 14:18 . 2009-08-06 18:23 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2007-10-05 10:05 . 2007-10-05 10:05 2293712 -c--a-w- c:\program files\FLV PlayerFCSetup.exe
2012-06-14 22:20 . 2011-03-23 18:45 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-08 348664]
"COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 208184]
"CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 182584]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-20 6676808]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\CHRIS\Start Menu\Programs\Startup\
vscfglqg.exe [2012-8-8 94292]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-07 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^CHRIS^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hshagf
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-03 13:10 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
2011-03-24 05:11 167936 ----a-w- c:\program files\Freecorder\FLVSrvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 07:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-12-05 14:41 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-12-04 23:44 176128 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2004-02-02 19:41 495616 ----a-w- c:\windows\system32\hphmon05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
2003-11-12 22:12 49152 ----a-w- c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesHelper]
2012-03-31 03:38 954256 ----a-w- c:\program files\Samsung\Kies\KiesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPDLR]
2012-03-31 03:38 21392 ----a-w- c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2012-03-31 03:38 3521424 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2004-10-08 11:06 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2004-10-08 11:31 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2004-10-08 11:24 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2004-10-08 10:52 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\progra~1\MESSEN~1\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
2005-06-14 14:23 159744 ----a-w- c:\program files\Saitek\Software\Profiler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2010-04-08 08:15 3233752 ----a-w- c:\program files\Registry Mechanic\RegMech.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiMfd]
2005-06-17 18:02 126976 ----a-w- c:\program files\Saitek\Software\SaiMfd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 14:28 577536 ----a-w- c:\windows\soundman.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-12-05 21:37 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 10:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-07-29 16:33 4777856 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/20/2011 18:53 36000]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [12/19/2011 18:59 494816]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12/19/2011 18:59 31704]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 19:25 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 19:41 67664]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/20/2011 18:53 86224]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\Comodo\COMODO GeekBuddy\CLPSLS.exe [11/23/2011 11:27 1052472]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [7/16/2010 01:45 35088]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [1/30/2012 16:53 100368]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [7/27/2010 15:57 42144]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [7/26/2010 11:15 47360]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/2/2012 14:33 250056]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [4/15/2012 21:57 80824]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [4/15/2012 21:54 20032]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [4/15/2011 19:40 23608]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [7/30/2010 17:55 36640]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [6/28/2012 19:07 113120]
S3 SaiH5F0D;SaiH5F0D;c:\windows\system32\drivers\SaiH5F0D.sys [7/26/2010 14:45 176640]
S3 SaiU5F0D;SaiU5F0D;c:\windows\system32\drivers\SaiU5F0D.sys [7/26/2010 14:45 27264]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [4/15/2012 21:57 181432]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 18:48 116608]
S4 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [7/26/2010 16:26 632792]
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 15:05]
.
2012-08-10 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe [2004-01-07 05:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.trle.net/
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\v7gq7w42.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=10588
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://trle.net/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.ftp_port - 8128
FF - prefs.js: network.proxy.gopher_port - 8128
FF - prefs.js: network.proxy.http_port - 8128
FF - prefs.js: network.proxy.ssl_port - 8128
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-VscFglqg - c:\documents and settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe
MSConfigStartUp-Cmaudio - cmicnfg.cpl
MSConfigStartUp-VscFglqg - c:\documents and settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-11 11:05
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\CHRIS\Start Menu\Programs\Startup\vscfglqg.exe 94292 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(772)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(828)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(2256)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(716)
c:\windows\system32\cmdcsr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\COMODO\COMODO GeekBuddy\CLPS.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2012-08-11 11:22:13 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-11 10:22
.
Pre-Run: 46,920,994,816 bytes free
Post-Run: 46,709,846,016 bytes free
.
- - End Of File - - 319D4FF587E3B409ACE08D9BF88DDA4A

Edited by earthwing, 11 August 2012 - 04:45 AM.

  • 0

#10
RKinner
Posted 11 August 2012 - 08:37 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
CF doesn't really know what anti-virus and firewall are running. It asks Windows and apparently Windows is a bit confused.

We are making progress but we aren't there yet. It's still showing in CF. Let's try one more time. CF works best if it has the Recovery Console installed. There is a manual procedure at:
http://www.bleepingc...manual_recovery
You need the Home Edition. After you try that then:
Make sure you do not have MalwareBytes Anti-Malware installed as it will cause CF to hang.

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

AtJob::

SecCenter::
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

DirLook::
C:\Program Files\Common
%user%\library

File::
c:\documents and settings\CHRIS\Start Menu\Programs\Startup\vscfglqg.exe
c:\documents and settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe

Driver::
Micorsoft Windows Service
MICORSOFT_WINDOWS_SERVICE

NetSvcs::
Micorsoft Windows Service
MICORSOFT_WINDOWS_SERVICE

Folder::
c:\documents and settings\CHRIS\Local Settings\Application Data\nmksvlhp
c:\documents and settings\All Users.WINDOWS\Application Data\6F638BBA00449709F212F0ED7B07D329

RootKit::
c:\documents and settings\CHRIS\Start Menu\Programs\Startup\vscfglqg.exe
c:\documents and settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to george.exe and let go Combofix should start on its own.

Post the new log.

The BitDefender scan is very quick so please try it.

Ron
  • 0

Advertisements

#11
earthwing
Posted 11 August 2012 - 11:14 AM

earthwing

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ok,ran combofix again using the script file and this time CF was able to download and install recovery console itself.Will run bitdefender next.New CF log below.

ComboFix 12-08-09.01 - CHRIS 08/11/2012 17:36:54.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.620 [GMT 1:00]
Running from: c:\documents and settings\CHRIS\Desktop\george.exe
Command switches used :: c:\documents and settings\CHRIS\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
FILE ::
"c:\documents and settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe"
"c:\documents and settings\CHRIS\Start Menu\Programs\Startup\vscfglqg.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users.WINDOWS\Application Data\6F638BBA00449709F212F0ED7B07D329
c:\documents and settings\All Users.WINDOWS\Application Data\6F638BBA00449709F212F0ED7B07D329\6F638BBA00449709F212F0ED7B07D329
c:\documents and settings\All Users.WINDOWS\Application Data\6F638BBA00449709F212F0ED7B07D329\6F638BBA00449709F212F0ED7B07D329.ico
c:\documents and settings\CHRIS\Local Settings\Application Data\ictbogna.log
c:\documents and settings\CHRIS\Local Settings\Application Data\jomcsatq.log
c:\documents and settings\CHRIS\Local Settings\Application Data\nmksvlhp
c:\documents and settings\CHRIS\Local Settings\Application Data\xpsluksa.log
.
.
((((((((((((((((((((((((( Files Created from 2012-07-11 to 2012-08-11 )))))))))))))))))))))))))))))))
.
.
2012-08-10 13:52 . 2012-08-10 13:52 -------- d-----w- C:\_OTL
2012-08-09 21:07 . 2012-08-09 21:07 -------- d-----w- c:\documents and settings\CHRIS\Local Settings\Application Data\Comodo
2012-08-09 21:05 . 2012-08-11 10:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\CPA_VA
2012-08-09 21:04 . 2012-08-09 21:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-08-09 20:58 . 2012-08-09 21:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Comodo
2012-08-09 20:58 . 2012-08-09 20:58 -------- d-----w- c:\program files\Comodo
2012-08-09 20:58 . 2012-08-09 20:58 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-08-09 14:46 . 2012-08-09 14:46 -------- d-----w- c:\documents and settings\CHRIS\DoctorWeb
2012-08-08 23:09 . 2012-08-08 23:09 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-09 15:05 . 2012-04-02 13:33 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-09 15:05 . 2011-05-30 10:15 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 13:19 . 2004-08-04 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-04-14 00:12 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2004-08-04 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 14:19 . 2009-08-06 18:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19 . 2010-07-25 17:11 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 14:19 . 2010-07-25 17:11 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19 . 2010-07-25 17:11 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 14:19 . 2009-08-06 18:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19 . 2010-07-25 17:11 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 14:19 . 2010-07-25 17:11 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 14:19 . 2009-08-06 18:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 14:19 . 2009-08-06 18:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 14:19 . 2009-08-06 18:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:19 . 2010-07-25 17:11 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 14:19 . 2010-07-25 17:11 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 14:18 . 2010-07-26 13:25 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 14:18 . 2010-07-26 13:25 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 14:18 . 2009-08-06 18:23 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2007-10-05 10:05 . 2007-10-05 10:05 2293712 -c--a-w- c:\program files\FLV PlayerFCSetup.exe
2012-06-14 22:20 . 2011-03-23 18:45 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-11_10.06.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-11 16:48 . 2012-08-11 16:48 16384 c:\windows\temp\Perflib_Perfdata_1b0.dat
- 2012-08-10 19:13 . 2012-08-11 10:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2012-08-10 19:13 . 2012-08-11 16:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-07-25 17:19 . 2012-08-11 16:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-07-25 17:19 . 2012-08-11 10:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-08-09 21:05 . 2012-08-11 16:50 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2012-08-09 21:05 . 2012-08-11 10:05 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2010-07-25 17:19 . 2012-08-11 10:05 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-07-25 17:19 . 2012-08-11 16:50 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-08 348664]
"COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 208184]
"CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 182584]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-20 6676808]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-07 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^CHRIS^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^CHRIS^Start Menu^Programs^Startup^vscfglqg.exe]
path=c:\documents and settings\CHRIS\Start Menu\Programs\Startup\vscfglqg.exe
backup=c:\windows\pss\vscfglqg.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-03 13:10 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
2011-03-24 05:11 167936 ----a-w- c:\program files\Freecorder\FLVSrvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 07:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-12-05 14:41 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-12-04 23:44 176128 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2004-02-02 19:41 495616 ----a-w- c:\windows\system32\hphmon05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
2003-11-12 22:12 49152 ----a-w- c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesHelper]
2012-03-31 03:38 954256 ----a-w- c:\program files\Samsung\Kies\KiesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPDLR]
2012-03-31 03:38 21392 ----a-w- c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2012-03-31 03:38 3521424 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2004-10-08 11:06 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2004-10-08 11:31 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2004-10-08 11:24 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2004-10-08 10:52 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\progra~1\MESSEN~1\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
2005-06-14 14:23 159744 ----a-w- c:\program files\Saitek\Software\Profiler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2010-04-08 08:15 3233752 ----a-w- c:\program files\Registry Mechanic\RegMech.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiMfd]
2005-06-17 18:02 126976 ----a-w- c:\program files\Saitek\Software\SaiMfd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 14:28 577536 ----a-w- c:\windows\soundman.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-12-05 21:37 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 10:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-07-29 16:33 4777856 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/20/2011 18:53 36000]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [12/19/2011 18:59 494816]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12/19/2011 18:59 31704]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 19:25 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 19:41 67664]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/20/2011 18:53 86224]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\Comodo\COMODO GeekBuddy\CLPSLS.exe [11/23/2011 11:27 1052472]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [7/16/2010 01:45 35088]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [1/30/2012 16:53 100368]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [7/27/2010 15:57 42144]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [7/26/2010 11:15 47360]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/2/2012 14:33 250056]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [4/15/2012 21:57 80824]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [4/15/2012 21:54 20032]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [4/15/2011 19:40 23608]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [7/30/2010 17:55 36640]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [6/28/2012 19:07 113120]
S3 SaiH5F0D;SaiH5F0D;c:\windows\system32\drivers\SaiH5F0D.sys [7/26/2010 14:45 176640]
S3 SaiU5F0D;SaiU5F0D;c:\windows\system32\drivers\SaiU5F0D.sys [7/26/2010 14:45 27264]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [4/15/2012 21:57 181432]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 18:48 116608]
S4 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [7/26/2010 16:26 632792]
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 15:05]
.
2012-08-11 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe [2004-01-07 05:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.trle.net/
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\v7gq7w42.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=10588
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://trle.net/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.ftp_port - 8128
FF - prefs.js: network.proxy.gopher_port - 8128
FF - prefs.js: network.proxy.http_port - 8128
FF - prefs.js: network.proxy.ssl_port - 8128
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-11 17:48
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(768)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(3008)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(708)
c:\windows\system32\cmdcsr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\COMODO\COMODO GeekBuddy\CLPS.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2012-08-11 18:08:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-11 17:08
ComboFix2.txt 2012-08-11 10:22
.
Pre-Run: 47,140,286,464 bytes free
Post-Run: 47,115,341,824 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /noexecute=alwaysoff /fastdetect
.
- - End Of File - - FFC9A86C362522B23B721688E77863F2

EDIT Bitdefender scan was all clear!

Edited by earthwing, 11 August 2012 - 11:35 AM.

  • 0

#12
RKinner
Posted 11 August 2012 - 07:20 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
We are still seeing our friend in the CF log:

[HKLM\~\startupfolder\C:^Documents and Settings^CHRIS^Start Menu^Programs^Startup^vscfglqg.exe]
path=c:\documents and settings\CHRIS\Start Menu\Programs\Startup\vscfglqg.exe
backup=c:\windows\pss\vscfglqg.exeStartup


but I think what we are seeing is just a leftover entry in msconfig. I think the full path should be:

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder

It does refer to a location we haven't yet cleaned C:\windows\pss so let's remove it and see what happens:

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

AtJob::

DirLook::
c:\windows\pss
c:\documents and settings\CHRIS\Start Menu\Programs\Startup\
c:\documents and settings\All Users\Start Menu\Programs\Startup\

File::
c:\documents and settings\CHRIS\Start Menu\Programs\Startup\vscfglqg.exe
c:\documents and settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe
c:\windows\pss\vscfglqg.exeStartup
c:\windows\pss\vscfglqg.exe

Driver::
Micorsoft Windows Service
MICORSOFT_WINDOWS_SERVICE

NetSvcs::
Micorsoft Windows Service
MICORSOFT_WINDOWS_SERVICE

Folder::
c:\documents and settings\CHRIS\Local Settings\Application Data\nmksvlhp
c:\documents and settings\All Users\WINDOWS\Application Data\6F638BBA00449709F212F0ED7B07D329

RootKit::
c:\documents and settings\CHRIS\Start Menu\Programs\Startup\vscfglqg.exe
c:\documents and settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go Combofix should start on its own.

Post the new log.

Ron
  • 0

#13
earthwing
Posted 13 August 2012 - 03:55 AM

earthwing

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Ron, sorry for the delay in replying this time - had a busy Sunday!
New CF log as requested.

ComboFix 12-08-09.01 - CHRIS 08/13/2012 10:19:54.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.613 [GMT 1:00]
Running from: c:\documents and settings\CHRIS\Desktop\george.exe
Command switches used :: c:\documents and settings\CHRIS\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Created a new restore point
.
FILE ::
"c:\documents and settings\CHRIS\Local Settings\Application Data\nmksvlhp\vscfglqg.exe"
"c:\documents and settings\CHRIS\Start Menu\Programs\Startup\vscfglqg.exe"
"c:\windows\pss\vscfglqg.exe"
"c:\windows\pss\vscfglqg.exeStartup"
.
.
((((((((((((((((((((((((( Files Created from 2012-07-13 to 2012-08-13 )))))))))))))))))))))))))))))))
.
.
2012-08-11 17:15 . 2012-08-11 17:15 -------- d-----w- c:\documents and settings\CHRIS\Application Data\QuickScan
2012-08-10 13:52 . 2012-08-10 13:52 -------- d-----w- C:\_OTL
2012-08-09 21:07 . 2012-08-09 21:07 -------- d-----w- c:\documents and settings\CHRIS\Local Settings\Application Data\Comodo
2012-08-09 21:05 . 2012-08-11 10:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\CPA_VA
2012-08-09 21:04 . 2012-08-09 21:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-08-09 20:58 . 2012-08-09 21:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Comodo
2012-08-09 20:58 . 2012-08-09 20:58 -------- d-----w- c:\program files\Comodo
2012-08-09 20:58 . 2012-08-09 20:58 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-08-09 14:46 . 2012-08-09 14:46 -------- d-----w- c:\documents and settings\CHRIS\DoctorWeb
2012-08-08 23:09 . 2012-08-08 23:09 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-09 15:05 . 2012-04-02 13:33 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-09 15:05 . 2011-05-30 10:15 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 13:19 . 2004-08-04 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-04-14 00:12 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2004-08-04 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 14:19 . 2009-08-06 18:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19 . 2010-07-25 17:11 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 14:19 . 2010-07-25 17:11 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19 . 2010-07-25 17:11 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 14:19 . 2009-08-06 18:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19 . 2010-07-25 17:11 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 14:19 . 2010-07-25 17:11 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 14:19 . 2009-08-06 18:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 14:19 . 2009-08-06 18:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 14:19 . 2009-08-06 18:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:19 . 2010-07-25 17:11 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 14:19 . 2010-07-25 17:11 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 14:18 . 2010-07-26 13:25 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 14:18 . 2010-07-26 13:25 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 14:18 . 2009-08-06 18:23 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2007-10-05 10:05 . 2007-10-05 10:05 2293712 -c--a-w- c:\program files\FLV PlayerFCSetup.exe
2012-06-14 22:20 . 2011-03-23 18:45 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Start Menu\Programs\Startup ----
.
2010-07-25 15:00 . 2010-07-25 15:36 84 --sha-w- c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
.
---- Directory of c:\documents and settings\CHRIS\Start Menu\Programs\Startup ----
.
2010-07-25 17:22 . 2010-07-25 17:14 84 --sha-w- c:\documents and settings\CHRIS\Start Menu\Programs\Startup\desktop.ini
.
---- Directory of c:\windows\pss ----
.
2010-07-26 14:44 . 2010-07-26 12:04 988 ------w- c:\windows\pss\Adobe Gamma.lnkStartup
2010-07-26 10:42 . 2011-11-14 18:52 303 ------w- c:\windows\pss\boot.ini.backup
2010-07-25 19:53 . 2010-07-25 17:58 231 ------w- c:\windows\pss\system.ini.backup
2010-07-25 19:53 . 2010-07-25 17:14 477 ------w- c:\windows\pss\win.ini.backup
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-11_10.06.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-13 09:33 . 2012-08-13 09:33 16384 c:\windows\temp\Perflib_Perfdata_73c.dat
- 2012-08-10 19:13 . 2012-08-11 10:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2012-08-10 19:13 . 2012-08-13 09:36 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-07-25 17:19 . 2012-08-11 10:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-07-25 17:19 . 2012-08-13 09:36 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-08-09 21:05 . 2012-08-13 09:36 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2012-08-09 21:05 . 2012-08-11 10:05 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2010-07-25 17:19 . 2012-08-11 10:05 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-07-25 17:19 . 2012-08-13 09:36 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2012-06-26 15:09 . 2012-06-26 15:09 731688 c:\windows\Downloaded Program Files\qsax.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-08 348664]
"COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 208184]
"CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 182584]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-20 6676808]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-07 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-03 13:10 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
2011-03-24 05:11 167936 ----a-w- c:\program files\Freecorder\FLVSrvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 07:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-12-05 14:41 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-12-04 23:44 176128 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2004-02-02 19:41 495616 ----a-w- c:\windows\system32\hphmon05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
2003-11-12 22:12 49152 ----a-w- c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesHelper]
2012-03-31 03:38 954256 ----a-w- c:\program files\Samsung\Kies\KiesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPDLR]
2012-03-31 03:38 21392 ----a-w- c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2012-03-31 03:38 3521424 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2004-10-08 11:06 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2004-10-08 11:31 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2004-10-08 11:24 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2004-10-08 10:52 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\progra~1\MESSEN~1\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
2005-06-14 14:23 159744 ----a-w- c:\program files\Saitek\Software\Profiler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2010-04-08 08:15 3233752 ----a-w- c:\program files\Registry Mechanic\RegMech.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiMfd]
2005-06-17 18:02 126976 ----a-w- c:\program files\Saitek\Software\SaiMfd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 14:28 577536 ----a-w- c:\windows\soundman.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-12-05 21:37 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 10:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-07-29 16:33 4777856 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/20/2011 18:53 36000]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [12/19/2011 18:59 494816]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12/19/2011 18:59 31704]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 19:25 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 19:41 67664]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/20/2011 18:53 86224]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\Comodo\COMODO GeekBuddy\CLPSLS.exe [11/23/2011 11:27 1052472]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [7/16/2010 01:45 35088]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [1/30/2012 16:53 100368]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [7/27/2010 15:57 42144]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [7/26/2010 11:15 47360]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/2/2012 14:33 250056]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [4/15/2012 21:57 80824]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [4/15/2012 21:54 20032]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [4/15/2011 19:40 23608]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [7/30/2010 17:55 36640]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [6/28/2012 19:07 113120]
S3 SaiH5F0D;SaiH5F0D;c:\windows\system32\drivers\SaiH5F0D.sys [7/26/2010 14:45 176640]
S3 SaiU5F0D;SaiU5F0D;c:\windows\system32\drivers\SaiU5F0D.sys [7/26/2010 14:45 27264]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [4/15/2012 21:57 181432]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 18:48 116608]
S4 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [7/26/2010 16:26 632792]
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 15:05]
.
2012-08-12 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe [2004-01-07 05:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.trle.net/
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\v7gq7w42.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=10588
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://trle.net/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.ftp_port - 8128
FF - prefs.js: network.proxy.gopher_port - 8128
FF - prefs.js: network.proxy.http_port - 8128
FF - prefs.js: network.proxy.ssl_port - 8128
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0
FF - user.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-13 10:35
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(772)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(828)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(3360)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(716)
c:\windows\system32\cmdcsr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\COMODO\COMODO GeekBuddy\CLPS.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2012-08-13 10:51:14 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-13 09:50
ComboFix2.txt 2012-08-11 17:08
ComboFix3.txt 2012-08-11 10:22
.
Pre-Run: 46,952,484,864 bytes free
Post-Run: 46,975,492,096 bytes free
.
- - End Of File - - 4943B1EC04F53F624A61AE6030BB2C39
  • 0

#14
RKinner
Posted 13 August 2012 - 08:11 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
No problem with delays. I don't keep track.

Your Combofix log looks clean. I think we finally got the last of it.

We need to clean up System Restore.

Copy the following:


:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]
Run OTL. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.


Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

You do not have the latest Java.
First go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
Java™ 6 Update 32

Get the latest Java at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Do not let it install the yahoo toolbar or other foistware.

Are you able to update now?
  • 0

#15
earthwing
Posted 13 August 2012 - 10:52 AM

earthwing

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Everything seems to be working ok now.I can connect to microsoft update and my programs will open and update.I've noticed that with the latest Java installed,the java icon is no longer present in the system tray - I assume this is normal?

Glad you were able to do something about system restore,because Avira was driving me mad with constant alerts about 'TR/Strictor 6318' being found in system volume information!Whilst on the subject of Avira,at the start of this thread you asked me to uncheck the "protect files and registry entries from manipulation" box in Avira's configuration - can this be set back again now?
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP