# Ukash West Yorkshire virus - can't remove with Malwarebytes

## Catherine-N (Sep 12, 2012)

Hi there,

On Sunday (3 days ago) my machine came up with the Ukash West Yorkshire Police virus and I couldn't do anything other than shut down. I found on another site the suggestion to download the free version of Malwarebytes Anti-Malware and to run it in safe mode, which I did. This found around 15 or so problems and I removed them. I then logged off. Today, I logged on and for a few minutes was working in normal mode ok and then the Ukash virus locked me out again. I re-ran the Malwarebytes programme in safe mode, and removed the viruses again. I then tried logging on as normal and I was able to work perfectly ok and it seemed to have worked. However, my internet connection is fairly rubbish and at that point was showing limited connection. Anyway, I thought I'd run the Malwarebytes programme in the normal mode just to check everything had gone. After a while, I decided to fire up my Internet Explorer and then set it to repair my internet connection - which it did. A dialogue box then popped up saying a programme on my computer had corrupted my default setting provider for Internet Explorer and that it would fix it. I then got a Google page up and typed a search query in. As soon as the page started to search, I lost the whole bottom row of icons on my screen and then the Ukash virus popped up again and locked me out.

I have followed the instructions on your site as best I can - I am a novice and apologise if I've completely misunderstood the things I should be doing and appear stupid - I did have a lot of problems trying to get the GMER thing to work - it didn't pop up and ask if I wanted to do a full scan but didn't give me any option for anything else, so I ended up doing, I expect, a full scan as it took about 2 hours... anyway I tried again and fiddled around with the options on the top and the autostart seemed to give a small amount of scan info so I've saved that and hope that's the right bit to have done.

I notice you recommend people update their virus packages regularly - I had just updated mine on Sunday so was really surprised to get a virus in the first place (I have the Microsoft Security Essentials package). I appreciate that my ability may mean that your advice is simply dig deep and plod off to an IT person who you can pay to sort the problem out, but thought I'd try this site first as it would be good to learn. I've pasted the files below as per your instructions and appreciate any help you can give me, many thanks.

hijack log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:56:09, on 12/09/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [WSManHTTPConfig] C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE4\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
--
End of file - 5096 bytes

DDS text file:

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Administrator at 14:58:20 on 2012-09-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.401 [GMT 1:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Microsoft Internet Explorer provided by Orange UK
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [WSManHTTPConfig] c:\documents and settings\administrator.catherin-zge1zi\local settings\application data\microsoft\windows\912\WSManHTTPConfig.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: orange search - file://c:\program files\orange4\cache\SelectedContextSearch.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E5845F11-365B-433F-BB6D-550870630CDB} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-3-27 167808]
S0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-7-29 65848]
S1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_42020.sys [2012-8-11 228376]
S1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-7-29 71480]
S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-7-29 166840]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-9-13 308656]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-9-9 655944]
S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-7-29 976728]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-7 250056]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\drivers\emusba10.sys --> c:\windows\system32\drivers\emusba10.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-9-9 22344]
S3 RapportIaso;RapportIaso;c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-6-6 21520]
S4 Everet_;Everet_;c:\windows\system32\drivers\ati1btxx.sys [2007-9-22 56623]
.
=============== Created Last 30 ================
.
2012-09-12 13:11:10 -------- dc----w- c:\documents and settings\administrator.catherin-zge1zi\application data\hellomoto
2012-09-12 13:09:15 -------- dc----w- c:\program files\Microsoft Windows OneCare Live
2012-09-09 15:41:01 -------- dc----w- c:\documents and settings\administrator.catherin-zge1zi\application data\Malwarebytes
2012-09-09 15:40:54 -------- dc----w- c:\documents and settings\all users.windows\application data\Malwarebytes
2012-09-09 15:40:53 22344 -c--a-w- c:\windows\system32\drivers\mbam.sys
2012-09-09 15:40:53 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-09 14:40:17 7022536 -c--a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{105b1e4d-16fe-41ee-b877-4b0fa6322f9a}\mpengine.dll
2012-09-07 17:43:32 7022536 -c--a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
.
==================== Find3M ====================
.
2012-08-29 19:58:01 426184 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-29 19:58:00 70344 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-29 19:52:38 65848 -c--a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-07-06 13:58:51 78336 -c--a-w- c:\windows\system32\browser.dll
2012-07-04 14:05:18 139784 -c--a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15 1866112 -c--a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49:33 916992 -c--a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49:32 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49:32 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05:43 385024 -c--a-w- c:\windows\system32\html.iec
.
============= FINISH: 14:59:08.81 ===============

attach text file:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 22/09/2007 19:37:09
System Uptime: 12/09/2012 14:43:39 (0 hours ago)
.
Motherboard: Dell Computer Corp. | | 02X378
Processor: Intel(R) Pentium(R) 4 CPU 2.00GHz | Microprocessor | 1992/400mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 19 GiB total, 5.214 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1077: 01/09/2012 12:52:45 - Software Distribution Service 3.0
RP1078: 02/09/2012 16:46:38 - Software Distribution Service 3.0
RP1079: 05/09/2012 15:02:30 - Software Distribution Service 3.0
RP1080: 07/09/2012 18:43:27 - Software Distribution Service 3.0
RP1081: 09/09/2012 15:39:56 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
ACDSee for PENTAX 3.0
Adobe Acrobat 4.0
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player 11.5
aiofw
aioprnt
aioscnnr
AmpliTube LE
C4USelfUpdater
center
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
GEAR 32bit Driver Installer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Extreme Graphics Driver
Intel(R) PRO Ethernet Adapter and Software
Java(TM) 6 Update 6
KODAK AiO Home Centre
ksDIP
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
NETGEAR WG111v2 wireless USB 2.0 adapter
OGA Notifier 2.0.0048.0
Orange Search Toolbar
PreReq
Rapport
Safari
SafeCast Shared Components
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SoundMAX
Uniblue PowerSuite
Uniblue RegistryBooster
Uniblue SpeedUpMyPC
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
ViewSonic Monitor Drivers
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
12/09/2012 14:54:54, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.135.826.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8704.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode 
12/09/2012 14:27:29, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.135.826.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8704.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
12/09/2012 13:27:40, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.135.826.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8704.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode 
12/09/2012 13:27:39, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/09/2012 13:17:01, error: Dhcp [1002] - The IP address lease 192.168.1.9 for the Network Card with network address 001B2F733B47 has been denied by the DHCP server 10.106.183.65 (The DHCP Server sent a DHCPNACK message).
12/09/2012 13:11:16, error: Dhcp [1002] - The IP address lease 192.168.1.10 for the Network Card with network address 001B2F733B47 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
09/09/2012 16:36:17, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter RapportKELL StarOpen
09/09/2012 16:35:34, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
07/09/2012 18:32:18, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
05/09/2012 14:51:46, error: Service Control Manager [7003] - The Kodak AiO Network Discovery Service service depends on the following nonexistent service: Bonjour Service
05/09/2012 14:51:44, error: Dhcp [1002] - The IP address lease 192.168.1.9 for the Network Card with network address 001B2F733B47 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================

ark text file:

GMER 1.0.15.15641 - http://www.gmer.net
Autostart scan 2012-09-12 19:15:23
Windows 5.1.2600 Service Pack 3

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@GinaDLLRtlGina2.dll = RtlGina2.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
dimsntfy@DllName = %SystemRoot%\System32\dimsntfy.dll
igfxcui@DLLName = igfxsrvc.dll
WgaLogon@DLLName = WgaLogon.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
[email protected] = C:\WINDOWS\system32\drivers\CDAC11BA.EXE
Kodak AiO Network Discovery Service@ImagePath = C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
MBAMService@ImagePath = "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe"
MsMpSvc@ImagePath = "c:\Program Files\Microsoft Security Client\MsMpEng.exe"
RapportMgmtService@ImagePath = "C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe"
[email protected] = %SystemRoot%\system32\drivers\scsiport.sys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@HotKeysCmdsC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe
@Conime%windir%\system32\conime.exe = %windir%\system32\conime.exe
@EKIJ5000StatusMonitorC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
@MSC"c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey = "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
@WSManHTTPConfigC:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe = C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe
@Malwarebytes' Anti-Malware"C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray = "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/(null) = 
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) = 
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL = C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/(null) = 
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{11016101-E366-4D22-BC06-4ADA335C892B} /*IE History and Feeds Shell Data Source for Windows Search*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{8856f961-340a-11d0-a96b-00c04fd705a2} /*Microsoft Web Browser*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{09A47860-11B0-4DA5-AFA5-26D86198A780} /*EPP*/c:\PROGRA~1\MI239C~1\shellext.dll = c:\PROGRA~1\MI239C~1\shellext.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\EPP@{09A47860-11B0-4DA5-AFA5-26D86198A780} = c:\PROGRA~1\MI239C~1\shellext.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\EPP@{09A47860-11B0-4DA5-AFA5-26D86198A780} = c:\PROGRA~1\MI239C~1\shellext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll = C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.google.co.uk/
HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
[email protected] = C:\WINDOWS\system32\msvidctl.dll
[email protected] = C:\WINDOWS\System32\itss.dll
[email protected] = C:\WINDOWS\System32\msvidctl.dll
[email protected] = %SystemRoot%\System32\inetcomm.dll
[email protected] = C:\WINDOWS\System32\itss.dll
[email protected] = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
[email protected] = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
[email protected] = C:\WINDOWS\system32\msvidctl.dll
HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll
---- EOF - GMER 1.0.15 ----

Many thanks.


----------
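From a triage standpoint the two entries in the GMER autostart listing above that deserve a look are `GinaDLL = RtlGina2.dll` under Winlogon (Windows XP loads msgina.dll when that value is absent, and the ComboFix runs later in this thread show `c:\windows\system32\RtlGina2.dll` among the deletions) and the `WSManHTTPConfig` Run entry, whose executable sits under the user's `Local Settings\Application Data` rather than under Program Files or system32. The Python below is an added example, not part of this thread and not GMER or ComboFix code: it parses GMER's `@NameData = Data` line format and applies those two checks to lines copied from the log above. The baselines are Windows XP defaults, the function names are this example's own, and a hit is a lead rather than a verdict (third-party GINA DLLs exist, and the thread does not establish what the WSManHTTPConfig binary is).

```python
"""
Added example (not from the thread, not GMER or ComboFix code): parse GMER's
autostart listing and flag a non-default Winlogon GinaDLL and any Run entry
that starts a binary from a user-profile directory.  Baselines are Windows XP
defaults; helper names are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# Windows XP defaults for the Winlogon values worth checking (basename only).
# GinaDLL is normally absent, in which case Winlogon loads msgina.dll.
XP_DEFAULTS = {"userinit": "userinit.exe", "shell": "explorer.exe", "ginadll": "msgina.dll"}
RUN_KEY_MARKER = "\\currentversion\\run"            # matches Run and RunOnce keys
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\",
                 "\\application data\\", "\\temp\\")

# Constructed sample: lines copied from the GMER autostart log in this thread.
SAMPLE_LOG = r'''
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@GinaDLLRtlGina2.dll = RtlGina2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@HotKeysCmdsC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe
@MSC"c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey = "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
@WSManHTTPConfigC:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe = C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background
'''


def split_gmer_value(line: str) -> Optional[Tuple[str, str]]:
    """Split a GMER '@NameData = Data' line into (name, data).

    GMER writes the value name immediately followed by the data, then ' = ',
    then the data again, so the right split is the ' = ' whose left side
    ends with its right side.
    """
    body = line[1:]
    pos = body.find(" = ")
    while pos != -1:
        left, data = body[:pos], body[pos + 3:]
        if left.endswith(data):
            return left[: len(left) - len(data)], data
        pos = body.find(" = ", pos + 1)
    return None


def parse_autostart(text: str) -> List[Dict[str, str]]:
    """Return [{key, name, data}] for every '@' value under a '>>>' key header."""
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(">>>"):
            key = line[:-3].strip()
        elif line.startswith("@") and key:
            parsed = split_gmer_value(line)
            if parsed:
                entries.append({"key": key, "name": parsed[0], "data": parsed[1]})
    return entries


def exe_path(data: str) -> str:
    """Executable path from a Run-key command line, quoted or bare."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|com|scr|pif|cpl))(?:[\s,]|$)", data, re.IGNORECASE)
    return m.group(1) if m else data


def triage(text: str) -> List[Dict[str, str]]:
    """Apply the two checks to every parsed entry; a hit is a lead, not a verdict."""
    findings = []
    for e in parse_autostart(text):
        key, name, data = e["key"].lower(), e["name"], e["data"]
        path = exe_path(data)
        base = path.rsplit("\\", 1)[-1].lower()
        expected = XP_DEFAULTS.get(name.lower())
        if key.endswith("\\winlogon") and expected and base != expected:
            findings.append({"severity": "high", "entry": f"{name} = {data}",
                             "reason": f"Winlogon {name} differs from the XP default {expected}"})
        elif RUN_KEY_MARKER in key and any(s in path.lower() for s in USER_WRITABLE):
            findings.append({"severity": "medium", "entry": f"{name} = {data}",
                             "reason": "autostart binary lives under a user-writable profile path"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['reason']}: {f['entry']}")
```

Run against the sample it reports the GinaDLL entry as high and the WSManHTTPConfig entry as medium, and stays quiet about hkcmd.exe, msseces.exe, ctfmon.exe and msmsgs.exe. The profile-path rule is deliberately broad; on a real box it will also surface legitimate per-user installers, which is why the output is a worklist for the analyst rather than a removal list.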



## Catherine-N (Sep 12, 2012)

Bump


----------



## Cookiegal (Aug 27, 2003)

Please visit *Combofix Guide & Instructions* for instructions for installing the Recovery Console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices (don't worry, the keyboard and mouse will still function) to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.


----------



## Catherine-N (Sep 12, 2012)

Thanks Cookiegirl.

I followed the steps & two things:

1. When it reached the stage where it was going to auto-show the log, it took my PC out of safe mode and then the Ukash screen came up again and locked me out.

I shut down & restarted in safe mode again. I looked in C/puppy and am guessing the most recently created file is the one I should paste.

2. When I logged onto Tech Guy in safe mode I discovered I have lost my keyboard: an e comes out as French accented, t doesn't do anything, i and a both have accents on them...

I'm going to type the log in manually from my iPhone, so I hope I've got the spaces and returns & whatnot right. Here goes anyway!!

ComboFix 12-09-18.07 - Administrator 19/09/2012. 18:33:25.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.517 [GMT 1:00]
Running from: C:\Documents and settings\Administrator.CATHERIN-ZGE1ZI\Desktop\puppy.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBC}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

(((((((((((((((((((((((((((((((((((((((. *Other Deletions. *)))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\My Documents\~WRL0436.tmp
C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\My Documents\~WRL0717.tmp
C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\My Documents\~WRL1193.tmp
C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\My Documents\~WRL2012.tmp
C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\My Documents\~WRL3307.tmp
C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\Recent\Thumbs.db
C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\WINDOWS
C:\Documents and Settings\All Users.WINDOWS\Application Data\xmlD.tmp
C:\Documents and Settings\All Users.WINDOWS\Application Data\xmlE.tmp
C:\Documents and Settings\All Users.WINDOWS\Application Data\xmlF.tmp
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.1.0.inf
C:\WINDOWS\system32\RtlGina2.dll
C:\WINDOWS\system32\SET33.tmp
C:\WINDOWS\system32\SET37.tmp
C:\WINDOWS\system32\SET3F.tmp

Ok think that was it. Thanks for your help!


----------



## Catherine-N (Sep 12, 2012)

Ps - sorry - Cookiegal...


----------



## Cookiegal (Aug 27, 2003)

There would be much more to the log than that. It would be located at C:\combofix.txt.


----------



## Catherine-N (Sep 12, 2012)

Thanks Cookiegal - but that was the name of the file...just located in C:\puppy\combofix.txt - which I figured was because I'd saved the programme as puppy?

I've just logged on again anyway and done a search of combofix.txt and the only file that came up is that one in the puppy folder on the C drive. What's weird is that my keyboard is working again now!

Could it be because the combofix didn't get to automatically open the file and the Ukash virus screen came on again that maybe it didn't complete the process? Or maybe part of the file got wiped?

Should I run the combofix again? Is there any way I can ensure it restarts in safe mode as otherwise the virus just stops it completing?

Appreciate your help & advice.
Thanks
Catherine.


----------



## Cookiegal (Aug 27, 2003)

The log should not be in the puppy folder. It should be in the root (C: drive).

Download and run the following tool to help allow other programs to run. _(Courtesy of BleepingComputer.com)_
There are 4 different versions. If one of them won't run then download and try to run the other one. Do not reboot after running this program.

Vista and Win7 users need to right click and choose *Run as Admin* 
*You only need to get one of them to run, not all of them.*

rkill.exe
rkill.com
rkill.scr
rkill.pif

Then run ComboFix again please. Be sure to disable your security programs before running ComboFix.


----------



## Catherine-N (Sep 12, 2012)

Ok - seems to have worked with the first link - here's the file that popped up:

ComboFix 12-09-20.01 - Administrator 20/09/2012 16:16:15.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.446 [GMT 1:00]
Running from: c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Desktop\puppy.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\My Documents\~WRL0436.tmp
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\My Documents\~WRL0717.tmp
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\My Documents\~WRL1193.tmp
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\My Documents\~WRL2012.tmp
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\My Documents\~WRL3307.tmp
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Recent\Thumbs.db
c:\documents and settings\All Users.WINDOWS\Application Data\xmlD.tmp
c:\documents and settings\All Users.WINDOWS\Application Data\xmlE.tmp
c:\documents and settings\All Users.WINDOWS\Application Data\xmlF.tmp
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
c:\windows\system32\RtlGina2.dll
c:\windows\system32\SET33.tmp
c:\windows\system32\SET37.tmp
c:\windows\system32\SET3F.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-08-20 to 2012-09-20 )))))))))))))))))))))))))))))))
.
.
2012-09-19 16:57 . 2012-08-22 23:15 7022536 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{84A1B710-62B5-47B1-B504-7784DA9D5136}\mpengine.dll
2012-09-12 13:11 . 2012-09-12 13:32 -------- dc----w- c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto
2012-09-12 13:09 . 2012-09-12 13:09 -------- dc----w- c:\program files\Microsoft Windows OneCare Live
2012-09-09 15:41 . 2012-09-09 15:41 -------- dc----w- c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Malwarebytes
2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-09 15:40 . 2012-07-03 12:46 22344 -c--a-w- c:\windows\system32\drivers\mbam.sys
2012-09-09 14:40 . 2012-08-22 23:15 7022536 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-29 19:58 . 2012-05-07 10:15 426184 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-29 19:58 . 2011-12-18 18:29 70344 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-29 19:52 . 2012-07-29 19:52 65848 -c--a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-07-06 13:58 . 2001-08-23 12:00 78336 -c--a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2007-09-22 18:25 139784 -c--a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2001-08-23 12:00 1866112 -c--a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2001-08-23 12:00 916992 -c--a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2001-08-23 12:00 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2001-08-23 12:00 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2007-09-22 19:10 385024 -c--a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"WSManHTTPConfig"="c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe" [2012-09-09 89600]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
"5353:UDP"= 5353:UDP:Bonjour Port 5353
.
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [27/03/2006 17:53 167808]
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [29/07/2012 20:52 65848]
S1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [11/08/2012 15:26 228376]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [29/07/2012 20:52 71480]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [29/07/2012 20:52 166840]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [13/09/2010 18:18 308656]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [09/09/2012 16:40 655944]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [29/07/2012 20:52 976728]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [07/05/2012 11:15 250056]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\DRIVERS\emusba10.sys --> c:\windows\system32\DRIVERS\emusba10.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [09/09/2012 16:40 22344]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [06/06/2012 17:52 21520]
S4 Everet_;Everet_;c:\windows\system32\drivers\ati1btxx.sys [22/09/2007 20:11 56623]
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 19:58]
.
2012-09-19 c:\windows\Tasks\User_Feed_Synchronization-{13B53172-B98C-4AF0-AC9B-BD5D56344E2C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: orange search - file://c:\program files\ORANGE4\Cache\SelectedContextSearch.htm
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-20 16:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,44,22,f2,ee,ea,06,46,92,8a,c5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,c8,4e,54,da,d8,7b,42,80,f8,6f,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,13,2f,59,e9,78,d7,52,47,b9,53,cb,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(184)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXEV.DLL
.
Completion time: 2012-09-20 16:29:12
ComboFix-quarantined-files.txt 2012-09-20 15:29
.
Pre-Run: 5,552,099,328 bytes free
Post-Run: 5,539,196,928 bytes free
.
- - End Of File - - 612E1057337AFC23909419E1B839D164


----------
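The three values ComboFix lists under LOCKED REGISTRY KEYS in the log above all start with the same 20 bytes: a DWORD of 1 followed by `d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb`, which is the little-endian encoding of the DPAPI provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}. That is the header CryptProtectData() puts on every blob it produces, and Internet Explorer keeps DPAPI-protected data under `User Preferences`, so these entries are worth recognising before anyone spends time on them. The Python below is an added example, not part of the thread and not ComboFix code: it reassembles the REGEDIT4 `hex:` values from the lines copied out of the log (ComboFix cuts each value short, which the parser has to tolerate) and checks the DPAPI header. The provider GUID is the documented constant; the function names and the field names in the returned dict are this example's own.

```python
"""
Added example (not from the thread, not ComboFix code): recognise DPAPI blobs
in the hex values ComboFix prints under LOCKED REGISTRY KEYS.  The blob layout
used here is the CryptProtectData() output format: DWORD version, GUID
provider, DWORD master-key version, GUID master key, then the rest.
"""
import re
import uuid
from typing import Dict, List, Optional

DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# Constructed sample: the locked-key block copied from the ComboFix log in this
# thread.  ComboFix truncates each hex value, so every blob here is incomplete.
SAMPLE_REG = r'''
[HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,44,22,f2,ee,ea,06,46,92,8a,c5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,c8,4e,54,da,d8,7b,42,80,f8,6f,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,13,2f,59,e9,78,d7,52,47,b9,53,cb,\
'''

HEX_VALUE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<data>.*)$')
HEX_CONT = re.compile(r'^[0-9a-fA-F]{2}(,[0-9a-fA-F]{2})*,?\\?$')


def parse_reg_hex(text: str) -> Dict[str, bytes]:
    """Collect REGEDIT4 'name=hex:' values, joining their continuation lines.

    Continuation is decided by line shape (comma-separated hex pairs) rather
    than by the trailing backslash, because ComboFix drops the backslash on
    the first line of a truncated value.
    """
    parts: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEX_VALUE.match(line)
        if m:
            current = m.group("name")
            parts[current] = [m.group("data").rstrip("\\")]
        elif current and HEX_CONT.match(line):
            parts[current].append(line.rstrip("\\"))
        else:
            current = None
    return {name: bytes.fromhex("".join(chunks).replace(",", ""))
            for name, chunks in parts.items()}


def dpapi_header(blob: bytes) -> Optional[Dict[str, object]]:
    """Return the DPAPI header fields, or None if the bytes do not look like one.

    The master-key GUID is reported only when all 16 of its bytes survived
    truncation; 'truncated' says whether the fixed header was cut short.
    """
    if len(blob) < 20:
        return None
    version = int.from_bytes(blob[0:4], "little")
    provider = uuid.UUID(bytes_le=blob[4:20])
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        return None
    header: Dict[str, object] = {
        "version": version, "provider": str(provider),
        "masterkey_version": None, "masterkey_guid": None,
        "truncated": len(blob) < 40,
    }
    if len(blob) >= 24:
        header["masterkey_version"] = int.from_bytes(blob[20:24], "little")
    if len(blob) >= 40:
        header["masterkey_guid"] = str(uuid.UUID(bytes_le=blob[24:40]))
    return header


def classify_locked_keys(text: str) -> Dict[str, str]:
    """Map each hex value name to 'dpapi-blob' or 'unknown'."""
    return {name: ("dpapi-blob" if dpapi_header(blob) else "unknown")
            for name, blob in parse_reg_hex(text).items()}


if __name__ == "__main__":
    for name, verdict in classify_locked_keys(SAMPLE_REG).items():
        print(f"{name}: {verdict}")
```

All three values classify as DPAPI blobs with master-key version 1; the master-key GUID comes back as None because only 11 of its 16 bytes made it into the log. A matching header does not say what the data is, only who wrote it, so the conclusion is that these are CryptProtectData() output under the user's own key, not evidence of tampering.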



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
Folder::
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.


----------



## Catherine-N (Sep 12, 2012)

Hi Cookiegal - ok - followed your instructions - here's the log it created:

ComboFix 12-09-20.03 - Administrator 21/09/2012 19:38:23.3.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.443 [GMT 1:00]
Running from: c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Desktop\puppy.exe
Command switches used :: c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto\BukF.dat
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto\TujP.dat
.
.
((((((((((((((((((((((((( Files Created from 2012-08-21 to 2012-09-21 )))))))))))))))))))))))))))))))
.
.
2012-09-20 15:13 . 2012-09-20 15:29 -------- dc----w- C:\puppy
2012-09-19 16:57 . 2012-08-22 23:15 7022536 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{84A1B710-62B5-47B1-B504-7784DA9D5136}\mpengine.dll
2012-09-12 13:09 . 2012-09-12 13:09 -------- dc----w- c:\program files\Microsoft Windows OneCare Live
2012-09-09 15:41 . 2012-09-09 15:41 -------- dc----w- c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Malwarebytes
2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-09 15:40 . 2012-07-03 12:46 22344 -c--a-w- c:\windows\system32\drivers\mbam.sys
2012-09-09 14:40 . 2012-08-22 23:15 7022536 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-29 19:58 . 2012-05-07 10:15 426184 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-29 19:58 . 2011-12-18 18:29 70344 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-29 19:52 . 2012-07-29 19:52 65848 -c--a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-07-06 13:58 . 2001-08-23 12:00 78336 -c--a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2007-09-22 18:25 139784 -c--a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2001-08-23 12:00 1866112 -c--a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2001-08-23 12:00 916992 -c--a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2001-08-23 12:00 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2001-08-23 12:00 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2007-09-22 19:10 385024 -c--a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"WSManHTTPConfig"="c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe" [2012-09-09 89600]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
"5353:UDP"= 5353:UDP:Bonjour Port 5353
.
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [27/03/2006 17:53 167808]
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [29/07/2012 20:52 65848]
S1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [11/08/2012 15:26 228376]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [29/07/2012 20:52 71480]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [29/07/2012 20:52 166840]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [13/09/2010 18:18 308656]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [09/09/2012 16:40 655944]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [29/07/2012 20:52 976728]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [07/05/2012 11:15 250056]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\DRIVERS\emusba10.sys --> c:\windows\system32\DRIVERS\emusba10.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [09/09/2012 16:40 22344]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [06/06/2012 17:52 21520]
S4 Everet_;Everet_;c:\windows\system32\drivers\ati1btxx.sys [22/09/2007 20:11 56623]
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 19:58]
.
2012-09-19 c:\windows\Tasks\User_Feed_Synchronization-{13B53172-B98C-4AF0-AC9B-BD5D56344E2C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: orange search - file://c:\program files\ORANGE4\Cache\SelectedContextSearch.htm
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-21 19:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,44,22,f2,ee,ea,06,46,92,8a,c5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,c8,4e,54,da,d8,7b,42,80,f8,6f,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,13,2f,59,e9,78,d7,52,47,b9,53,cb,\
.
Completion time: 2012-09-21 19:50:24
ComboFix-quarantined-files.txt 2012-09-21 18:50
ComboFix2.txt 2012-09-20 15:29
.
Pre-Run: 5,502,648,320 bytes free
Post-Run: 5,530,439,680 bytes free
.
- - End Of File - - AA18AF5BFAFD49609C307D96222F2836


----------



## Cookiegal (Aug 27, 2003)

Download *OTS.exe* to your Desktop.

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Double-click on *OTS.exe* to start the program.
At the top put a check mark in the box beside "Scan All Users".
Under the *Additional Scans* section put a check in the box next to Disabled MS Config Items, NetSvcs and EventViewer logs (Last 10 errors).
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## Catherine-N (Sep 12, 2012)

Good morning Cookiegal! OK, I followed the next steps and have attached the notepad file as instructed (well, at least I think I've attached it properly...)

Have a great day!


----------



## Cookiegal (Aug 27, 2003)

Start *OTS*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here please.


```
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\] > -> HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY ->  5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Empty Temp Folders]
[EmptyFlash]
[EmptyJava]
[Start Explorer]
[Reboot]
```


----------



## Catherine-N (Sep 12, 2012)

Hi Cookiegal - well, I feel a bit depressed now... I followed the instructions and pasted the fix, but when it finished, a message box telling me it was finished didn't pop up and so Notepad didn't open. What happened was a message popped up telling me the system required a reboot and did I want to, etc. It didn't give me any option to say no; there was only one button I could click to continue, so I had to let it reboot.

Once back up and in safe mode, on the desktop I could see a new thing called Thumbs.db. I thought maybe that's the text file and it's called .db for some special reason. So I clicked on that and a message popped up saying something along the lines of I was attempting to open a certain sort of file and it was used for certain things and I could damage things if I went ahead, and did I want to go ahead. So I clicked cancel, as obviously it wasn't the text file and I didn't want to damage anything.

I then thought I'd do a search of all the files created today using .tx as my search reference. This came up with loads of txt files: 15 of them in the Documents and Settings folders \ Cookies. Then there was one file in the C:\windows folder called ntbtlog.txt (is that the one?) and one called WGAErrlog.txt in the C:\Windows\temp folder, and finally one txt file called drivetable.txt in C:\system volume information\_restore{a load of letters & numbers}.

Are any of those the file I need? Thanks, Catherine.


----------



## Catherine-N (Sep 12, 2012)

PS - I've just been panicking and wondering if my USB keys will also be infected, and thinking I've not mentioned that they are permanently plugged into my PC. Apols Cookiegal - should I have mentioned them, and should I have removed them even though they may be infected? Thanks, Catherine


----------



## Cookiegal (Aug 27, 2003)

It's normal for the fix to reboot the machine. The Thumbs.db is a normally hidden file that you're now seeing because we've unhidden files using some tools. This will be hidden again when we're done.

Download *OTL* to your Desktop. 

Double-click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. 
Under Custom Scans/Fixes type in *Netsvcs*.
Click the Run Scan button. Do not change any other settings unless otherwise instructed. The scan won't take long. 
When the scan completes, it will open two Notepad windows called *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL. 
Please copy and paste the contents of both of these files here in your next reply.


----------



## Catherine-N (Sep 12, 2012)

Dear Cookiegal - things have got really bad this end. I logged on and was trying to log onto my account but it said I was putting in the wrong password. I hit the browser back button and then a sign came up from the PC's security thing (that's down on the right hand side); it said your computer is infected and to click on it. I didn't though, as I didn't want to do anything that you hadn't told me to, in case I messed up what we were doing.

Then a dialogue box came up with quite a long message saying something about infection and in brackets a trojan name. I ran to get a pen to jot the info down so's I could tell you. When I came back the screen had changed and this thing was scanning called "Live Security Platinum". I don't know what that is though, as the only package I'm aware of having is MSE. Anyway, I sat there in a bit of a panic wondering what to do. I watched as it scanned and listed loads of trojans and worms and things and what they did (stole passwords / system crashes and the like), and when it finished it told me I had 38 infections, what the different types were (spyware, virus etc.) and asked did I want to remove them now.
I really wanted to click yes, but as you've not told me to, and I really know nothing about these things, I decided to choose save the log file and continue without removing them. I then, to get rid of the Live Security Platinum screen (there wasn't a close button I could see), had to shut the PC off using the on/off button and then start up in safe mode again. On my desktop was a new icon for Live Security and a file called AVGIDSagent, which I think is the scan thing I saved.

I then tried to log onto TSG's site, but whilst I could get the link from Google, every time I clicked on it I got redirected to sex sites or dating sites and things. I've not been able to do the next instructions you've given me... also, earlier when I logged on to reply to you I had to click on that link for diagnostics on my internet to get my internet connection live again, and it said I had the wrong password on the PC for my router, so I had to go and get that and type it in again, so am now worried my router password has been stolen... am going to log on again and manually type TSG's URL in as I haven't tried that, but don't know if I'll get to you...


----------



## Catherine-N (Sep 12, 2012)

OK - can get to you if I type the URL in... I now don't have any security as MSE won't start. When I click start, I get a dialogue box coming up that says it couldn't start as it's not installed and gives error code 0x80070424... here's the logs from the OTL scan (which took about 5-10 minutes to run..?)

OTL logfile created on: 23/09/2012 18:55:43 - Run 1
OTL by OldTimer - Version 3.2.66.0 Folder = C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

765.99 Mb Total Physical Memory | 547.80 Mb Available Physical Memory | 71.52% Memory free
1.83 Gb Paging File | 0.95 Gb Available in Paging File | 51.96% Paging File free
Paging file location(s): C:\pagefile.sys 1147 1147E:\pagef [Binary data over 200 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 5.21 Gb Free Space | 27.98% Space Free | Partition Type: NTFS
Drive E: | 983.72 Mb Total Space | 952.84 Mb Free Space | 96.86% Space Free | Partition Type: FAT
Drive F: | 7.45 Gb Total Space | 1.55 Gb Free Space | 20.79% Space Free | Partition Type: FAT32

Computer Name: CATHERIN-ZGE1ZI | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/23 18:53:08 | 000,601,600 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\OTL.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (No Company Name) ==========

MOD - [2012/09/23 19:13:11 | 000,056,320 | -H-- | M] () -- C:\WINDOWS\system32\drivinit.dll

========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/08/29 20:58:02 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/29 20:52:22 | 000,976,728 | ---- | M] (Trusteer Ltd.) [Auto | Stopped] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/09/13 18:18:32 | 000,308,656 | ---- | M] (Eastman Kodak Company) [Auto | Stopped] -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe -- (Kodak AiO Network Discovery Service)
SRV - [2008/02/28 18:38:57 | 000,054,784 | ---- | M] (Macrovision) [Auto | Stopped] -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)
SRV - [2004/08/03 22:29:30 | 000,056,623 | ---- | M] (ATI Technologies Inc.) [Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ati1btxx.sys -- (Everet_)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (SANDRA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\emusba10.sys -- (emusba10)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1.CAT\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/08/11 15:26:29 | 000,228,376 | ---- | M] () [Kernel | System | Stopped] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys -- (RapportCerberus_42020)
DRV - [2012/07/29 20:52:38 | 000,166,840 | ---- | M] (Trusteer Ltd.) [Kernel | System | Stopped] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2012/07/29 20:52:38 | 000,071,480 | ---- | M] (Trusteer Ltd.) [Kernel | System | Stopped] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2012/07/29 20:52:38 | 000,065,848 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/06/06 17:52:51 | 000,021,520 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Stopped] -- c:\Documents and Settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys -- (RapportIaso)
DRV - [2012/01/10 19:58:02 | 000,022,050 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smb.sys -- (smbusp)
DRV - [2010/02/16 05:38:12 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/02/28 18:37:51 | 000,012,464 | ---- | M] (Macrovision Europe Ltd) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\CdaC15BA.SYS -- (CdaC15BA)
DRV - [2007/02/27 14:31:28 | 000,021,504 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2006/07/24 16:05:00 | 000,005,632 | ---- | M] () [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2006/03/27 17:53:28 | 000,167,808 | ---- | M] (NETGEAR Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wg111v2.sys -- (RTLWUSB)
DRV - [2003/12/08 11:53:48 | 000,053,600 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcan5wn.sys -- (alcan5wn)
DRV - [2003/12/08 11:53:46 | 000,070,688 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcaudsl.sys -- (alcaudsl)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {4ED64256-D2C7-48A2-93CA-71172E98F252}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{4ED64256-D2C7-48A2-93CA-71172E98F252}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\..\SearchScopes,DefaultScope = {4ED64256-D2C7-48A2-93CA-71172E98F252}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{20F6C098-5252-458B-91F3-B1201AB3D1F8}: "URL" = http://uk.search.yahoo.com/search?p={searchTerms}&fr=FP-tab-web-t340&ei=UTF-8&meta=vc%3D
IE - HKCU\..\SearchScopes\{4ED64256-D2C7-48A2-93CA-71172E98F252}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADFA_enGB483
IE - HKCU\..\SearchScopes\{5C6A7172-72BD-481B-B6C5-1D6517A91047}: "URL" = http://www.bing.com/search?q={searchTerms}&form=IE8SRC&src=IE-SearchBox
IE - HKCU\..\SearchScopes\{C671450A-FB91-48E9-BE07-60AD54D3A0D0}: "URL" = http://search.lycos.co.uk/cgi-bin/pursuit?SITE=uk&query={searchTerms}&cat=loc
IE - HKCU\..\SearchScopes\{CCD6B7BE-C69A-4022-BF80-21FB59A32AC0}: "URL" = http://search.aol.co.uk/web?query={searchTerms}&restrict=wholeweb&isinit=true&invocationType=aolhathp_uk_Po&avtype=
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

[2006/10/15 19:48:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2006/10/15 19:43:48 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

O1 HOSTS File: ([2012/09/21 19:47:56 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [scptsd] C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\scptsd.dll ()
O4 - HKLM..\Run: [WSManHTTPConfig] C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe ()
O4 - HKCU..\Run: [Oxlil] C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Kyoxo\esnum.exe ()
O4 - HKCU..\RunOnce: [6F63A58B2B17D97999E020957B07D287] C:\Documents and Settings\All Users.WINDOWS\Application Data\6F63A58B2B17D97999E020957B07D287\6F63A58B2B17D97999E020957B07D287.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: orange search - C:\Program Files\ORANGE4\Cache\SelectedContextSearch.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll (Sun Microsystems, Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E5845F11-365B-433F-BB6D-550870630CDB}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/10/06 11:37:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: igfxhare - (C:\WINDOWS\system32\drivinit.dll) - C:\WINDOWS\system32\drivinit.dll ()
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Sharedaccess - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: BITS - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/09/23 19:16:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Start Menu\Programs\Live Security Platinum
[2012/09/23 19:14:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Vyda
[2012/09/23 19:14:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Siaqn
[2012/09/23 19:14:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Kyoxo
[2012/09/23 19:13:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\6F63A58B2B17D97999E020957B07D287
[2012/09/23 19:12:48 | 000,183,808 | ---- | C] (Blue Ripple Sound ) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\uilap.dll
[2012/09/23 18:53:03 | 000,601,600 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\OTL.exe
[2012/09/23 11:26:18 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/09/23 11:25:57 | 000,000,000 | ---D | C] -- C:\_OTS
[2012/09/22 10:45:28 | 000,646,656 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\OTS.exe
[2012/09/21 19:50:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/09/20 16:13:51 | 000,000,000 | ---D | C] -- C:\puppy
[2012/09/19 18:31:18 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/09/19 18:28:32 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/09/19 18:28:32 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/09/19 18:28:32 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/09/19 18:28:32 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/09/19 18:28:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/09/19 18:28:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2012/09/19 18:15:37 | 004,754,290 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\puppy.exe
[2012/09/12 14:56:58 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\dds.com
[2012/09/12 14:54:39 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\HijackThis.exe
[2012/09/12 14:09:15 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows OneCare Live
[2012/09/09 16:41:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Malwarebytes
[2012/09/09 16:40:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/09/09 16:40:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2012/09/09 16:40:53 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/09/09 16:40:53 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/09/09 16:35:05 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2008/02/26 11:02:15 | 000,079,328 | ---- | C] (MCCI) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\mqdmserd.sys
[2008/02/26 11:02:15 | 000,005,936 | ---- | C] (MCCI) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\mqdmwhnt.sys
[2008/02/26 11:02:14 | 000,092,064 | ---- | C] (MCCI) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\mqdmmdm.sys
[2008/02/26 11:02:14 | 000,009,232 | ---- | C] (MCCI) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\mqdmmdfl.sys
[2008/02/26 11:02:14 | 000,004,048 | ---- | C] (MCCI) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\mqdmcr.sys
[2008/02/26 11:02:13 | 000,066,656 | ---- | C] (MCCI) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\mqdmbus.sys
[2008/02/26 11:02:13 | 000,006,208 | ---- | C] (MCCI) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\mqdmcmnt.sys
[2008/02/26 11:02:12 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\usbsermptxp.sys
[2008/02/26 11:02:11 | 000,022,768 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\usbsermpt.sys

========== Files - Modified Within 30 Days ==========

[2012/09/23 19:20:06 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
[2012/09/23 19:19:38 | 000,012,146 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\AVGIDSAgent
[2012/09/23 19:16:28 | 000,002,330 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\Live Security Platinum.lnk
[2012/09/23 19:13:58 | 000,425,984 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\scptsd.dll
[2012/09/23 19:13:11 | 000,056,320 | -H-- | M] () -- C:\WINDOWS\System32\drivinit.dll
[2012/09/23 19:12:48 | 000,183,808 | ---- | M] (Blue Ripple Sound ) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\uilap.dll
[2012/09/23 18:53:08 | 000,601,600 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\OTL.exe
[2012/09/23 18:44:37 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/23 18:44:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/22 10:45:33 | 000,646,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\OTS.exe
[2012/09/21 19:47:56 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/09/21 19:35:15 | 004,754,290 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\puppy.exe
[2012/09/19 18:48:01 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{13B53172-B98C-4AF0-AC9B-BD5D56344E2C}.job
[2012/09/19 18:31:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/09/19 18:16:19 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/12 15:00:42 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\3yiexhpn.exe
[2012/09/12 14:57:14 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\dds.com
[2012/09/12 14:55:08 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\HijackThis.exe
[2012/09/09 16:40:56 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/09 15:56:16 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/08/31 16:37:07 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2012/08/31 14:39:55 | 000,219,248 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/08/31 14:04:47 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/08/29 20:58:01 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/08/29 20:58:00 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

========== Files Created - No Company Name ==========

[2012/09/23 19:19:38 | 000,012,146 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\AVGIDSAgent
[2012/09/23 19:16:27 | 000,002,330 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\Live Security Platinum.lnk
[2012/09/23 19:14:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
[2012/09/23 19:13:58 | 000,425,984 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\scptsd.dll
[2012/09/23 19:13:11 | 000,056,320 | -H-- | C] () -- C:\WINDOWS\System32\drivinit.dll
[2012/09/19 18:31:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/09/19 18:31:20 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/09/19 18:28:32 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/09/19 18:28:32 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/09/19 18:28:32 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/09/19 18:28:32 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/09/19 18:28:32 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/09/19 18:16:19 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/12 15:00:39 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\3yiexhpn.exe
[2012/09/09 16:40:56 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/18 13:26:43 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2008/10/12 21:19:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\LauncherAccess.dt
[2008/06/16 19:43:11 | 000,063,730 | ---- | C] () -- C:\Program Files\viewsonicinstruct_xp.pdf
[2008/05/16 23:14:18 | 000,018,944 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/26 11:02:13 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\MCCI_MDM.INF
[2008/02/26 11:02:13 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\MCCI_SDM.INF
[2008/02/26 11:02:12 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\USB_MOT_BRIT.INF
[2008/02/26 11:02:12 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\MCCI_BUS.INF
[2008/02/26 11:02:12 | 000,006,141 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\USBMOT2000XP.INF
[2008/02/26 11:02:12 | 000,005,960 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\USB_MOT_A1000.INF
[2008/02/26 11:02:12 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\USB_CMCS_2000.INF
[2008/02/26 11:02:11 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\USBMOT2000.INF

========== ZeroAccess Check ==========

[2007/09/22 21:35:35 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 01:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 01:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
< End of report >

and here's the extras.txt

OTL Extras logfile created on: 23/09/2012 18:55:43 - Run 1
OTL by OldTimer - Version 3.2.66.0 Folder = C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

765.99 Mb Total Physical Memory | 547.80 Mb Available Physical Memory | 71.52% Memory free
1.83 Gb Paging File | 0.95 Gb Available in Paging File | 51.96% Paging File free
Paging file location(s): C:\pagefile.sys 1147 1147E:\pagef [Binary data over 200 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 5.21 Gb Free Space | 27.98% Space Free | Partition Type: NTFS
Drive E: | 983.72 Mb Total Space | 952.84 Mb Free Space | 96.86% Space Free | Partition Type: FAT
Drive F: | 7.45 Gb Total Space | 1.55 Gb Free Space | 20.79% Space Free | Partition Type: FAT32

Computer Name: CATHERIN-ZGE1ZI | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
https [open] -- "C:\Program Files\Safari\Safari.exe" -url "%1" (Apple Inc.)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [ACDSee 9.0.Browse] -- "C:\Program Files\ACD Systems\ACDSee\9.0\ACDSeeQV.exe" "%1" (ACD Systems Ltd.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

========== Authorized Applications List ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0645A454-AD44-4F0D-99CF-6B762735AD1F}" = aioprnt
"{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
"{10934A28-0CC6-4B98-A14F-76B3546003AF}" = ksDIP
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{216EAAD9-D733-4141-BEAF-2C0B6F6B1D04}" = AmpliTube LE
"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java(TM) 6 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{48B41C3A-9A92-4B81-B653-C97FEB85C910}" = C4USelfUpdater
"{56BA241F-580C-43D2-8403-947241AAE633}" = center
"{5E453519-60F6-4A4D-A0BF-16663F9B3536}" = Safari
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{793A260C-CDBF-499C-ABBA-B51E8E076867}_is1" = Uniblue PowerSuite
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{92022F8E-2E55-4A16-88EB-B4778B35E942}" = ACDSee for PENTAX 3.0
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4FEA924-630D-11D4-B78E-005004566E4D}" = ViewSonic Monitor Drivers
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4A4722E-79F9-417C-BD72-8D359A090C97}" = Samsung PC Studio 3
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DA5BDB2A-12F0-4343-8351-21AAEB293990}" = PreReq
"{DE6B7599-D3EF-4436-8836-BAA0B0D7768D}" = aiofw
"{E0F252A6-DE85-4E93-A93B-DFC3537B3965}" = NETGEAR WG111v2 wireless USB 2.0 adapter
"{E0F274B7-592B-4669-8FB8-8D9825A09858}" = KODAK AiO Home Centre
"{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1" = Uniblue SpeedUpMyPC
"{E63E34A7-E552-412B-9E40-FD6FC5227ABA}_is1" = Uniblue RegistryBooster
"{E89B484C-B913-49A0-959B-89E836001658}" = GEAR 32bit Driver Installer
"{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}" = Samsung PC Studio 3 USB Driver Installer
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{FE24086F-3B0C-4C47-A874-97A7B8E2FBBE}" = aioscnnr
"Adobe Acrobat 4.0" = Adobe Acrobat 4.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"CdaC13Ba" = SafeCast Shared Components
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{E0F252A6-DE85-4E93-A93B-DFC3537B3965}" = NETGEAR WG111v2 wireless USB 2.0 adapter
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"orange4" = Orange Search Toolbar
"PROSet" = Intel(R) PRO Ethernet Adapter and Software
"Rapport_msi" = Rapport
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Live Security Platinum" = Live Security Platinum

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 07/06/2012 16:08:31 | Computer Name = CATHERIN-ZGE1ZI | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 11/06/2012 11:26:30 | Computer Name = CATHERIN-ZGE1ZI | Source = ESENT | ID = 485
Description = wuauclt (3436) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log"
failed with system error 32 (0x00000020): "The process cannot access the file because
it is being used by another process. ". The delete file operation will fail with
error -1032 (0xfffffbf8).

Error - 09/07/2012 14:00:50 | Computer Name = CATHERIN-ZGE1ZI | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application winword.exe, version 11.0.8345.0, stamp 4f3c32b8,
faulting module winword.exe, version 11.0.8345.0, stamp 4f3c32b8, debug? 0, fault
address 0x00805639.

Error - 12/07/2012 10:01:05 | Computer Name = CATHERIN-ZGE1ZI | Source = MsiInstaller | ID = 11719
Description = Product: Microsoft Office Professional Edition 2003 -- Error 1719.
The Windows Installer Service could not be accessed. This can occur if you are 
running Windows in safe mode, or if the Windows Installer is not correctly installed.
Contact your support personnel for assistance.

Error - 12/07/2012 10:01:05 | Computer Name = CATHERIN-ZGE1ZI | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Professional Edition 2003 - Update 'Security
Update for Office 2003 (KB2598361): VBE6' could not be installed. Error code 1603.
Windows Installer can create logs to help troubleshoot issues with installing software
packages. Use the following link for instructions on turning on logging support:
http://go.microsoft.com/fwlink/?LinkId=23127

Error - 29/08/2012 13:07:09 | Computer Name = CATHERIN-ZGE1ZI | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P2 4.0.1526.0, P3 timeout, P4 1.1.8601.0, P5 fixed, P6 1 _ 1024, P7 5 _ not boot,
P8 NIL, P9 NIL, P10 NIL.

Error - 20/09/2012 11:33:32 | Computer Name = CATHERIN-ZGE1ZI | Source = Microsoft Security Client | ID = 5000
Description =

Error - 20/09/2012 11:34:48 | Computer Name = CATHERIN-ZGE1ZI | Source = Microsoft Security Client | ID = 5000
Description =

Error - 20/09/2012 11:35:06 | Computer Name = CATHERIN-ZGE1ZI | Source = Microsoft Security Client | ID = 5000
Description =

Error - 20/09/2012 11:35:42 | Computer Name = CATHERIN-ZGE1ZI | Source = Microsoft Security Client | ID = 5000
Description =

[ OSession Events ]
Error - 07/10/2007 13:08:03 | Computer Name = CATHERIN-ZGE1ZI | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

[ System Events ]
Error - 23/09/2012 14:22:49 | Computer Name = CATHERIN-ZGE1ZI | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 23/09/2012 14:23:52 | Computer Name = CATHERIN-ZGE1ZI | Source = Service Control Manager | ID = 7003
Description = The Kodak AiO Network Discovery Service service depends on the following
nonexistent service: Bonjour Service

Error - 23/09/2012 14:23:52 | Computer Name = CATHERIN-ZGE1ZI | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm MpFilter RapportKELL StarOpen

Error - 23/09/2012 14:23:52 | Computer Name = CATHERIN-ZGE1ZI | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error: 
%%1060

Error - 23/09/2012 14:24:58 | Computer Name = CATHERIN-ZGE1ZI | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 23/09/2012 13:44:11 | Computer Name = CATHERIN-ZGE1ZI | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.12 for the Network Card with network
address 001B2F733B47 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 23/09/2012 13:44:36 | Computer Name = CATHERIN-ZGE1ZI | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 23/09/2012 13:45:36 | Computer Name = CATHERIN-ZGE1ZI | Source = Service Control Manager | ID = 7003
Description = The Kodak AiO Network Discovery Service service depends on the following
nonexistent service: Bonjour Service

Error - 23/09/2012 13:45:36 | Computer Name = CATHERIN-ZGE1ZI | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm MpFilter RapportKELL StarOpen

Error - 23/09/2012 13:45:36 | Computer Name = CATHERIN-ZGE1ZI | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error: 
%%1060

< End of report >
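The two logs above are what a helper actually reads through, so here is an added triage example (editor's code, not OTL's and not part of either poster's reply): a Python script that parses OTL's file entries and its ZeroAccess Check section and reports what deserves a look first. The sample input is excerpted from the log above (one long non-ASCII folder name shortened); the HIJACK_SAMPLE lines, the REFERENCE date, the KNOWN_TOOLS whitelist and the scoring rules are the editor's assumptions, not OTL output.

```python
"""Triage an OTL log excerpt: flag suspicious file entries and check the ZeroAccess section.
Added example, not OTL's code. SAMPLE_LOG excerpts the log above (one non-ASCII name
shortened); HIJACK_SAMPLE, REFERENCE, KNOWN_TOOLS and the scoring rules are assumptions."""
import re
from datetime import datetime, timedelta

# OTL file entry: [date time | size | attrs | C/M] (company) -- path
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$")
# ZeroAccess Check section: a CLSID key header, then the InProcServer32 default value
KEY_LINE = re.compile(r"^\[(?P<hive>HKEY_[A-Z_]+)\\.*\{(?P<clsid>[0-9a-f-]{36})\}", re.I)
INPROC_LINE = re.compile(r'^"" = (?P<path>.+?) -- \[[^\]]*\] \((?P<company>[^)]*)\)$')

PE_EXT = (".dll", ".exe", ".com", ".scr", ".sys", ".cpl")
KNOWN_TOOLS = {"pev.exe", "mbr.exe", "sed.exe", "grep.exe", "zip.exe"}  # ComboFix helpers in C:\WINDOWS
# CLSIDs OTL inspects for ZeroAccess and the Microsoft DLL each should load
EXPECTED_SERVER = {"42aedc87-2188-41fd-b9a3-0c966feabec1": "shdocvw.dll",
                   "f3130cdb-aa52-4c3a-ab32-85ffc23af9c1": "wbemess.dll"}
SYSTEM32 = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")
REFERENCE = datetime(2012, 9, 24)  # assumed: the day after the log was taken

SAMPLE_LOG = r'''
[2012/09/23 19:13:58 | 000,425,984 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\scptsd.dll
[2012/09/23 19:13:11 | 000,056,320 | -H-- | C] () -- C:\WINDOWS\System32\drivinit.dll
[2012/09/23 19:12:48 | 000,183,808 | ---- | M] (Blue Ripple Sound ) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\uilap.dll
[2012/09/23 19:14:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\¹º»¼½¾¿
[2012/09/23 18:53:08 | 000,601,600 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\OTL.exe
[2012/08/29 20:58:01 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/09/19 18:28:32 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 01:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 01:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
'''
# Constructed input: a per-user override of the same CLSID, the case OTL's HKCU line exists to catch
HIJACK_SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = C:\Documents and Settings\User\Local Settings\Application Data\evil.dll -- [2012/09/23 19:13:00 | 000,056,320 | -H-- | M] ()
'''

def file_reasons(entry, reference, recent_days=7):
    """Heuristic reasons an entry deserves a look; an empty list means ignore it."""
    parts = entry["path"].split("\\")
    parent, name = parts[-2].lower(), parts[-1]
    is_pe = name.lower().endswith(PE_EXT)
    reasons = []
    if is_pe and not entry["company"] and parent in ("system32", "windows"):
        reasons.append("binary with no company name in a Windows directory")
    if is_pe and parent == "application data":
        reasons.append("binary dropped directly into Application Data")
    if is_pe and "H" in entry["attrs"]:
        reasons.append("hidden attribute set on a binary")
    if any(ord(c) > 127 for c in name):
        reasons.append("non-ASCII file name")
    if reasons and reference - entry["ts"] <= timedelta(days=recent_days):
        reasons.append("written in the last %d days" % recent_days)
    return reasons

def triage(text, reference=REFERENCE):
    """Map each flagged path in an OTL log to its list of reasons."""
    flagged = {}
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m or m["path"].split("\\")[-1].lower() in KNOWN_TOOLS:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%Y/%m/%d %H:%M:%S")
        entry["company"] = entry["company"].strip()
        reasons = file_reasons(entry, reference)
        if reasons:
            flagged[entry["path"]] = reasons
    return flagged

def check_zeroaccess(lines):
    """Return (clsid, finding) pairs for InProcServer32 values that look hijacked."""
    findings, hive, clsid = [], None, None
    for line in lines:
        key = KEY_LINE.match(line.strip())
        if key:
            hive, clsid = key["hive"].upper(), key["clsid"].lower()
            continue
        m = INPROC_LINE.match(line.strip())
        if not m or clsid not in EXPECTED_SERVER:
            continue
        path, company = m["path"], m["company"].strip()
        genuine = (path.split("\\")[-1].lower() == EXPECTED_SERVER[clsid]
                   and company == "Microsoft Corporation" and path.lower().startswith(SYSTEM32))
        if hive == "HKEY_CURRENT_USER":  # a per-user entry shadows the HKLM one
            findings.append((clsid, "per-user override of a machine CLSID: " + path))
        elif not genuine:
            findings.append((clsid, "unexpected server %s (%s)" % (path, company)))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG), check_zeroaccess((SAMPLE_LOG + HIJACK_SAMPLE).splitlines()))
```

Run as-is it flags scptsd.dll and uilap.dll (binaries written straight into the Application Data root), the hidden drivinit.dll in System32 and the folder with the non-ASCII name, while OTL.exe, Adobe's FlashPlayerApp.exe and ComboFix's PEV.exe pass; that is the same set of files the fix script later in the thread targets. The HKCU branch exists because HKEY_CURRENT_USER\Software\Classes is merged over HKEY_LOCAL_MACHINE\Software\Classes when a CLSID is resolved, so a per-user InProcServer32 under that key silently replaces the Microsoft DLL without touching the HKLM value that looks clean; on this log no value is listed under the HKCU key, so the check comes back empty.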


----------



## Cookiegal (Aug 27, 2003)

Did you just download something related to Blue Ripple Sound?


----------



## Catherine-N (Sep 12, 2012)

Not that I'm aware of. I've only downloaded from the links you've pasted for me. I've tried to follow the instructions given exactly - had them up on my iPhone so I could close browsers etc... What I'm wondering is if I messed up: after turning that real-time tick box off in MSE, maybe I didn't turn it on properly again (in safe mode the screen is so stretched I can only just reach the save button) - have I messed up...?


----------



## Cookiegal (Aug 27, 2003)

Please run OTL again. Under the *Custom Scans/Fixes* box at the bottom paste in the following:


```
:OTL
O4 - HKCU..\Run: [Oxlil] C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Kyoxo\esnum.exe ()
O4 - HKCU..\RunOnce: [6F63A58B2B17D97999E020957B07D287] C:\Documents and Settings\All Users.WINDOWS\Application Data\6F63A58B2B17D97999E020957B07D287\6F63A58B2B17D97999E020957B07D287.exe ()
[2012/09/23 19:16:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Start Menu\Programs\Live Security Platinum
[2012/09/23 19:14:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Vyda
[2012/09/23 19:14:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Siaqn
[2012/09/23 19:14:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Kyoxo
[2012/09/23 19:13:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\6F63A58B2B17D97999E020957B07D287
[2012/09/23 19:12:48 | 000,183,808 | ---- | C] (Blue Ripple Sound ) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\uilap.dll
[2012/09/23 19:20:06 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
[2012/09/23 19:16:28 | 000,002,330 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\Live Security Platinum.lnk
[2012/09/23 19:13:58 | 000,425,984 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\scptsd.dll
[2012/09/23 19:13:11 | 000,056,320 | -H-- | M] () -- C:\WINDOWS\System32\drivinit.dll
[2012/09/23 19:12:48 | 000,183,808 | ---- | M] (Blue Ripple Sound ) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\uilap.dll
[2012/09/23 19:16:27 | 000,002,330 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\Live Security Platinum.lnk
[2012/09/23 19:14:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
[2012/09/23 19:13:58 | 000,425,984 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\scptsd.dll
[2012/09/23 19:13:11 | 000,056,320 | -H-- | C] () -- C:\WINDOWS\System32\drivinit.dll
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.


----------



## Cookiegal (Aug 27, 2003)

I just edited the fix so please refresh your browser before running it.


----------



## Catherine-N (Sep 12, 2012)

OK, bad news: I can no longer get on in safe mode. It does the usual scrolling of lots of path-like things (white text on a black background) but stops at multi(0)disk(0)rdisk(0)partition(1)\windows\system32\drivers\Mup.sys

I've tried twice and each time it just stops at this point. What should I do?


----------



## Cookiegal (Aug 27, 2003)

Are you able to boot to Windows normally?


----------



## Catherine-N (Sep 12, 2012)

Just tried, but what happens now is it just keeps going back to that page "We apologize for the inconvenience but Windows did not start successfully etc. etc..."
I'm not hitting F8, and even if I don't touch anything and let it count down the seconds automatically until Windows starts, it just goes back to the page with the Windows logo and the white box ticking along with blue boxes, then to the next page with the logo again and the white box with white filler, and then back to "We apologise etc. etc...."


----------



## Cookiegal (Aug 27, 2003)

Try selecting "Last Known Good Configuration".


----------



## Catherine-N (Sep 12, 2012)

Thanks - tried that - unfortunately that's not worked either. My iPhone just froze on the internet as well, so now I am completely paranoid my router's been infected (don't know if that's possible though)...


----------



## Cookiegal (Aug 27, 2003)

Do you have your installation CD?


----------



## Catherine-N (Sep 12, 2012)

Oh dear....no, one of the many losses from the renovation works...is that my only option?


----------



## Cookiegal (Aug 27, 2003)

Not necessarily. Since we installed the Recovery Console, we can use that to see if we can fix it. That is, assuming you've tried all other boot options "safe mode with networking" and "safe mode with command prompt", etc. and none of them worked. If that's the case, then please do the following:

Reboot and select *Recovery Console* from the startup options menu.

You should then see the following message:


```
Microsoft Windows(R) Recovery Console

The Recovery Console provides system repair and recovery functionality. 
Type EXIT to exit the Recovery Console and restart the computer.

1: C:\WINDOWS 

Which Windows Installation would you like to log on to?
(To cancel, press ENTER)
```
Enter the number 1 to log onto your Windows installation. You will be prompted to enter the password for the Administrator account. Please do that and then you should see the following command prompt:

C:\Windows

At the command prompt, type the following command (make sure to include the space between the "g" and the "/"):

*bootcfg /list*

Then report back exactly what it says there please.


----------



## Catherine-N (Sep 12, 2012)

Ok thanks.

Here's exactly what I did and what happened. 

Firstly - I turned my PC on. The internal battery in my PC is low and if it's unplugged from the wall I have to manually enter the date & time. As it was unplugged from the wall I had to choose F2 to do date/time, then hit Escape once set and let it reboot.

I then got a screen come up which gave a list of options as follows (I've not seen this before):

Safe Mode
Safe Mode With Networking
Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Service Restore Mode (Windows Domain Controllers Only)
Debugging Mode
Disable Automatic Restart On System Failure
Start Windows Normally
Reboot
Return to OS choices Menu

Wasn't sure what to pick...so picked Reboot.

Machine went back to the logo page and then to that page giving me the 3 safe modes, last known good config or start normally.

I picked normally and it went back round to the logo page and then back to the 3 safe modes/last config etc. page again.

So I tried last known configuration. It just went round again. At no point did it say Microsoft Recovery Console.

So as it repeated the pattern - I hit F12 which said Boot Menu. That took me to a page where finally I saw the option Microsoft Windows Recovery Console. I selected that and the next page was just completely black except in the top left corner it said

NTLDR is compressed
Press Ctrl+Alt+Delete to restart.

I sat for a while - nothing happened, so hit Ctrl+Alt+Del so that I could exit and turn the PC off.


----------



## Cookiegal (Aug 27, 2003)

What is the make and model? Is it a laptop or desktop?

Do you know if it has a recovery partition?

Do you have everything important backed up to some external media?


----------



## Catherine-N (Sep 12, 2012)

OK, it's a Dell Intel Pentium desktop. I didn't know where to see the model number, so I'm going to ask a mate at work who's IT-savvy to show me where to look/find it.

If it's any help, the monitor is a ViewSonic VA176w.

Will get back to you later with the correct model no.
Thanks
Catherine


----------



## Catherine-N (Sep 12, 2012)

Oh, PS I don't know what a recovery partition is...

All my important files I moved to the 2 USB keys ages ago that I have plugged in - in the hope that would free space and allow it to run better (didn't free much space and didn't run much faster, so don't know what is so big it uses all my machine up). Presumably they'll be infected now though. Anyway it won't be the end of the world if I lose what's on them. The really important stuff - music packages & material etc. - is on my other PC and I haven't dared turn that on till we fix this PC.


----------



## Cookiegal (Aug 27, 2003)

The model should be indicated somewhere on the tower.

USB flash drives should not be left plugged in all the time. When removing them you should use the "remove hardware safely" wizard.


----------



## Catherine-N (Sep 12, 2012)

OK, sorry for the delay - there's a big black label and it has

Model No: DHP A: 1.5/0.75A. FCC class: B

There's also a service tag no. - do you need that?

Thanks for your help - sorry it's such a muddle - it would probably help if I had a bit of a clue!!


----------



## Catherine-N (Sep 12, 2012)

Oh...sorry - my friend just called me and told me to look at the power button.... It says "Optiplex OX260".
He says that's my model number...(it may be 280 - bad eyesight, and 6 and 8 look similar..)

Sorry I'm so IT useless!!!


----------



## Cookiegal (Aug 27, 2003)

Yes, please provide the service tag number.


----------



## Catherine-N (Sep 12, 2012)

OK, it's 3PN500J


----------



## Catherine-N (Sep 12, 2012)

Hi Cookiegal - apols, we are having a debate and it's either O0J or it's Q0J ... They're not clear for those with bad eyesight... Also not sure if they're zeros or capital O's - neither of us can tell!


----------



## Cookiegal (Aug 27, 2003)

Are you able to borrow an XP Pro installation disk from a friend or family member?


----------



## Catherine-N (Sep 12, 2012)

I can ask. This really is going to sound daft, but based on the fact I'm OK with working the packages but know nothing else, it just occurred to me...when I bought my other PC about 5 yrs ago I bought it from a company that builds bespoke machines designed for music. They sent a load of disks with it and manuals to do with the motherboard & that type of thing (like S-Series M/board etc.) that I've never read or looked at. I just use Cubase and sound packages for writing. They recommended I didn't go on the net with it and I don't have Word or anything like that as I don't need it. Anyway - I just remembered when I turn it on it comes up with the XP logo, so I just looked in the box and the following disks are there:

Asus graphic card
Asus VGA driver
VGA driver for Windows
Windows XP OEM preinstallation kit for Service Pack 3 (says also preinstallation disk for msbuilders only)
And a shiny one: Windows XP Home Edition, includes Service Pack 3, version 2002, Part no X14-73422


Are any of these what I need?

If not will ask friends and family...though it will take a few days as we all live all over the place.


----------



## Catherine-N (Sep 12, 2012)

Hello again - my friend has just given me a disk which says

Operating System
Reinstallation CD
Microsoft Windows XP Professional
Service Pack 2

So are any of the others or this one what I need?


----------



## Cookiegal (Aug 27, 2003)

Sorry for the delay in replying. I've been researching the recovery options for this model (without knowing the exact model but just Optiplex should be sufficient). I believe this computer has a recovery partition that will restore the system back to the way it was when you first got it (restored to factory settings). You said you had everything important already backed up. I don't know if that includes e-mails, documents, photos and music as well because once a factory reset is done, everything that wasn't backed up elsewhere (to external media) will be lost. That includes programs that you installed after you got the computer. Those will have to be reinstalled so make sure you have the necessary media and licence keys to reinstall and activate them.

But at this point, I think it's the best way to go. If you wish to proceed, then please follow Steps 2 and 3 in this link:

http://support.dell.com/support/top...=us&l=en&s=gen&docid=DSN_181316&isLegacy=true

Once you do the reset, make sure you visit Windows Update and download and install all updates that have been issued since you got the computer.

Please report back how it went.


----------



## Catherine-N (Sep 12, 2012)

Thanks - tried to follow steps but Ctrl & F11 didn't do anything. Tried loads of times for different lengths of time - just kept flashing up to the page where it gives you 3 optioms (inc recovery) for a second and then back round to the "Windows did not start properly" etc - can't move the cursor to any option so it just counts down & reboots. 

A couple of times on the circuit a page flashed for a fraction of a moment and I could just about glimpse the words Phoenix operating.

I hit F12 on the last circuit round and wrote down all the options it gives there in case they're any hope:

1. Normal
2. Diskette Drive
3. Hard Disk Drive C:
4. IDE CD Rom Device

5. System Setup
6. IDE Drive Diagnostics
7. Boot to Utility Partition

Just hit 1 for normal and let it go round on the circuit again and then used the power button to switch off.

Thanks for your help & time.


----------



## Cookiegal (Aug 27, 2003)

Alright, we are going to try something else. ComboFix did run even though it seems the Recovery Console wasn't installed. We will try to invoke a backup it created when you first ran it. Please do the following:

1. Insert the Windows install disk (use the one with SP2 from post no. 44) and boot from the CD.
2. Press any key on the keyboard when prompted to continue.
3. Select the option "*To repair a Windows XP installation using Recovery Console, press R*" by pressing *R* to load the Recovery Console. *Note: Be very careful to select the correct option here.*
4. Enter your password when prompted.
5. You must enter which Windows installation to log onto. Since you only have one, *type 1* and press Enter.
6. At the C:\Windows prompt, type the following bolded text exactly as written (including the space) and press Enter:

   *cd ERDNT\Hiv-backup*

7. At the next prompt, type the following bolded text, and press Enter:

   *batch erdnt.con*

   The ERUNT backups will begin copying.

8. At the next prompt, type the following bolded text, and press Enter:

   *exit*

Windows will now begin loading.


----------



## TerryNet (Mar 23, 2005)

Comments on post # 46; not suggesting that you act on this unless/until Cookiegal says to try.

On that F12 menu you might want to try (7) in case the Utility Partition contains something useful or (5) to see what is possible there. If you get to the point of wanting to boot from an XP installation CD you will want to choose (4).


----------



## Catherine-N (Sep 12, 2012)

Ok thanks Cookiegal - can I just check - will I have to put a capital R in and then shift and the number 2 to get the double speech mark symbol? Thought I should check before I start... Should I also do what TerryNet has posted?


----------



## Cookiegal (Aug 27, 2003)

Catherine-N said:


> Ok thanks Cookiegal - can I just check - will I have to put a capital R in and then shift and the number 2 to get the double speech mark symbol? Thought I should check before I start... Should I also do what TerryNet has posted?


It's not case sensitive and there are no quotation marks to type, it's simply the letter R all by itself. It may be necessary to change the boot sequence so that the system boots from the CD drive first, so press F12 and then select option 4 there (as Terry mentioned). Once that's done, proceed with the instructions I posted for now. We may have to try another recovery if this doesn't work, but if it does work then you shouldn't lose anything.


----------



## Catherine-N (Sep 12, 2012)

Thanks - I'm doing it now but it hasn't asked me for the Windows installation so I can't put in 1.

I'm now at a page that says

Microsoft windows xp(tm) recovery console.

The recovery console provides system repair and recovery functionality.

Type EXIT to quit the recovery console and restart the computer.

C:\>

it doesn't say C:\WINDOWS

Does that matter? Should I type the windows in & then the rest of the code you gave and remove the > symbol?... Sorry, I just don't want to get it wrong so thought best to ask first
Thanks


----------



## Cookiegal (Aug 27, 2003)

Well that's not good. It's not seeing the Windows installation. There are only a few commands that can run from the C:\> prompt. Let's try this one. Don't change anything when you get to the C:\> prompt, just type in the following then hit Enter:

*chkdsk c: /r*

It should run chkdsk and check for errors on the hard drive. It may fix something in the process. It can take a long time to run so let it complete and then exit the Recovery Console and try rebooting the machine.


----------



## TerryNet (Mar 23, 2005)

Is the "C" drive in the last several posts the partition with the installed Windows or the partition with the Recovery Console?

If you do not know you should be able to type *dir* at the prompt to get the directory contents.


----------



## Catherine-N (Sep 12, 2012)

Right, I'm hoping this is good news!!!

OK, typed it in and after quite a time the following came up (just in case you need to know this)

Found & fixed one or more errors on the volume
19543040 kilobytes total disk space.
5485316 kilobytes are available.

4096 bytes in each allocation unit.
4885760 total allocation units on disc.
1371329 allocation units available on disk.

C:\>

I did exit and it rebooted and went back to the hit any key. Got all the steps as per your original instructions and then the final exit and it rebooted again.

At first it went straight back to the hit any key - I didn't press anything and then it went back to that "we're sorry Windows had a problem" & offering safe mode etc.
The cursor was on normal so I hit Enter and it chugged away and then started up and opened up normally (btw - I don't have a p/word on my login - think I made it sound like that when I was referring to logging onto my tgs account).

Anyway - obviously the USB wireless thing isn't plugged in - but anyway as I wasn't in safe mode and I don't know if that means I've got the virus or not - I just shut down to await further instructions!!

Anyway, seems like it's good news - but then what do I know??!

Btw - thanks so much for helping me - especially on a weekend - I really do appreciate it. Will sit tight and wait for your next advice. Thanks v much


----------



## Catherine-N (Sep 12, 2012)

PS - have just posted this and seen Terry's post, which I have absolutely no idea what the answer would be, nor where / at what point I should be typing dir in... am just gonna wait till you give me my next moves - thanks again Cookiegal.


----------



## Cookiegal (Aug 27, 2003)

So you're able to boot to Windows normally now?


----------



## Cookiegal (Aug 27, 2003)

When you say you followed the original instructions which ones do you mean?


----------



## Catherine-N (Sep 12, 2012)

Yes


----------



## Catherine-N (Sep 12, 2012)

The ones where I chose 1 as the installation and then put in the codes cd ERDNT\Hiv-backup etc.


----------



## Catherine-N (Sep 12, 2012)

Also I noticed the live platinum desktop icon had gone from my desktop, although the file I saved, AVGIDSagent, was still there.


----------



## Cookiegal (Aug 27, 2003)

Wonderful! Good job. :up:

OK, so we had run OTS before so you should still have it. I'd like to run that again.

1. Close any open browsers.
2. If your Real protection or Antivirus interferes with OTS, allow it to run.
3. Double-click on *OTS.exe* to start the program.
4. At the top put a check mark in the box beside "Scan All Users".
5. Under the *Additional Scans* section put a check in the box next to Disabled MS Config Items, IE Explorer Bars, NetSvcs, EventViewer logs (Last 10 errors) and Lop Check.
6. Now click the *Run Scan* button on the toolbar.
7. Let it run unhindered until it finishes.
8. When the scan is complete Notepad will open with the report file loaded in it.
9. Save that Notepad file.
10. Use the *Reply* button, scroll down to the attachments section and attach the Notepad file here.


----------



## Catherine-N (Sep 12, 2012)

Should I do this in safe mode or normal mode??


----------



## Cookiegal (Aug 27, 2003)

Please do it in normal mode.


----------



## Cookiegal (Aug 27, 2003)

It might be best to uninstall it if you still have it on your desktop as we ran ComboFix first and now we've restored the registry to before running OTS.

Then redownload it.


----------



## Catherine-N (Sep 12, 2012)

Hi Cookiegal - can't believe I'm sending this from my pc...!!! Amazing!

Here's the file from OTS attached.

Thanks,
Catherine.


----------



## Catherine-N (Sep 12, 2012)

Sorry - only just saw your message about uninstalling - the scan took ages - MSE was busy sending me messages and quarantined a trojan along the way. Do I need to redo anything?


----------



## Cookiegal (Aug 27, 2003)

It's alright as long as it worked fine. 

I'd like to know what MSE found though. Please check the logs and report back where it was located.


----------



## Catherine-N (Sep 12, 2012)

OK. MSE history:

Ones I agreed for it to remove (it kept discovering them & seems to still be discovering) I removed all from quarantine.

These are in the detected items section - assume I should remove? :-

Trojan:Win32/Sirefef.AQ (x6 times)
Trojan:Win32/Sirefef.AL (x5 times)
Trojan:Win32/Sirefef.K
Trojan:Win32/Sirefef.AG
TrojanDownloader:Win32/Karagany.L
PWS:Win32/Zbot.gen!Y

Then these are in the quarantined items section - all start Trojan:Win32/Sirefef

.AL (x 5 times)
.AQ (x 5 times)

Assume I should remove all? Thanks again!


----------



## Cookiegal (Aug 27, 2003)

Please do this first.

Please go here and download *TDSSKiller.exe* to your desktop.

1. Double-click TDSSKiller.exe on your desktop to run it.
2. Click on *Start Scan*.
3. As we don't want to fix anything yet, if any malicious objects are detected, *do NOT select Cure* but select *Skip* instead.
4. It will produce a log once it finishes in the root drive which should look like this example:

   C:\TDSSKiller.<version_date_time>log.txt

Please copy and paste the contents of that log in your next reply.


----------



## Cookiegal (Aug 27, 2003)

I'd also like you to do the following please.

Please download *SystemLook* from one of the links below and save it to your Desktop.

- *Download Mirror #1*
- *Download Mirror #2*

1. Double-click *SystemLook.exe* to run it.
2. Copy the content of the following code box into the main text field:

   ```
   :dir
   C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data
   C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto
   C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Vyda
   C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Siaqn
   C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Kyoxo
   C:\Documents and Settings\All Users.WINDOWS\Application Data\6F63A58B2B17D97999E020957B07D287
   ```

3. Click the *Look* button to start the scan.
4. When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.

*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*

And then this please.

Please go to *VirusTotal* and upload the following file for scanning.

1. Click *Browse*
2. Copy and paste the contents of the following code box into the text box next to *File name:* then click *Open*

   ```
   C:\WINDOWS\System32\drivinit.dll
   ```

3. Click *Send File*
4. If confronted with two options, choose *Reanalyse file now*
5. Wait for the scan to finish and then copy and paste the URL from your browser address bar in your next reply please.

Please do the same for these files as well:

C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\btbgi.dll
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\uilap.dll


----------



## Catherine-N (Sep 12, 2012)

Just clicked... that was the file names - not where they were.

OK, looks like the 2nd pane shows me that... if it is then here's the storage place:

C:\RECYCLER\S-1-5-21-1659004503-1897051121-682003330-500\$9b5c698507560e9b12b8eda5d6dba6ef\U\[email protected]

MSE's just found some more - same address as above only ends with [email protected]


----------



## Cookiegal (Aug 27, 2003)

OK, that's fine. Thanks for getting the additional information. Please run TDSSKiller.


----------



## Catherine-N (Sep 12, 2012)

Oh no... I thought maybe I was asking a really obvious/stupid question so I let MSE remove them all... sorry... will wait properly next time.

Should I still do the TDSSKiller instructions and the next ones as well?


----------



## Cookiegal (Aug 27, 2003)

That's OK. Please proceed with TDSSKiller and the rest too.


----------



## Catherine-N (Sep 12, 2012)

OK. TDSSKiller text file:

20:52:56.0138 1420 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
20:52:56.0232 1420 ============================================================
20:52:56.0232 1420 Current date / time: 2012/09/30 20:52:56.0232
20:52:56.0232 1420 SystemInfo:
20:52:56.0232 1420 
20:52:56.0232 1420 OS Version: 5.1.2600 ServicePack: 3.0
20:52:56.0232 1420 Product type: Workstation
20:52:56.0232 1420 ComputerName: CATHERIN-ZGE1ZI
20:52:56.0232 1420 UserName: Administrator
20:52:56.0232 1420 Windows directory: C:\WINDOWS
20:52:56.0232 1420 System windows directory: C:\WINDOWS
20:52:56.0232 1420 Processor architecture: Intel x86
20:52:56.0232 1420 Number of processors: 1
20:52:56.0232 1420 Page size: 0x1000
20:52:56.0232 1420 Boot type: Normal boot
20:52:56.0232 1420 ============================================================
20:52:59.0888 1420 Drive \Device\Harddisk0\DR0 - Size: 0x4A94F0000 (18.65 Gb), SectorSize: 0x200, Cylinders: 0x982, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
20:52:59.0919 1420 ============================================================
20:52:59.0919 1420 \Device\Harddisk0\DR0:
20:52:59.0919 1420 MBR partitions:
20:52:59.0919 1420 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x2546802
20:52:59.0919 1420 ============================================================
20:52:59.0951 1420 C: <-> \Device\Harddisk0\DR0\Partition1
20:52:59.0951 1420 ============================================================
20:52:59.0951 1420 Initialize success
20:52:59.0951 1420 ============================================================
20:53:01.0919 0704 ============================================================
20:53:01.0919 0704 Scan started
20:53:01.0919 0704 Mode: Manual; 
20:53:01.0919 0704 ============================================================
20:53:36.0654 0704 PlugPlay - ok
20:53:36.0685 0704 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
20:53:36.0701 0704 PolicyAgent - ok
20:53:36.0748 0704 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:53:36.0748 0704 PptpMiniport - ok
20:53:36.0794 0704 [ A32BEBAF723557681BFC6BD93E98BD26 ] Processor C:\WINDOWS\system32\DRIVERS\processr.sys
20:53:36.0794 0704 Processor - ok
20:53:36.0810 0704 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
20:53:36.0810 0704 ProtectedStorage - ok
20:53:36.0873 0704 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
20:53:36.0888 0704 PSched - ok
20:53:36.0966 0704 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:53:36.0966 0704 Ptilink - ok
20:53:36.0982 0704 ql1080 - ok
20:53:36.0998 0704 Ql10wnt - ok
20:53:37.0013 0704 ql12160 - ok
20:53:37.0029 0704 ql1240 - ok
20:53:37.0060 0704 ql1280 - ok
20:53:37.0279 0704 [ 9054C4B91761773F0EFA59BED70C54B6 ] RapportCerberus_42020 C:\Documents and Settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys
20:53:37.0279 0704 RapportCerberus_42020 - ok
20:53:37.0419 0704 [ 093B6A040BCF3FD4A0FFF397BAF28330 ] RapportEI C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
20:53:37.0419 0704 RapportEI - ok
20:53:37.0498 0704 [ 35199EC35EDC7DCBA71FDA711DFB05C0 ] RapportIaso c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportms\39624\rapportiaso.sys
20:53:37.0513 0704 RapportIaso - ok
20:53:37.0623 0704 [ 660436FBE447EBC73873EF2B0B2094B4 ] RapportKELL C:\WINDOWS\system32\Drivers\RapportKELL.sys
20:53:37.0623 0704 RapportKELL - ok
20:53:37.0763 0704 [ 61B37C0B3FD7DA7414C20D917469BFFF ] RapportMgmtService C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
20:53:37.0810 0704 RapportMgmtService - ok
20:53:37.0935 0704 [ 3DE33A522BB73E161F20D444687E978B ] RapportPG C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
20:53:37.0951 0704 RapportPG - ok
20:53:37.0998 0704 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:53:37.0998 0704 RasAcd - ok
20:53:38.0076 0704 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
20:53:38.0076 0704 RasAuto - ok
20:53:38.0154 0704 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:53:38.0154 0704 Rasl2tp - ok
20:53:38.0232 0704 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
20:53:38.0232 0704 RasMan - ok
20:53:38.0279 0704 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:53:38.0294 0704 RasPppoe - ok
20:53:38.0357 0704 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
20:53:38.0373 0704 Raspti - ok
20:53:38.0435 0704 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:53:38.0451 0704 Rdbss - ok
20:53:38.0498 0704 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:53:38.0498 0704 RDPCDD - ok
20:53:38.0576 0704 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:53:38.0576 0704 rdpdr - ok
20:53:38.0669 0704 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
20:53:38.0685 0704 RDPWD - ok
20:53:38.0763 0704 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
20:53:38.0763 0704 RDSessMgr - ok
20:53:38.0841 0704 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
20:53:38.0841 0704 redbook - ok
20:53:38.0919 0704 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
20:53:38.0951 0704 RemoteAccess - ok
20:53:39.0029 0704 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
20:53:39.0029 0704 RemoteRegistry - ok
20:53:39.0091 0704 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\System32\locator.exe
20:53:39.0107 0704 RpcLocator - ok
20:53:39.0185 0704 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
20:53:39.0201 0704 RpcSs - ok
20:53:39.0279 0704 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\System32\rsvp.exe
20:53:39.0294 0704 RSVP - ok
20:53:39.0357 0704 [ 691DB86B09E13CA5D3E8881141738CC5 ] RTLWUSB C:\WINDOWS\system32\DRIVERS\wg111v2.sys
20:53:39.0373 0704 RTLWUSB - ok
20:53:39.0404 0704 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
20:53:39.0404 0704 SamSs - ok
20:53:39.0435 0704 SANDRA - ok
20:53:39.0591 0704 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
20:53:39.0607 0704 SCardSvr - ok
20:53:39.0685 0704 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
20:53:39.0685 0704 Schedule - ok
20:53:39.0779 0704 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:53:39.0779 0704 Secdrv - ok
20:53:39.0873 0704 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
20:53:39.0873 0704 seclogon - ok
20:53:39.0951 0704 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
20:53:39.0951 0704 SENS - ok
20:53:40.0013 0704 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
20:53:40.0013 0704 serenum - ok
20:53:40.0044 0704 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
20:53:40.0044 0704 Serial - ok
20:53:40.0107 0704 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
20:53:40.0123 0704 Sfloppy - ok
20:53:40.0216 0704 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
20:53:40.0232 0704 SharedAccess - ok
20:53:40.0263 0704 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
20:53:40.0263 0704 ShellHWDetection - ok
20:53:40.0294 0704 Simbad - ok
20:53:40.0373 0704 [ EDEBA65FE4023C9F2606537DB4320D3B ] smbusp C:\WINDOWS\system32\DRIVERS\smb.sys
20:53:40.0404 0704 smbusp - ok
20:53:40.0544 0704 [ 70B8DD8707DBF6142530C106365DF67D ] smwdm C:\WINDOWS\system32\drivers\smwdm.sys
20:53:40.0576 0704 smwdm - ok
20:53:40.0591 0704 Sparrow - ok
20:53:40.0669 0704 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
20:53:40.0669 0704 splitter - ok
20:53:40.0716 0704 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
20:53:40.0732 0704 Spooler - ok
20:53:40.0763 0704 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
20:53:40.0763 0704 sr - ok
20:53:40.0826 0704 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
20:53:40.0857 0704 srservice - ok
20:53:40.0919 0704 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
20:53:40.0951 0704 Srv - ok
20:53:41.0013 0704 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
20:53:41.0013 0704 SSDPSRV - ok
20:53:41.0123 0704 [ 306521935042FC0A6988D528643619B3 ] StarOpen C:\WINDOWS\system32\drivers\StarOpen.sys
20:53:41.0123 0704 StarOpen - ok
20:53:41.0216 0704 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
20:53:41.0248 0704 stisvc - ok
20:53:41.0294 0704 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
20:53:41.0310 0704 swenum - ok
20:53:41.0341 0704 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
20:53:41.0341 0704 swmidi - ok
20:53:41.0357 0704 SwPrv - ok
20:53:41.0373 0704 symc810 - ok
20:53:41.0404 0704 symc8xx - ok
20:53:41.0419 0704 sym_hi - ok
20:53:41.0435 0704 sym_u3 - ok
20:53:41.0482 0704 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
20:53:41.0498 0704 sysaudio - ok
20:53:41.0576 0704 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
20:53:41.0591 0704 SysmonLog - ok
20:53:41.0669 0704 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
20:53:41.0669 0704 TapiSrv - ok
20:53:41.0748 0704 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:53:41.0763 0704 Tcpip - ok
20:53:41.0841 0704 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
20:53:41.0841 0704 TDPIPE - ok
20:53:41.0951 0704 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
20:53:41.0951 0704 TDTCP - ok
20:53:42.0044 0704 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
20:53:42.0044 0704 TermDD - ok
20:53:42.0107 0704 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
20:53:42.0138 0704 TermService - ok
20:53:42.0185 0704 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
20:53:42.0185 0704 Themes - ok
20:53:42.0263 0704 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\System32\tlntsvr.exe
20:53:42.0263 0704 TlntSvr - ok
20:53:42.0279 0704 TosIde - ok
20:53:42.0373 0704 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
20:53:42.0388 0704 TrkWks - ok
20:53:42.0419 0704 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
20:53:42.0435 0704 Udfs - ok
20:53:42.0451 0704 ultra - ok
20:53:42.0560 0704 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
20:53:42.0576 0704 Update - ok
20:53:42.0669 0704 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
20:53:42.0669 0704 upnphost - ok
20:53:42.0748 0704 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
20:53:42.0763 0704 UPS - ok
20:53:42.0779 0704 USBAAPL - ok
20:53:42.0841 0704 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:53:42.0857 0704 usbccgp - ok
20:53:42.0888 0704 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:53:42.0888 0704 usbehci - ok
20:53:42.0951 0704 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:53:42.0966 0704 usbhub - ok
20:53:43.0013 0704 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:53:43.0013 0704 usbprint - ok
20:53:43.0076 0704 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:53:43.0076 0704 usbscan - ok
20:53:43.0154 0704 [ 49106EE29074E6A3D3AC9E24C6D791D8 ] usbsermptxp C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys
20:53:43.0154 0704 usbsermptxp - ok
20:53:43.0216 0704 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:53:43.0216 0704 USBSTOR - ok
20:53:43.0279 0704 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:53:43.0279 0704 usbuhci - ok
20:53:43.0341 0704 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
20:53:43.0341 0704 VgaSave - ok
20:53:43.0357 0704 ViaIde - ok
20:53:43.0419 0704 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
20:53:43.0435 0704 VolSnap - ok
20:53:43.0544 0704 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
20:53:43.0544 0704 VSS - ok
20:53:43.0623 0704 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
20:53:43.0638 0704 W32Time - ok
20:53:43.0701 0704 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:53:43.0701 0704 Wanarp - ok
20:53:43.0966 0704 [ FD47474BD21794508AF449D9D91AF6E6 ] Wdf01000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
20:53:44.0060 0704 Wdf01000 - ok
20:53:44.0091 0704 WDICA - ok
20:53:44.0154 0704 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
20:53:44.0185 0704 wdmaud - ok
20:53:44.0263 0704 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
20:53:44.0310 0704 WebClient - ok
20:53:44.0529 0704 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
20:53:44.0576 0704 winmgmt - ok
20:53:44.0669 0704 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
20:53:44.0685 0704 WmdmPmSN - ok
20:53:44.0826 0704 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
20:53:44.0841 0704 Wmi - ok
20:53:45.0013 0704 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\System32\wbem\wmiapsrv.exe
20:53:45.0044 0704 WmiApSrv - ok
20:53:45.0341 0704 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
20:53:45.0373 0704 WMPNetworkSvc - ok
20:53:45.0419 0704 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
20:53:45.0419 0704 WS2IFSL - ok
20:53:45.0482 0704 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
20:53:45.0498 0704 wscsvc - ok
20:53:45.0560 0704 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
20:53:45.0560 0704 wuauserv - ok
20:53:45.0669 0704 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:53:45.0685 0704 WudfPf - ok
20:53:45.0716 0704 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
20:53:45.0716 0704 WudfRd - ok
20:53:45.0763 0704 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
20:53:45.0779 0704 WudfSvc - ok
20:53:45.0888 0704 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
20:53:45.0919 0704 WZCSVC - ok
20:53:45.0998 0704 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
20:53:45.0998 0704 xmlprov - ok
20:53:46.0029 0704 ================ Scan global ===============================
20:53:46.0091 0704 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
20:53:46.0169 0704 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
20:53:46.0216 0704 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
20:53:46.0263 0704 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
20:53:46.0263 0704 [Global] - ok
20:53:46.0279 0704 ================ Scan MBR ==================================
20:53:46.0310 0704 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
20:53:46.0513 0704 \Device\Harddisk0\DR0 - ok
20:53:46.0513 0704 ================ Scan VBR ==================================
20:53:46.0529 0704 [ 331ABF24E556577EDD88D402EC9E2E7F ] \Device\Harddisk0\DR0\Partition1
20:53:46.0529 0704 \Device\Harddisk0\DR0\Partition1 - ok
20:53:46.0529 0704 ============================================================
20:53:46.0529 0704 Scan finished
20:53:46.0529 0704 ============================================================
20:53:46.0560 2500 Detected object count: 0
20:53:46.0560 2500 Actual detected object count: 0
20:54:11.0701 1664 Deinitialize success

SystemLook text:

SystemLook 30.07.11 by jpshortstuff
Log created at 20:56 on 30/09/2012 by Administrator
Administrator - Elevation successful
========== dir ==========
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data - Parameters: "(none)"
---Files---
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini --a--c- 18944 bytes [22:14 16/05/2008] [16:22 30/04/2012]
FASTWiz.log --a--c- 90 bytes [14:56 02/08/2009] [14:56 02/08/2009]
GDIPFONTCACHEV1.DAT --a--c- 48592 bytes [19:20 22/09/2007] [11:36 05/04/2009]
IconCache.db --ah-c- 1227704 bytes [12:27 13/09/2008] [18:42 30/09/2012]
LaunchHomeCenter.log --a--c- 230 bytes [18:04 30/01/2011] [18:04 30/01/2011]
¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ --a--c- 0 bytes [18:14 23/09/2012] [18:20 23/09/2012]
---Folders---
ACD Systems d----c- [20:29 08/05/2008]
Adobe d----c- [20:34 14/11/2007]
Apple d----c- [23:12 26/09/2007]
Apple Computer d----c- [23:09 26/09/2007]
Downloaded Installations d----c- [20:07 08/05/2008]
Eastman Kodak Company d----c- [17:00 30/01/2011]
Eastman_Kodak_Company d----c- [17:21 30/01/2011]
Google d----c- [21:52 14/12/2007]
Help d----c- [14:16 30/12/2007]
Identities d----c- [19:13 25/11/2009]
Microsoft d----c- [18:44 22/09/2007]
Microsoft Corporation d----c- [17:20 30/01/2011]
Microsoft Help d----c- [22:35 02/10/2007]
MTV Networks d----c- [11:16 23/09/2007]
PackageAware d----c- [17:48 11/12/2011]
PCHealth d----c- [19:58 28/09/2010]
Siemens d----c- [10:53 23/08/2009]
Temp d----c- [10:21 07/05/2012]
Trusteer d----c- [18:23 22/04/2011]
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto - Parameters: "(none)"
---Files---
None found.
---Folders---
None found.
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Vyda - Parameters: "(none)"
---Files---
fogud.pae --a--c- 0 bytes [10:25 01/05/2010] [10:25 01/05/2010]
---Folders---
None found.
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Siaqn - Parameters: "(none)"
---Files---
None found.
---Folders---
None found.
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Kyoxo - Parameters: "(none)"
---Files---
_esnum.exe --a--c- 176640 bytes [22:08 04/02/2010] [22:08 04/02/2010]
---Folders---
None found.
C:\Documents and Settings\All Users.WINDOWS\Application - Unable to find folder.
-= EOF =-

And VirusTotal links (I couldn't paste the links in; I had to click "Choose File" and then paste them into the Open File dialogue box, so I hope that was the right thing to do):

1. https://www.virustotal.com/file/e3b...649b934ca495991b7852b855/analysis/1349035105/

2. https://www.virustotal.com/file/e3b...649b934ca495991b7852b855/analysis/1349035645/

3. https://www.virustotal.com/file/e3b...649b934ca495991b7852b855/analysis/1349035775/

MSE keeps popping up and telling me detected threats are being sorted out. I don't remember it ever working as often before, and now there are more files being quarantined as well... anyway, not sure if you need to know that, but just in case you do.

Seems like we're winning now though doesn't it? (touch wood..)


----------



## Cookiegal (Aug 27, 2003)

We need to run ComboFix again. Please drag it to the Recycle Bin and grab the latest version then disable all security programs and run a scan then post the log. Let's see if we can get the Recovery Console installed this time.

Please visit *ComboFix Guide & Instructions* for instructions for installing the Recovery Console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.


----------



## Cookiegal (Aug 27, 2003)

The last folder I had you search for with SystemLook, you didn't copy the entire line so it said it couldn't find the folder.

Please run SystemLook again with this script:


```
:dir
C:\Documents and Settings\All Users.WINDOWS\Application Data\6F63A58B2B17D97999E020957B07D287
```


----------



## Catherine-N (Sep 12, 2012)

Ok, thanks. Here's the SystemLook text; am going to do ComboFix now.

SystemLook 30.07.11 by jpshortstuff
Log created at 21:32 on 30/09/2012 by Administrator
Administrator - Elevation successful
========== dir ==========
C:\Documents and Settings\All Users.WINDOWS\Application Data\6F63A58B2B17D97999E020957B07D287 - Parameters: "(none)"
---Files---
6F63A58B2B17D97999E020957B07D287 --a--c- 1872 bytes [18:15 23/09/2012] [17:16 30/09/2012]
6F63A58B2B17D97999E020957B07D287.exe ---hsc- 462848 bytes [18:13 23/09/2012] [18:13 23/09/2012]
6F63A58B2B17D97999E020957B07D287.ico --a--c- 4286 bytes [18:13 23/09/2012] [18:13 23/09/2012]
---Folders---
None found.
-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

Please also run this script in SystemLook:


```
:dir
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
```


----------



## Cookiegal (Aug 27, 2003)

I'll be off for a bit for dinner. But will be back later.


----------



## Catherine-N (Sep 12, 2012)

Ok, thanks. Here's the ComboFix text:

ComboFix 12-09-30.01 - Administrator 30/09/2012 21:46:24.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.452 [GMT 1:00]
Running from: c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Desktop\puppy.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\scptsd.dll
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Vyda
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Vyda\fogud.pae
c:\documents and settings\All Users.WINDOWS\Application Data\6F63A58B2B17D97999E020957B07D287
c:\documents and settings\All Users.WINDOWS\Application Data\6F63A58B2B17D97999E020957B07D287\6F63A58B2B17D97999E020957B07D287
c:\documents and settings\All Users.WINDOWS\Application Data\6F63A58B2B17D97999E020957B07D287\6F63A58B2B17D97999E020957B07D287.exe
c:\documents and settings\All Users.WINDOWS\Application Data\6F63A58B2B17D97999E020957B07D287\6F63A58B2B17D97999E020957B07D287.ico
c:\recycler\S-1-5-21-1659004503-1897051121-682003330-500\$9b5c698507560e9b12b8eda5d6dba6ef\@
c:\recycler\S-1-5-21-1659004503-1897051121-682003330-500\$9b5c698507560e9b12b8eda5d6dba6ef\n
.
.
((((((((((((((((((((((((( Files Created from 2012-08-28 to 2012-09-30 )))))))))))))))))))))))))))))))
.
.
2012-09-30 19:53 . 2012-09-30 19:53 29904 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{29E9A5CB-5E42-4036-B64C-68851B8D2869}\MpKsl701c2915.sys
2012-09-30 19:08 . 2012-09-30 19:08 56200 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{29E9A5CB-5E42-4036-B64C-68851B8D2869}\offreg.dll
2012-09-30 19:07 . 2012-08-30 08:17 6980552 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{29E9A5CB-5E42-4036-B64C-68851B8D2869}\mpengine.dll
2012-09-30 18:22 . 2012-08-22 23:15 7022536 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-30 17:16 . 2012-09-30 17:16 -------- dc----w- c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto
2012-09-23 18:14 . 2012-09-30 18:23 -------- dc----w- c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Kyoxo
2012-09-23 18:14 . 2012-09-23 18:20 -------- dc----w- c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Siaqn
2012-09-23 10:25 . 2012-09-23 10:25 -------- dc----w- C:\_OTS
2012-09-20 15:13 . 2012-09-20 15:29 -------- dc----w- C:\puppy
2012-09-12 13:09 . 2012-09-12 13:09 -------- dc----w- c:\program files\Microsoft Windows OneCare Live
2012-09-09 15:41 . 2012-09-09 15:41 -------- dc----w- c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Malwarebytes
2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-09 15:40 . 2012-07-03 12:46 22344 -c--a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-29 19:58 . 2012-05-07 10:15 426184 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-29 19:58 . 2011-12-18 18:29 70344 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-29 19:52 . 2012-07-29 19:52 65848 -c--a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-07-06 13:58 . 2001-08-23 12:00 78336 -c--a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2007-09-22 18:25 139784 -c--a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2001-08-23 12:00 1866112 -c--a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
"5353:UDP"= 5353:UDP:Bonjour Port 5353
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [29/07/2012 20:52 65848]
R1 MpKsl701c2915;MpKsl701c2915;c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{29E9A5CB-5E42-4036-B64C-68851B8D2869}\MpKsl701c2915.sys [30/09/2012 20:53 29904]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [11/08/2012 15:26 228376]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [29/07/2012 20:52 71480]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [29/07/2012 20:52 166840]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [09/09/2012 16:40 655944]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [09/09/2012 16:40 22344]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [06/06/2012 17:52 21520]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [27/03/2006 17:53 167808]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [13/09/2010 18:18 308656]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [07/05/2012 11:15 250056]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\DRIVERS\emusba10.sys --> c:\windows\system32\DRIVERS\emusba10.sys [?]
S4 Everet_;Everet_;c:\windows\system32\drivers\ati1btxx.sys [22/09/2007 20:11 56623]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 39376515
*NewlyCreated* - 73293228
*NewlyCreated* - MPKSL701C2915
*Deregistered* - 39376515
*Deregistered* - 73293228
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 19:58]
.
2012-09-30 c:\windows\Tasks\User_Feed_Synchronization-{13B53172-B98C-4AF0-AC9B-BD5D56344E2C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: orange search - file://c:\program files\ORANGE4\Cache\SelectedContextSearch.htm
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-30 21:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,44,22,f2,ee,ea,06,46,92,8a,c5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,c8,4e,54,da,d8,7b,42,80,f8,6f,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,13,2f,59,e9,78,d7,52,47,b9,53,cb,\
.
Completion time: 2012-09-30 22:01:41
ComboFix-quarantined-files.txt 2012-09-30 21:01
ComboFix2.txt 2012-09-21 18:50
ComboFix3.txt 2012-09-20 15:29
.
Pre-Run: 5,338,886,144 bytes free
Post-Run: 5,462,360,064 bytes free
.
- - End Of File - - 7646E7404D84BF81F5EBF578A705F82B

and here are the next SystemLook results -

SystemLook 30.07.11 by jpshortstuff
Log created at 22:13 on 30/09/2012 by Administrator
Administrator - Elevation successful
========== dir ==========
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ - Unable to find folder.
-= EOF =-

I'm going to go to bed now as up early for work - thanks for all your help today - enjoy the rest of your evening. Catherine.


----------



## Cookiegal (Aug 27, 2003)

Yes, it's late in the UK.

Please run SystemLook again with this script:

```
:filefind
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
```
I'd like to ask a colleague to take a look at those files as they are suspicious. Please go to the forum *here* and upload this (these) file(s):

C:\WINDOWS\System32\drivinit.dll
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\btbgi.dll
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\uilap.dll

Here are the directions for uploading files:

Just register to create an account then click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.

Then please do the following:

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\assembly\Desktop.ini

Folder::
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Kyoxo
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Siaqn
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

Lastly, I need you to export a couple of registry keys that may be altered by this infection and need to be repaired so please do the following:

Go to *Start* - *Run* and copy and paste the following then click OK:

*regedit /e C:\look.txt "HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32"*

You won't see anything happen and it will only take a second. You will find the report it creates at C:\look.txt. Please open it in Notepad and then copy and paste the report here.

Please do the same for this command.

*regedit /e C:\look2.txt "HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32"*

This will create a log at C:\look2.txt. Please copy and paste the contents of this one as well.


----------



## Catherine-N (Sep 12, 2012)

Hi Cookiegal. I was just googling around in my break to see what it said about those viruses that MSE found. Anyway, on a Microsoft Answers site someone was being told to download the free version of Malwarebytes and click decline to the trial option. That made me remember how before I found your site I'd seen similar advice for the West Yorks Ukash virus - but it hadn't said where to download it from nor to click decline. So now I'm wondering if I downloaded Malwarebytes from an unsafe site & that's how I got all the additional viruses + I clicked accept free trial & yesterday when I turned MSE on when it allowed me to boot to normal a dialogue box came up saying there were multiple antivirus packages so am wondering if Malwarebytes is messing up MSE....anyway I want to uninstall Malwarebytes as I don't trust what I did before I found TGS's site...but obviously won't do this unless you say it's ok. Is it ok to uninstall?

Will do the new steps you've posted when i get home tonight. Thanks again - I'm actually really enjoying following all the instructions & seeing things progress!!


----------



## Cookiegal (Aug 27, 2003)

You actually had several infections. In addition to the West Yorkshire ukash you also had Live Security Platinum and ZeroAccess. Often the first infection opens a backdoor for others to infiltrate the system.

These infections often come from legitimate sites that have been hacked so that their URL has malicious code injected which then takes advantage of vulnerabilities in outdated programs on your machine to launch their exploits. When we finish up we will see what needs to be updated to help you stay safe in the future.

Your theory about MalwareBytes is plausible if you downloaded it from a dubious site but I checked and the files are signed by MalwareBytes and everything seems legitimate. It's an excellent program and one that I recommend that you keep once we're finished to use on a regular basis as part of your security package.


----------



## Catherine-N (Sep 12, 2012)

Ok - thanks for the advice, glad I managed by chance to download it from a decent site!

Have followed all the instructions in your post 82.

1. Systemlook text (incidentally - took ages)

SystemLook 30.07.11 by jpshortstuff
Log created at 20:18 on 01/10/2012 by Administrator
Administrator - Elevation successful
========== filefind ==========
Searching for "C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ"
No files found.
-= EOF =-

2. Joined the site on the link and started the new post - but I couldn't locate those 3 files. I tried pasting them into Open to see if it would do it automatically (but it just kept saying it can't find the files) and then I tried doing it by eye, sorting each bit of the path alphabetically - and I couldn't find them....could ComboFix have deleted them last night when I ran it (it did spend ages on the deleting files bit)?

3. Did the Notepad text and ComboFix run. Log text to follow. Just to say - when I ran ComboFix yesterday I forgot to mention the notes I took as it went: a) it didn't do the backing up Windows registry step as per the instructions on the ComboFix site. b) the recovery console message didn't come up. c) it didn't disconnect from the internet until right at the end (and then I had to follow the instructions for getting the internet back & reboot as it had gone) and it also didn't change my clock format (it never has done that actually). This time it did everything it said in the steps it would. Here's the text:

ComboFix 12-09-30.03 - Administrator 01/10/2012 20:54:17.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.454 [GMT 1:00]
Running from: c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Desktop\puppy.exe
Command switches used :: c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\assembly\Desktop.ini"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Kyoxo
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Kyoxo\_esnum.exe
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Siaqn
c:\windows\EventSystem.log
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2012-09-01 to 2012-10-01 )))))))))))))))))))))))))))))))
.
.
2012-10-01 19:50 . 2012-08-30 08:17 6980552 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E89095E9-A2F6-41B4-BFB4-871FE1F379B3}\mpengine.dll
2012-10-01 19:35 . 2012-10-01 19:35 -------- dc----w- c:\windows\LastGood
2012-09-30 21:15 . 2012-10-01 19:14 -------- dc----w- C:\2ee1f7bdd3b675c42c7dc10467c760
2012-09-30 21:02 . 2012-08-30 08:17 6980552 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-23 10:25 . 2012-09-23 10:25 -------- dc----w- C:\_OTS
2012-09-20 15:13 . 2012-09-20 15:29 -------- dc----w- C:\puppy
2012-09-12 13:09 . 2012-09-12 13:09 -------- dc----w- c:\program files\Microsoft Windows OneCare Live
2012-09-09 15:41 . 2012-09-09 15:41 -------- dc----w- c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Malwarebytes
2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-09 15:40 . 2012-07-03 12:46 22344 -c--a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-30 21:03 . 2012-03-20 19:44 193552 -c--a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-29 19:58 . 2012-05-07 10:15 426184 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-29 19:58 . 2011-12-18 18:29 70344 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-29 19:52 . 2012-07-29 19:52 65848 -c--a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-07-06 13:58 . 2001-08-23 12:00 78336 -c--a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2007-09-22 18:25 139784 -c--a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
"5353:UDP"= 5353:UDP:Bonjour Port 5353
.
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\DRIVERS\emusba10.sys [x]
R4 Everet_;Everet_;c:\windows\system32\drivers\ati1btxx.sys [x]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [x]
S1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [x]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [x]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 RapportIaso;RapportIaso;c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportms\39624\rapportiaso.sys [x]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPFILTER
*NewlyCreated* - MPKSL1D59E970
*Deregistered* - MpKsl1d59e970
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 19:58]
.
2012-10-01 c:\windows\Tasks\User_Feed_Synchronization-{13B53172-B98C-4AF0-AC9B-BD5D56344E2C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: orange search - file://c:\program files\ORANGE4\Cache\SelectedContextSearch.htm
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-01 21:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,44,22,f2,ee,ea,06,46,92,8a,c5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,c8,4e,54,da,d8,7b,42,80,f8,6f,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,13,2f,59,e9,78,d7,52,47,b9,53,cb,\
.
Completion time: 2012-10-01 21:13:54
ComboFix-quarantined-files.txt 2012-10-01 20:13
ComboFix2.txt 2012-09-30 21:01
ComboFix3.txt 2012-09-21 18:50
ComboFix4.txt 2012-09-20 15:29
.
Pre-Run: 5,286,793,216 bytes free
Post-Run: 5,474,295,808 bytes free
.
- - End Of File - - 78E1213E5A207973CDCCF02AD3F213DE

3. And finally - did the start / run paste and here's the text for that:

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32]
@=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,62,00,\
65,00,6d,00,5c,00,66,00,61,00,73,00,74,00,70,00,72,00,6f,00,78,00,2e,00,64,\
00,6c,00,6c,00,00,00
"ThreadingModel"="Free"

5. Sorry - just spotted this before I hit post reply - here's the other Start / Run text result:

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,48,00,\
45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

Actually - not sure if this is worth mentioning, but MSE was on, but the Windows Security Centre was red and telling me that the virus protection wasn't on. Also, when I was setting up my account on the other site, MSE switched itself off and I had to turn it all back on again. Don't know if that's relevant?

Thanks again - Catherine.


----------



## Cookiegal (Aug 27, 2003)

You have to navigate to the files to upload but they are hidden so we'll have to unhide them first.

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

Then see if you can upload these files to TheSpyKiller for analysis please.

C:\WINDOWS\System32\drivinit.dll
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\btbgi.dll
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Application Data\uilap.dll

Also, I think you overlooked the registry key export I asked for in post no. 82. If you could do that and post it that would be helpful.


----------



## Catherine-N (Sep 12, 2012)

Hi Cookiegal - ok, went to the folder options - everything that needed to be checked was checked & everything unchecked was unchecked - still couldn't find those files. I tried by eye and also did a search (just for the end bit) ...

Also - the registry key export - I'm a bit confused by....isn't that what I posted at the end of the last ComboFix text file?

Where I numbered them (the start/run with the text regedit /e C:\look.txt "HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32") - 

"3. And finally - did the start / run paste and here's the text for that" 

and the other one :

"5. Sorry - just spotted this before I hit post reply - here's the other Start / Run text result"

(obviously forgot 4 came after 3..) If it's not those bits, then I don't know where the instructions are for the bit I've missed?


----------



## Catherine-N (Sep 12, 2012)

Hello again - thought I should update you - MSE has just done a full scan and told me it detected 7 potential threats. I wasn't sure what to do as I don't want to tell it to clean machine if I shouldn't be doing that yet...anyway, I hit apply action to see what my options were and it started chugging away and has now quarantined them. I notice some of them look like similar / same names as the ones it found the other day. Anyway - thought I should let you know in case it's important info - here's the virus names & paths.


Trojan:Win32/Sirefef!cfg & it found it in C:\Qoobox\C\RECYCLERS\S-1-5-21-1659004503-1897051121-682003330-500\$9b5c698507560e9b128eda5d6dba6ef\@.vir

Trojan:Win32/Medfos.B
& it found it in C:\Qoobox\Quarantine\C\Documents & Settings\Administrator.CATHERIN.ZGE1ZI\Application Data\scptsd.dll.vir

TrojanDownloader:Win32/Karagany.I
found in C:\Documents & Settings\Administrator.CATHERIN.ZGE1ZI\Application data\Sun\Java\Deployment\Cache\6.0\60\565801fc-10636195
and also
C:\Documents & Settings\Administrator.CATHERIN.ZGE1ZI\Application data\Sun\Java\Deployment\Cache\6.0\13\9a5efcd-7c187595

Backdoor:Win32/Simda
found in C:\Documents & Settings\Administrator.CATHERIN.ZGE1ZI\Application data\Sun\Java\Deployment\Cache\6.0\596395907b-340ca18e

Rogue:Win32/Winwebsec
C:\Qoobox\Quarantine\C\Documents & Settings\All Users.WINDOWS\Application data\lots of numbers...

VirTool:Win32/CeeInject.EE
found in C:\Qoobox\Quarantine\C\Documents & Settings\Administrator.CATHERIN.ZGE1ZI\application data\Kyoxo\_esnum.exe.vir

Trojan:Win32/Sirefef.BC which is in c:\Qoobox\Quarantine\RECYCLERS\lots of letters & numbers...


----------



## Cookiegal (Aug 27, 2003)

Sorry, I missed those exports at the end of the ComboFix log. They look good so no problem there.

Everything MSE found that says "Qoobox" has already been quarantined by ComboFix. The others are Java exploits.

Open HijackThis and click on the *Open Misc Tools section* button. Click on the *Open Uninstall Manager* button. Click the *Save List* button. Save the list then copy and paste it here.
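The two exports Catherine posted come out as comma-separated bytes because regedit writes REG_EXPAND_SZ values as `hex(2):` UTF-16LE byte lists, which is why they are hard to read by eye. As an added example (not part of this thread and not a tool either participant used), the Python script below parses a `regedit /e` export, decodes those values and applies the check a helper makes on an InprocServer32 key: the default value must be a string that expands under the Windows system directory and name the DLL that CLSID is supposed to load. `LOOK_TXT` and `LOOK2_TXT` are copied from the look.txt and look2.txt results above; `SUSPICIOUS_TXT` is a constructed example, with a made-up DLL name, of what a redirected key would look like.

```python
import re

# Copied from the two regedit /e exports posted above (look.txt and look2.txt).
# regedit stores REG_EXPAND_SZ values as "hex(2):" byte lists (UTF-16LE with a
# trailing NUL), wraps long lines with a backslash and indents the continuation.
LOOK_TXT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32]
@=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,62,00,\
  65,00,6d,00,5c,00,66,00,61,00,73,00,74,00,70,00,72,00,6f,00,78,00,2e,00,64,\
  00,6c,00,6c,00,00,00
"ThreadingModel"="Free"
"""

LOOK2_TXT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,48,00,\
  45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
"""

# Constructed example, not from the thread: the same shell32 CLSID pointed at a
# DLL under a user profile, which is what a hijacked InprocServer32 looks like.
SUSPICIOUS_TXT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32]
@="C:\\Documents and Settings\\Administrator\\Application Data\\example.dll"
"ThreadingModel"="Apartment"
"""

# Prefixes an InprocServer32 path for a system COM class is expected to expand under.
SYSTEM_DIRS = ("%systemroot%\\system32\\", "%windir%\\system32\\")


def _join_continuations(text):
    """Rejoin lines that regedit wrapped with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]          # continuation: keep accumulating
            continue
        lines.append(buf)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def decode_reg_value(rhs):
    """Decode the right-hand side of a .reg line into (registry type, value)."""
    m = re.match(r"hex\((\d+)\):(.*)", rhs)
    if m:
        reg_type = int(m.group(1))
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if reg_type in (1, 2, 7):   # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ
            return reg_type, data.decode("utf-16-le").rstrip("\x00")
        return reg_type, data
    if rhs.startswith("hex:"):      # REG_BINARY
        return 3, bytes(int(b, 16) for b in rhs[4:].split(",") if b)
    if rhs.startswith("dword:"):    # REG_DWORD
        return 4, int(rhs[6:], 16)
    if rhs.startswith('"') and rhs.endswith('"'):   # quoted REG_SZ
        return 1, rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return None, rhs


def parse_reg_export(text):
    """Return {key path: {value name: (type, value)}} for a regedit /e export."""
    result, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
            continue
        name, sep, rhs = line.partition("=")
        if current is None or not sep:
            continue
        result[current][name.strip('"')] = decode_reg_value(rhs)
    return result


def check_inprocserver32(text, expected_dll):
    """Return (decoded server path, ok). ok is True only when the default value
    of the InprocServer32 key is a string that expands under the system
    directory and names the DLL this CLSID is expected to load."""
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith("\\inprocserver32"):
            continue
        reg_type, path = values.get("@", (None, ""))
        if reg_type not in (1, 2) or not isinstance(path, str):
            return str(path), False
        lower = path.lower()
        ok = lower.startswith(SYSTEM_DIRS) and lower.endswith("\\" + expected_dll.lower())
        return path, ok
    return "", False   # no InprocServer32 key in the export at all


if __name__ == "__main__":
    for label, export, dll in (("look.txt", LOOK_TXT, "fastprox.dll"),
                               ("look2.txt", LOOK2_TXT, "SHELL32.dll"),
                               ("constructed", SUSPICIOUS_TXT, "SHELL32.dll")):
        path, ok = check_inprocserver32(export, dll)
        print(f"{label}: {path} -> {'OK' if ok else 'SUSPICIOUS'}")
```

Run on the pasted text, the two real exports decode to `%systemroot%\system32\wbem\fastprox.dll` and `%SystemRoot%\system32\SHELL32.dll`, both under the system directory and both the DLL those keys normally load, which is the basis for the "they look good" verdict; the constructed export fails because its server lives under a user profile. If you feed the script the look.txt file from disk rather than text pasted from Notepad, open it with `encoding="utf-16"`, since regedit writes version 5.00 exports as UTF-16 with a byte-order mark.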


----------



## Catherine-N (Sep 12, 2012)

Ok thanks. Should I click remove all on the detected files history of MSE? Also - just in case you need to know this - every time I log on, MSE is switched off and I have to manually switch it on.

Ok - here's the Hijack this list:


ACDSee for PENTAX 3.0
Adobe Acrobat 4.0
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player 11.5
aiofw
aioprnt
aioscnnr
AmpliTube LE
C4USelfUpdater
center
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
GEAR 32bit Driver Installer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Extreme Graphics Driver
Intel(R) PRO Ethernet Adapter and Software
Java(TM) 6 Update 6
KODAK AiO Home Centre
ksDIP
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
NETGEAR WG111v2 wireless USB 2.0 adapter
OGA Notifier 2.0.0048.0
Orange Search Toolbar
PreReq
Rapport
Rapport
SafeCast Shared Components
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SoundMAX
Uniblue PowerSuite
Uniblue RegistryBooster
Uniblue SpeedUpMyPC
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
ViewSonic Monitor Drivers
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3


----------



## Cookiegal (Aug 27, 2003)

If you can, just remove the ones that are not indicated as being in qoobox with MSE.

I recommend uninstalling the following. These types of programs shouldn't be needed on a well-maintained computer and can cause more harm than good.

Uniblue PowerSuite
Uniblue RegistryBooster
Uniblue SpeedUpMyPC

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application.

*Upgrading Java*:

1. Download the latest version of *Java Runtime Environment (JRE) 6 Update 35*.
2. Accept the License Agreement and then select the option to download the *Windows x86 Offline* version.
3. Save the executable file to your desktop.
4. Close any programs you may have running - especially your web browser.
5. Go to *Start* > *Control Panel*, double-click on *Add/Remove* programs and remove all older versions of Java.
6. Check any item with *Java Runtime Environment, JRE, J2SE or Java(TM)* in the name.
7. Click the Remove or Change/Remove button.
8. Repeat as many times as necessary to remove each Java version.
9. Reboot your computer once all Java components are removed.
10. Then from your desktop double-click on the download and follow the prompts to install the newest version.

I would try uninstalling MSE and reinstalling it. It may have been damaged.


----------



## Cookiegal (Aug 27, 2003)

Please download aswMBR.exe and save it to your desktop.

Double click aswMBR.exe to start the tool (Vista/Windows 7 users - right click to run as administrator) and allow it to download the Avast database.

Click *Scan*.

Upon completion of the scan, click *Save log* then save it to your desktop and post that log in your next reply for review. 
*Note - do NOT attempt any Fix yet.*


----------



## Catherine-N (Sep 12, 2012)

Ok thank you. Had a bitty / all over the place work day today, will try & do tomorrow eve if i get home early enough, otherwise won't be able to get to do until Thursday. Hope that's ok. Catherine.


----------



## Cookiegal (Aug 27, 2003)

No problem. I know the time difference doesn't help but we'll get there.


----------



## Catherine-N (Sep 12, 2012)

Thanks - I'm just really grateful for the help you're giving me. I feel a bit guilty that I'm taking up so much time - page 7 & counting....oops! I think it's a brilliant service that you all give and it's just a shame that viruses are created to cause so much trouble for the likes of the computer illiterate like me in the first place...anyway, Oscar speech over...

So, I uninstalled the uniblue stuff (didn't think it speeded up my pc anyway - actually seemed to slow it down!! so wasn't that impressed)

Went to just remove the viruses in MSE history that weren't qoobox - but there wasn't an option - it was remove all, or if I ticked a box I could keep individual ones, but not remove individual ones. So didn't remove any of them just in case I'm not supposed to yet.

Java - there was only one thing to uninstall that I could see - did that and rebooted. Actually I shut down - I've noticed when I shut down that one of those programmes ending dialogue boxes comes up - you know where you can click "end now" - anyway it only flashes up quickly so I can't quite see what's ending - but it looks like something with a load of stars (**************)...not sure if that's a virus?

Logged back on and clicked on the icon and clicked on run and a dialogue box came up (with a warning noise) saying "C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\Desktop\jre-6u34-windows.i586.exe is not a valid Win32 application."

Tried twice, same message - so couldn't install it.

Next, MSE - I didn't uninstall & reinstall as I wasn't sure as the viruses that weren't in qoobox were still in the detected history - if uninstalling it would mean they'd suddenly be released back onto the computer - maybe that's just completely laughable - but I think we've established I know even less than I thought I did & am clearly gullible as had I not been being instructed by you - I would've fallen for the clear viruses on the premium live thing that actually was a virus itself....

Next - aswMBR.exe - all went smoothly - well sort of - it said "This programme can use Avast! Free Antivirus for scanning. It is recommended to download it for better detection results. Would you like to download it." I said No because I've got MSE so that would mean I'd have multiple virus packages - or maybe it wouldn't - anyway - thought that was the right guess - but let me know if I got it wrong & need to do it again and click yes and then run the scan again....

here's the log anyway (one of the lines went orange - but can't remember which one now..) :-

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-04 16:37:13
-----------------------------
16:37:13.687 OS Version: Windows 5.1.2600 Service Pack 3
16:37:13.687 Number of processors: 1 586 0x207
16:37:13.687 ComputerName: CATHERIN-ZGE1ZI UserName: Administrator
16:37:17.265 Initialize success
16:38:20.562 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:38:20.562 Disk 0 Vendor: WDC_WD200EB-75CPF0 06.04G06 Size: 19092MB BusType: 3
16:38:20.593 Disk 0 MBR read successfully
16:38:20.593 Disk 0 MBR scan
16:38:20.593 Disk 0 Windows XP default MBR code
16:38:20.593 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 19085 MB offset 63
16:38:20.609 Disk 0 scanning sectors +39086145
16:38:20.671 Disk 0 scanning C:\WINDOWS\system32\drivers
16:38:36.265 Service scanning
16:38:44.593 Service MpKsl13252d2a c:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F5BCD396-E0A7-44E6-8F2E-6AEA01791F72}\MpKsl13252d2a.sys **LOCKED** 32
16:38:54.984 Modules scanning
16:39:05.421 Disk 0 trace - called modules:
16:39:05.468 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS 
16:39:05.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83b58ab8]
16:39:05.968 3 CLASSPNP.SYS[f7717fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x83bd2d98]
16:39:05.968 Scan finished successfully
16:39:13.296 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\MBR.dat"
16:39:13.375 The log file has been saved successfully to "C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\aswMBR.txt"

Just one more thing - I thought I'd try uninstalling the samsung thing again - have tried before - and it just gives me an error message that it can't be done - could that be because of the virus? I'm now thinking everything's because of a virus

Thanks again.


----------



## Cookiegal (Aug 27, 2003)

OK. You can allow MSE to quarantine everything then; it's not a problem.

You should have allowed aswmbr to download because that is what is meant by this portion of the instructions "allow it to download the Avast database". You could run it again and do that and then post the new log.

I would also like you to run OTS again. This time, please change the "File Age" at the top from 30 days to 60 days. Here are the full instructions.


1. Close any open browsers.
2. If your Real protection or Antivirus interferes with OTS, allow it to run.
3. Double-click on *OTS.exe* to start the program.
4. At the top put a check mark in the box beside "Scan All Users" and change the "File Age" from 30 days to 60 days.
5. Under the *Additional Scans* section put a check in the box next to Disabled MS Config Items, NetSvcs and EventViewer logs (Last 10 errors).
6. Now click the *Run Scan* button on the toolbar.
7. Let it run unhindered until it finishes.
8. When the scan is complete Notepad will open with the report file loaded in it.
9. Save that notepad file.
10. Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## Catherine-N (Sep 12, 2012)

Oh I see, right, ok - sorry. Here's the rerun version pasted below & have attached the OTS file.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-04 16:37:13
-----------------------------
16:37:13.687 OS Version: Windows 5.1.2600 Service Pack 3
16:37:13.687 Number of processors: 1 586 0x207
16:37:13.687 ComputerName: CATHERIN-ZGE1ZI UserName: Administrator
16:37:17.265 Initialize success
16:38:20.562 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:38:20.562 Disk 0 Vendor: WDC_WD200EB-75CPF0 06.04G06 Size: 19092MB BusType: 3
16:38:20.593 Disk 0 MBR read successfully
16:38:20.593 Disk 0 MBR scan
16:38:20.593 Disk 0 Windows XP default MBR code
16:38:20.593 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 19085 MB offset 63
16:38:20.609 Disk 0 scanning sectors +39086145
16:38:20.671 Disk 0 scanning C:\WINDOWS\system32\drivers
16:38:36.265 Service scanning
16:38:44.593 Service MpKsl13252d2a c:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F5BCD396-E0A7-44E6-8F2E-6AEA01791F72}\MpKsl13252d2a.sys **LOCKED** 32
16:38:54.984 Modules scanning
16:39:05.421 Disk 0 trace - called modules:
16:39:05.468 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS 
16:39:05.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83b58ab8]
16:39:05.968 3 CLASSPNP.SYS[f7717fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x83bd2d98]
16:39:05.968 Scan finished successfully
16:39:13.296 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\MBR.dat"
16:39:13.375 The log file has been saved successfully to "C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\aswMBR.txt"

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-04 18:13:21
-----------------------------
18:13:21.093 OS Version: Windows 5.1.2600 Service Pack 3
18:13:21.093 Number of processors: 1 586 0x207
18:13:21.093 ComputerName: CATHERIN-ZGE1ZI UserName: Administrator
18:13:26.218 Initialize success
18:20:39.750 AVAST engine defs: 12100302
18:33:49.156 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:33:49.156 Disk 0 Vendor: WDC_WD200EB-75CPF0 06.04G06 Size: 19092MB BusType: 3
18:33:49.171 Disk 0 MBR read successfully
18:33:49.171 Disk 0 MBR scan
18:33:49.203 Disk 0 Windows XP default MBR code
18:33:49.203 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 19085 MB offset 63
18:33:49.250 Disk 0 scanning sectors +39086145
18:33:49.406 Disk 0 scanning C:\WINDOWS\system32\drivers
18:34:52.859 Service scanning
18:35:22.281 Service MpKsle7a8a1d6 c:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89F29EBD-2656-4DA5-8E2E-1B60847EB3C7}\MpKsle7a8a1d6.sys **LOCKED** 32
18:35:49.156 Modules scanning
18:35:57.968 Disk 0 trace - called modules:
18:35:57.984 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS 
18:35:58.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83b8dab8]
18:35:58.546 3 CLASSPNP.SYS[f7717fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x83bced98]
18:35:59.671 AVAST engine scan C:\WINDOWS
18:36:47.203 AVAST engine scan C:\WINDOWS\system32
18:44:01.843 AVAST engine scan C:\WINDOWS\system32\drivers
18:44:53.656 AVAST engine scan C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI
18:49:48.984 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\MBR.dat"
18:49:49.046 The log file has been saved successfully to "C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\aswMBR.txt"


----------



## Cookiegal (Aug 27, 2003)

I'd like you to navigate to this folder please:

C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\*Application Data*

In that folder, do you see any file that has odd characters or symbols in the name? I'm asking because the logs show this:

C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ

The tools are not able to read the name of the file correctly. I'm afraid if I tell OTS to delete it, it may delete something else and cause the machine to be unbootable (like what happened last time with OTL).

Perhaps you can take a screenshot of what's in there and upload it.
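The name in the log line above is the Latin-1 characters ¹ (U+00B9) through ÿ (U+00FF) in order, which is why neither the helper nor the tools can make sense of it. As an added example for this page (not part of OTS, OTL or any of the posts), the Python script below does the check Cookiegal asked Catherine to make by eye: it lists the entries in a directory whose names are mostly non-ASCII, contain control or format characters, or end in a space or dot. The directory it scans in the demo is constructed in a temporary folder; the 0.5 non-ASCII threshold and the path you pass on the command line are assumptions.

```python
"""List directory entries whose names are made of unusual characters.

Added example for this page; it is not part of OTS, OTL or the forum posts.
It automates the check asked for in the thread: find a file in the
Application Data folder whose name the tools cannot display.
"""
import os
import sys
import tempfile
import unicodedata
from typing import List, Tuple

# The name seen in the thread's logs: Latin-1 characters U+00B9..U+00FF in order.
ODD_NAME = "".join(chr(c) for c in range(0xB9, 0x100))


def classify_name(name: str, non_ascii_ratio: float = 0.5) -> List[str]:
    """Return the reasons a name looks odd; an empty list means it looks normal.

    The 0.5 ratio is an assumption suited to an English-locale machine; on a
    system whose legitimate names use another script, raise it or drop that test.
    """
    reasons: List[str] = []
    # Control, format (zero-width and bidi marks), private-use and unassigned
    # code points do not belong in a name created by a normal installer.
    hidden = [ch for ch in name if unicodedata.category(ch) in ("Cc", "Cf", "Co", "Cn")]
    if hidden:
        reasons.append(f"{len(hidden)} control/format character(s)")
    non_ascii = sum(1 for ch in name if ord(ch) > 0x7E)
    if name and non_ascii / len(name) >= non_ascii_ratio:
        reasons.append(f"{non_ascii}/{len(name)} characters outside printable ASCII")
    # Names ending in a space or dot are awkward to open or delete from Explorer.
    if name != name.rstrip(" ."):
        reasons.append("trailing space or dot")
    return reasons


def scan_directory(path: str) -> List[Tuple[str, List[str]]]:
    """Scan one directory level and return (name, reasons) for every odd entry."""
    hits = []
    with os.scandir(path) as entries:
        for entry in entries:
            reasons = classify_name(entry.name)
            if reasons:
                hits.append((entry.name, reasons))
    return sorted(hits)


def demo() -> List[Tuple[str, List[str]]]:
    """Scan a constructed directory: three ordinary folders, the odd name from
    the thread, and a folder name carrying a zero-width space (U+200B)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("Microsoft", "Identities", "Temp", ODD_NAME, "Temp\u200b"):
            os.mkdir(os.path.join(root, name))
        return scan_directory(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for name, why in (scan_directory(target) if target else demo()):
        print(repr(name), "->", "; ".join(why))
```

Printing each name with `repr()` is deliberate: it shows the code points rather than letting the console's code page mangle them, which is exactly the problem the helper ran into when reading the OTS log.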


----------



## Catherine-N (Sep 12, 2012)

Good evening Cookiegal. 

Tonight, I've uninstalled & installed MSE again.

Have looked in the folder and couldn't see any odd symbols. I saw odd symbols in C:\document & settings - a folder called ADMIN~CAT~ which looked odd.

Also in c\doc&settings\ADMININISTRATOR\CATHERIN.ZGEIZI\APPLICATION DATA\Identities 
and
in C:\Documents & settings \ All users.WINDOWS\application data - there were a couple of odd looking folders.

I wasn't sure how to print screen them to you, so have just pasted the screen prints onto a word document - and attached it.

Appreciate it's Friday night so hoping you're taking a break. Thanks again as always. Have a lovely eve.


----------



## Cookiegal (Aug 27, 2003)

Hi Catherine. Unfortunately, there is no attachment.


----------



## Catherine-N (Sep 12, 2012)

oh ok thanks for letting me know - it was too big...have uploaded the 4 screen prints as separate files


----------



## Cookiegal (Aug 27, 2003)

That's good but none of them contained the location I was questioning. Can you upload a screenshot of this one please?

C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data


----------



## Catherine-N (Sep 12, 2012)

sorry - I missed the local settings bit - been a long day.

got the right one now I think and can see that file name from the other post. attached now, thanks.


----------



## Cookiegal (Aug 27, 2003)

Please right-click on the file in question and select "Properties". If you can take a screenshot of that it would be great.


----------



## Catherine-N (Sep 12, 2012)

Hi Cookiegal - lovely sunny day over here. Ok - did the properties print screen - now attached.

Incidentally - not sure if this is anything relevant, but I still have to manually start MSE and word takes an unbelievably long time to load.

Have a lovely day. Catherine.


----------



## Cookiegal (Aug 27, 2003)

I'd like a colleague to take a look at that file. I'm fairly certain it's malicious but the last time we deleted it was when the machine became unbootable so I'm being cautious. Please go to the forum *here* and upload this (these) file(s):


```
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
```
Here are the directions for uploading the file:

Just register to create an account then click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.


----------



## Catherine-N (Sep 12, 2012)

Hi Cookiegal,

Ok - I think I've done it properly....

here's the link:

http://thespykiller.co.uk/index.php?topic=9997.new#new

Thanks again.


----------



## Cookiegal (Aug 27, 2003)

OK, thanks. I know you can't see the upload but I can see it's there. We just have to wait to hear back about it.


----------



## Catherine-N (Sep 12, 2012)

So we have a reply - they said: "That is an empty file so we can do nothing with it."


----------



## Cookiegal (Aug 27, 2003)

As you can see at TheSpyKiller, I asked further questions about deleting this file. You can now go ahead and delete the file manually. 

Are you still having to restart MSE every time you reboot?


----------



## Catherine-N (Sep 12, 2012)

Thanks - have deleted it.

MSE seems to be ok if I don't switch the PC off at the wall. If I switch off at the wall and then have to go through the whole F2 setting date and time etc - then it seems to be off. But I don't mind that, I can live with it if it's not a bad thing.

Also - have noticed when I switch the PC on, it momentarily flashes at the screen - pick windows normal / pick recover console - and then flashes off and comes on with the logo and everything properly. Again - I don't mind that - so long as it's working I'm happy.

Thanks for all your help Cookiegal. I really appreciate the time you've given me & the other site's help too (will donate to Epham Forest hedgehogs!!)

So does that mean all the viruses removed now? Can I just check - will they have infected my 2 usb keys & if they have - can I just plug them in and scan them to remove any viruses? Many thanks for your advice. Catherine.


----------



## Catherine-N (Sep 12, 2012)

Oh - Apols - I hope I haven't spoken too soon...I just logged off and a dialogue box saying ending programme flashed up (cldn't catch name) and then a dialogue box popped up ending MSE and then finally a dialogue box popped up with a file name of lots of little "o" letters (or they may've been lots of degree symbols - looked like ooopoooooooooooo) - is that anything to be worried about?


----------



## TerryNet (Mar 23, 2005)

> If i switch off at wall and then have to go through the whole F2 setting date and time etc


That probably means that your BIOS battery is not charging. Replace it, or keep the PC plugged in.


----------



## Cookiegal (Aug 27, 2003)

I was going to say the same thing Terry did. The battery should keep the time when the computer is unplugged, if it's not for an extended period of time. Sounds like a battery failure. How old is this computer?

As for the programs shutting down, can you get a picture with a camera of what you're seeing and post it?

We can also check the Event Viewer for errors that may be occurring on shutdown.

Please go to *Start* - *Run* - type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## Catherine-N (Sep 12, 2012)

Thanks Terry & Cookiegal. It's about 7 yearsish maybe I think - yes someone said to me it was the internal battery - I just put up with it but obviously now I've had these viruses it's clearly a hazard - will definitely sort it out now & get myself down to the shop for a demo on how to fit one.

I'm not sure if i'll be able to capture as they flash up so fast but will try. Will do the event thing now.


----------



## Cookiegal (Aug 27, 2003)

Catherine-N said:


> Also - have noticed when I switch pc on, it momentarily flashes at the screen - pick windows normal / pick recover console - and then flashes off and comes on with the logo and everything properly. Again - I don't mind that - so long as it's working I'm happy


Sorry, I forgot to answer this question. This is the Recovery Console that we had you install using ComboFix. It will flash briefly as a boot option if you need to access it before automatically loading windows as the default option. If it's not a problem for you it's best to leave it as it can be useful to recover the system (and would have meant we could have used that without the need for borrowing an installation CD when your system wouldn't boot).


----------



## Catherine-N (Sep 12, 2012)

Ok - thanks. It's not a problem at all, and if it's a good thing, I'd rather keep it.

Have done the event log thing and have attached them here (3 more in next post) - there were some warnings as well so did those in case they're important. 

Will try & do photo of what flashes up but my reactions are quite slow so not holding my hopes up for catching anything....


----------



## Catherine-N (Sep 12, 2012)

Ok these were the only 2 application errors that were in the last few days.


----------



## Cookiegal (Aug 27, 2003)

Those could have all been pasted into one document so I've combined them all together and will post them here for easier reference. Also, it doesn't give the full error. Did you actually open them up before copying them?

EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 4.1.522.0, P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

****

The IP address lease 192.168.1.11 for the Network Card with network address 001B2F733B47 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*****

Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 001B2F733B47. The following error occurred: 
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

****

Your computer has automatically configured the IP address for the Network Card with network address 001B2F733B47. The IP address being used is 169.254.184.184.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

****

The server could not bind to the transport \Device\NetBT_Tcpip_{E5845F11-365B-433F-BB6D-550870630CDB}.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

****

The Kodak AiO Network Discovery Service service depends on the following nonexistent service: Bonjour Service

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

****

EventType mptelemetry, P1 unspecified, P2 hardeningtelemetry, P3 hardeningtelemetrydisablertp, P4 4.1.522.0, P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Catherine-N (Sep 12, 2012)

Hi Cookiegal - sorry about that - I didn't realize that would be ok (didn't actually occur to me to do that...) Sorry to put you to extra work. Yes I double clicked them....should I do them again? Should I be doing something with the links you've pasted?

RE: screen shots - I tried & tried last night and tonight to log on and off to get the dialogue boxes, but just like the car being ok when you take it to the garage - those funny ones (with ooooooooo) didn't pop up. I've attached the 2 that did - but it's just MSE and explorer (with the explorer one as all I'd done was log on and then log off - hadn't opened anything so not sure why it was working away)

Thanks again.


----------



## Catherine-N (Sep 12, 2012)

this time when I logged off, the oooooo dialogue box came up. Managed to get a photo but it's a bit blurry - attached. I wonder if it's because I have logged into a site on the internet - as that's the only difference between the other times when I was switching on and off.


Also, meant to say the MSE has been random as to whether it's on or off & doesn't appear to be anything to do with whether it's been on or off at the wall.


Also - when I just logged on again so that I could attach the ooooo photo, I now have the MSE icon in green and saying on when I double click it, but the Security Centre in red and telling me virus protection is off....don't know what to believe? Can't attach screen shot in word I took as it's too large and don't know how to make it smaller....

This is my second attempt at trying to do this as I got thrown off the internet (when I was trying to upload the files) I got a message saying click this link to find out how to avoid this happening in future - and this is the page it took me to: http://wer.microsoft.com/responses/...9&BucketHash=945f7217dc151e26a63cea192494c1bd

I'm so sorry to be taking up so much of your time - I feel really awful that I'm proving so problematic - will donate some more. If you think i'm a hopeless case & i need to just take the machine to the shop, I don't mind you saying so...


----------



## Cookiegal (Aug 27, 2003)

The screenshots are too small to make out what they say. Even if I enlarge them I still can't read it. Can you tell me what they say?


----------



## Catherine-N (Sep 12, 2012)

Last one's a bit blurry so not sure how many oooo's there are

1. *End program* - Microsoft Security Essentials

Ending programme please wait

If you choose to end the programme immediately you will lose any unsaved data. To end the programme now click end now

2. *End program* - explorer.exe

Ending programme please wait

If you choose to end the programme immediately you will lose any unsaved data. To end the programme now click end now

3. *End program* - ooooooooooooooooo

Ending programme please wait

If you choose to end the programme immediately you will lose any unsaved data. To end the programme now click end now


----------



## Cookiegal (Aug 27, 2003)

Please run OTL again and post the new log.


----------



## Catherine-N (Sep 12, 2012)

Thanks - here's the OTL text - incidentally another text popped up as well called Extras.txt - I don't remember it doing two last time, anyway will post the Extras one separately so you can see where one starts & one finishes:

OTL logfile created on: 10/10/2012 13:24:17 - Run 1
OTL by OldTimer - Version 3.2.66.0 Folder = C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

765.99 Mb Total Physical Memory | 322.48 Mb Available Physical Memory | 42.10% Memory free
1.83 Gb Paging File | 1.46 Gb Available in Paging File | 80.21% Paging File free
Paging file location(s): C:\pagefile.sys 1147 1147E:\pagef [Binary data over 200 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 4.97 Gb Free Space | 26.66% Space Free | Partition Type: NTFS

Computer Name: CATHERIN-ZGE1ZI | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/23 18:53:08 | 000,601,600 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\OTL.exe
PRC - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/09/12 17:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/07/29 20:52:22 | 000,976,728 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2012/07/29 20:52:20 | 001,673,048 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/09/02 09:23:28 | 001,638,400 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/28 18:38:57 | 000,054,784 | ---- | M] (Macrovision) -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE

========== Modules (No Company Name) ==========

MOD - [2012/06/06 17:52:56 | 000,520,464 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportMS.dll
MOD - [2012/02/01 14:43:10 | 000,557,056 | ---- | M] () -- C:\Program Files\Trusteer\Rapport\bin\js32.dll

========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/10/08 18:57:18 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/07/29 20:52:22 | 000,976,728 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/09/13 18:18:32 | 000,308,656 | ---- | M] (Eastman Kodak Company) [Auto | Stopped] -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe -- (Kodak AiO Network Discovery Service)
SRV - [2008/02/28 18:38:57 | 000,054,784 | ---- | M] (Macrovision) [Auto | Running] -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)
SRV - [2004/08/03 22:29:30 | 000,056,623 | ---- | M] (ATI Technologies Inc.) [Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ati1btxx.sys -- (Everet_)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (SANDRA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\emusba10.sys -- (emusba10)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1.CAT\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/08/11 15:26:29 | 000,228,376 | ---- | M] () [Kernel | System | Running] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys -- (RapportCerberus_42020)
DRV - [2012/07/29 20:52:38 | 000,166,840 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2012/07/29 20:52:38 | 000,071,480 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2012/07/29 20:52:38 | 000,065,848 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/06/06 17:52:51 | 000,021,520 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Running] -- c:\Documents and Settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys -- (RapportIaso)
DRV - [2012/01/10 19:58:02 | 000,022,050 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smb.sys -- (smbusp)
DRV - [2010/02/16 05:38:12 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/02/28 18:37:51 | 000,012,464 | ---- | M] (Macrovision Europe Ltd) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CdaC15BA.SYS -- (CdaC15BA)
DRV - [2007/02/27 14:31:28 | 000,021,504 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2006/07/24 16:05:00 | 000,005,632 | ---- | M] () [File_System | System | Running] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2006/03/27 17:53:28 | 000,167,808 | ---- | M] (NETGEAR Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wg111v2.sys -- (RTLWUSB)
DRV - [2003/12/08 11:53:48 | 000,053,600 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcan5wn.sys -- (alcan5wn)
DRV - [2003/12/08 11:53:46 | 000,070,688 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcaudsl.sys -- (alcaudsl)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {4ED64256-D2C7-48A2-93CA-71172E98F252}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{4ED64256-D2C7-48A2-93CA-71172E98F252}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1659004503-1897051121-682003330-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-1659004503-1897051121-682003330-500\..\SearchScopes,DefaultScope = {4ED64256-D2C7-48A2-93CA-71172E98F252}
IE - HKU\S-1-5-21-1659004503-1897051121-682003330-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-1659004503-1897051121-682003330-500\..\SearchScopes\{20F6C098-5252-458B-91F3-B1201AB3D1F8}: "URL" = http://uk.search.yahoo.com/search?p={searchTerms}&fr=FP-tab-web-t340&ei=UTF-8&meta=vc=
IE - HKU\S-1-5-21-1659004503-1897051121-682003330-500\..\SearchScopes\{4ED64256-D2C7-48A2-93CA-71172E98F252}: "URL" = http://www.google.com/search?q={sea...putEncoding}&sourceid=ie7&rlz=1I7ADFA_enGB483
IE - HKU\S-1-5-21-1659004503-1897051121-682003330-500\..\SearchScopes\{5C6A7172-72BD-481B-B6C5-1D6517A91047}: "URL" = http://www.bing.com/search?q={searchTerms}&form=IE8SRC&src=IE-SearchBox
IE - HKU\S-1-5-21-1659004503-1897051121-682003330-500\..\SearchScopes\{C671450A-FB91-48E9-BE07-60AD54D3A0D0}: "URL" = http://search.lycos.co.uk/cgi-bin/pursuit?SITE=uk&query={searchTerms}&cat=loc
IE - HKU\S-1-5-21-1659004503-1897051121-682003330-500\..\SearchScopes\{CCD6B7BE-C69A-4022-BF80-21FB59A32AC0}: "URL" = http://search.aol.co.uk/web?query={...nit=true&invocationType=aolhathp_uk_Po&avtype=
IE - HKU\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

[2006/10/15 19:48:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2006/10/15 19:43:48 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

O1 HOSTS File: ([2012/10/01 21:10:22 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1659004503-1897051121-682003330-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1659004503-1897051121-682003330-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1659004503-1897051121-682003330-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1659004503-1897051121-682003330-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: orange search - C:\Program Files\ORANGE4\Cache\SelectedContextSearch.htm ()
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E5845F11-365B-433F-BB6D-550870630CDB}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/10/06 11:37:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/05 19:24:51 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/10/04 16:36:53 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\aswMBR.exe
[2012/10/04 16:18:25 | 004,229,304 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\jre-6u34-windows-i586.exe
[2012/10/02 13:22:26 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/10/01 21:13:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/09/30 22:15:53 | 000,000,000 | ---D | C] -- C:\2ee1f7bdd3b675c42c7dc10467c760
[2012/09/30 21:36:25 | 004,759,381 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\puppy.exe
[2012/09/30 20:52:05 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\tdsskiller.exe
[2012/09/23 18:53:03 | 000,601,600 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\OTL.exe
[2012/09/23 11:25:57 | 000,000,000 | ---D | C] -- C:\_OTS
[2012/09/22 10:45:28 | 000,646,656 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\OTS.exe
[2012/09/20 16:13:51 | 000,000,000 | ---D | C] -- C:\puppy
[2012/09/19 18:31:18 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/09/19 18:28:32 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/09/19 18:28:32 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/09/19 18:28:32 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/09/19 18:28:32 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/09/19 18:28:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/09/19 18:28:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2012/09/12 14:56:58 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\dds.com
[2012/09/12 14:54:39 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\HijackThis.exe
[2012/09/12 14:09:15 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows OneCare Live
[2008/02/26 11:02:15 | 000,079,328 | ---- | C] (MCCI) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\mqdmserd.sys
[2008/02/26 11:02:15 | 000,005,936 | ---- | C] (MCCI) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\mqdmwhnt.sys
[2008/02/26 11:02:14 | 000,092,064 | ---- | C] (MCCI) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\mqdmmdm.sys
[2008/02/26 11:02:14 | 000,009,232 | ---- | C] (MCCI) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\mqdmmdfl.sys
[2008/02/26 11:02:14 | 000,004,048 | ---- | C] (MCCI) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\mqdmcr.sys
[2008/02/26 11:02:13 | 000,066,656 | ---- | C] (MCCI) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\mqdmbus.sys
[2008/02/26 11:02:13 | 000,006,208 | ---- | C] (MCCI) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\mqdmcmnt.sys
[2008/02/26 11:02:12 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\usbsermptxp.sys
[2008/02/26 11:02:11 | 000,022,768 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\usbsermpt.sys

========== Files - Modified Within 30 Days ==========

[2012/10/10 13:32:31 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/10/10 13:26:33 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{13B53172-B98C-4AF0-AC9B-BD5D56344E2C}.job
[2012/10/10 13:21:57 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/10/10 13:21:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/10/08 18:59:01 | 000,037,328 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\photoA.JPG
[2012/10/08 18:57:21 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/10/08 18:57:17 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/10/08 18:57:13 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/10/08 18:37:59 | 000,039,271 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\photo2.JPG
[2012/10/08 18:37:40 | 000,034,827 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\photo.JPG
[2012/10/05 19:30:04 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/10/04 18:49:48 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\MBR.dat
[2012/10/04 16:37:02 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\aswMBR.exe
[2012/10/04 16:18:30 | 004,229,304 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\jre-6u34-windows-i586.exe
[2012/10/01 22:03:46 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 21:10:22 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/10/01 20:46:51 | 004,759,381 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\puppy.exe
[2012/09/30 20:55:45 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\SystemLook.exe
[2012/09/30 20:52:31 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\tdsskiller.exe
[2012/09/23 19:19:38 | 000,012,146 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\AVGIDSAgent
[2012/09/23 18:53:08 | 000,601,600 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\OTL.exe
[2012/09/22 10:45:33 | 000,646,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\OTS.exe
[2012/09/19 18:31:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/09/19 18:16:19 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/12 15:00:42 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\3yiexhpn.exe
[2012/09/12 14:57:14 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\dds.com
[2012/09/12 14:55:08 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\HijackThis.exe

========== Files Created - No Company Name ==========

[2012/10/08 18:58:57 | 000,037,328 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\photoA.JPG
[2012/10/08 18:37:58 | 000,039,271 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\photo2.JPG
[2012/10/08 18:37:37 | 000,034,827 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\photo.JPG
[2012/10/05 19:27:50 | 000,001,698 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/10/04 16:39:13 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\MBR.dat
[2012/10/01 21:14:29 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/09/30 20:55:36 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\SystemLook.exe
[2012/09/23 19:19:38 | 000,012,146 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\AVGIDSAgent
[2012/09/19 18:31:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/09/19 18:31:20 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/09/19 18:28:32 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/09/19 18:28:32 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/09/19 18:28:32 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/09/19 18:28:32 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/09/19 18:28:32 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/09/19 18:16:19 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/12 15:00:39 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\3yiexhpn.exe
[2012/02/18 13:26:43 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2008/10/12 21:19:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\LauncherAccess.dt
[2008/06/16 19:43:11 | 000,063,730 | ---- | C] () -- C:\Program Files\viewsonicinstruct_xp.pdf
[2008/05/16 23:14:18 | 000,018,944 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/26 11:02:13 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\MCCI_MDM.INF
[2008/02/26 11:02:13 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\MCCI_SDM.INF
[2008/02/26 11:02:12 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\USB_MOT_BRIT.INF
[2008/02/26 11:02:12 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\MCCI_BUS.INF
[2008/02/26 11:02:12 | 000,006,141 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\USBMOT2000XP.INF
[2008/02/26 11:02:12 | 000,005,960 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\USB_MOT_A1000.INF
[2008/02/26 11:02:12 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\USB_CMCS_2000.INF
[2008/02/26 11:02:11 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\USBMOT2000.INF

========== ZeroAccess Check ==========

[2007/09/22 21:35:35 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 01:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 01:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
< End of report >


----------
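The OTL.txt above is worth reading against the persistence points that lock-screen ("police"/Ukash-style) ransomware most often abuses: the Winlogon Shell and UserInit values (O20), the exefile/comfile open command (O35/O37, and "Shell Spawning" in Extras.txt), and Run/Startup entries (O4) that point into user-writable directories. In this log all of them still hold the Windows XP defaults. The script below is an added example, not part of Catherine-N's post and not OTL's own code: it parses lines in OTL's format and flags deviations from those defaults. The sample input is constructed for the example: six lines copied from the log above as a clean baseline, plus two hand-made lines (a hypothetical `lockscr.exe` in a user profile) showing what a hijack of the same keys looks like. The user-writable-path rule is a review heuristic, not a verdict; legitimate software on this machine (Trusteer Rapport) also runs from `All Users.WINDOWS\Application Data`.

```python
import ntpath
import re

# Constructed sample input. Lines 1-6 are copied from the OTL log posted above
# (clean XP defaults). Lines 7-8 are hand-made; "lockscr.exe" and its paths are
# hypothetical and were not found on this machine.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O35 - HKLM\..exefile [open] -- "%1" %*
O4 - HKCU..\Run: [ctfmon] C:\Documents and Settings\User\Local Settings\Temp\lockscr.exe ()
O20 - HKCU Winlogon: Shell - (C:\Documents and Settings\User\Application Data\lockscr.exe) - C:\Documents and Settings\User\Application Data\lockscr.exe ()
"""

# Line shapes as OTL prints them (O4 Run, O4 Startup, O20 Winlogon, O35/O37 associations).
RUN_RE = re.compile(r'^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*?) \((?P<company>[^)]*)\)$')
STARTUP_RE = re.compile(r'^O4 - Startup: (?P<lnk>.*?) = (?P<path>.*?) \((?P<company>[^)]*)\)$')
WINLOGON_RE = re.compile(r'^O20 - (?P<hive>\S+) Winlogon: (?P<value>Shell|UserInit) - \((?P<data>.*)\) - (?P<path>.*?) \((?P<company>[^)]*)\)$')
ASSOC_RE = re.compile(r'^O3[57] - (?P<key>.*?) -- (?P<cmd>.*)$')

# Windows XP defaults for the three persistence points.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = "userinit.exe"
EXPECTED_EXE_OPEN = '"%1" %*'

# Directories an unprivileged user can write to; autoruns launched from here
# deserve a look (heuristic: legitimate software sometimes lives there too).
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\", "\\recycler\\")


def looks_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def audit(text):
    """Return (finding_kind, offending_line) pairs for OTL-style log text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()

        m = WINLOGON_RE.match(line)
        if m:
            # Registry stores "...\userinit.exe," with a trailing comma; strip it.
            data = m.group("data").strip().rstrip(",")
            exe = ntpath.basename(data).lower()
            expected = EXPECTED_SHELL if m.group("value") == "Shell" else EXPECTED_USERINIT
            if exe != expected or looks_user_writable(data):
                findings.append(("winlogon_hijack", line))
            continue

        m = ASSOC_RE.match(line)
        if m:
            # Anything other than "%1" %* on exefile means every .exe launch
            # is routed through another program first.
            if "exefile" in m.group("key") and m.group("cmd").strip() != EXPECTED_EXE_OPEN:
                findings.append(("exe_association_hijack", line))
            continue

        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m and (looks_user_writable(m.group("path")) or not m.group("company")):
            findings.append(("suspicious_autorun", line))
    return findings


if __name__ == "__main__":
    for kind, offending in audit(SAMPLE_LOG):
        print(kind, "::", offending)
```

Run against a real OTL.txt (`audit(open("OTL.txt", encoding="utf-8", errors="replace").read())`), an empty result for the first two rules is the thing to look for after cleaning: if Shell, UserInit and exefile are intact and the O4 entries are known software, a lock screen that still reappears is being started from somewhere else (a service, a scheduled task, a DLL load such as the O20 Notify entries) and those sections of the log are the next place to look.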



## Catherine-N (Sep 12, 2012)

And here's the one from Extras.Txt

OTL Extras logfile created on: 10/10/2012 13:24:17 - Run 1
OTL by OldTimer - Version 3.2.66.0 Folder = C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

765.99 Mb Total Physical Memory | 322.48 Mb Available Physical Memory | 42.10% Memory free
1.83 Gb Paging File | 1.46 Gb Available in Paging File | 80.21% Paging File free
Paging file location(s): C:\pagefile.sys 1147 1147E:\pagef [Binary data over 200 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 4.97 Gb Free Space | 26.66% Space Free | Partition Type: NTFS

Computer Name: CATHERIN-ZGE1ZI | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = SafariHTML] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
https [open] -- "C:\Program Files\Safari\Safari.exe" -url "%1"
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [ACDSee 9.0.Browse] -- "C:\Program Files\ACD Systems\ACDSee\9.0\ACDSeeQV.exe" "%1" (ACD Systems Ltd.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabledxpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabledxpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabledxpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabledxpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabledxpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabledxpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabledxpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabledxpsp2res.dll,-22002
"9322:TCP" = 9322:TCP:*:Enabled:EKDiscovery
"5353:UDP" = 5353:UDP:*:Enabled:Bonjour Port 5353

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe" = C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe:*:Enabled:Kodak.AiO.HomeCenter -- (Eastman Kodak Company)
"C:\Program Files\Kodak\AiO\Center\Kodak.Statistics.exe" = C:\Program Files\Kodak\AiO\Center\Kodak.Statistics.exe:*:Enabled:Kodak.AiO.Statistics -- (Eastman Kodak Company)
"C:\Program Files\Kodak\AiO\Center\NetworkPrinterDiscovery.exe" = C:\Program Files\Kodak\AiO\Center\NetworkPrinterDiscovery.exe:*:Enabled:Kodak.AiO.SetupUtility -- (Eastman Kodak Company)
"C:\Program Files\Kodak\AiO\Firmware\KodakAiOUpdater.exe" = C:\Program Files\Kodak\AiO\Firmware\KodakAiOUpdater.exe:*:Enabled:Kodak.AiO.FwUpdater -- (Eastman Kodak Company)
"C:\Documents and Settings\All Users.WINDOWS\Application Data\Kodak\Installer\Setup.exe" = C:\Documents and Settings\All Users.WINDOWS\Application Data\Kodak\Installer\Setup.exe:*:Enabled:Kodak.AiO.Installer -- (Eastman Kodak Company)
"C:\WINDOWS\network diagnostic\xpnetdiag.exe" = C:\WINDOWS\network diagnostic\xpnetdiag.exe:*:Enabled:Network Diagnostic for Windows XP -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0645A454-AD44-4F0D-99CF-6B762735AD1F}" = aioprnt
"{10934A28-0CC6-4B98-A14F-76B3546003AF}" = ksDIP
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{216EAAD9-D733-4141-BEAF-2C0B6F6B1D04}" = AmpliTube LE
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{48B41C3A-9A92-4B81-B653-C97FEB85C910}" = C4USelfUpdater
"{56BA241F-580C-43D2-8403-947241AAE633}" = center
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{92022F8E-2E55-4A16-88EB-B4778B35E942}" = ACDSee for PENTAX 3.0
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{98EABC7F-B1A1-43A5-B505-5B4EC3908DCD}" = Microsoft Security Client
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4FEA924-630D-11D4-B78E-005004566E4D}" = ViewSonic Monitor Drivers
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4A4722E-79F9-417C-BD72-8D359A090C97}" = Samsung PC Studio 3
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DA5BDB2A-12F0-4343-8351-21AAEB293990}" = PreReq
"{DE6B7599-D3EF-4436-8836-BAA0B0D7768D}" = aiofw
"{E0F252A6-DE85-4E93-A93B-DFC3537B3965}" = NETGEAR WG111v2 wireless USB 2.0 adapter
"{E0F274B7-592B-4669-8FB8-8D9825A09858}" = KODAK AiO Home Centre
"{E89B484C-B913-49A0-959B-89E836001658}" = GEAR 32bit Driver Installer
"{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}" = Samsung PC Studio 3 USB Driver Installer
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{FE24086F-3B0C-4C47-A874-97A7B8E2FBBE}" = aioscnnr
"Adobe Acrobat 4.0" = Adobe Acrobat 4.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"CdaC13Ba" = SafeCast Shared Components
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{E0F252A6-DE85-4E93-A93B-DFC3537B3965}" = NETGEAR WG111v2 wireless USB 2.0 adapter
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"orange4" = Orange Search Toolbar
"PROSet" = Intel(R) PRO Ethernet Adapter and Software
"Rapport_msi" = Rapport
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 30/09/2012 14:33:11 | Computer Name = CATHERIN-ZGE1ZI | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P2 4.0.1526.0, P3 timeout, P4 1.1.8704.0, P5 fixed, P6 1 _ 1024, P7 5 _ not boot,
P8 NIL, P9 NIL, P10 NIL.

Error - 30/09/2012 14:33:12 | Computer Name = CATHERIN-ZGE1ZI | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P2 4.0.1526.0, P3 passthrough, P4 1.1.8704.0, P5 fixed, P6 1 _ 1024, P7 5 _ not
boot, P8 NIL, P9 NIL, P10 NIL.

Error - 30/09/2012 14:45:35 | Computer Name = CATHERIN-ZGE1ZI | Source = Microsoft Security Client | ID = 5000
Description =

Error - 30/09/2012 14:57:43 | Computer Name = CATHERIN-ZGE1ZI | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x8000ffff, P2 patchapplication, P3 am bde,
P4 11.1.3927.0, P5 mpsigstub.exe, P6 4.0.1526.0, P7 microsoft security essentials,
P8 NIL, P9 NIL, P10 NIL.

Error - 01/10/2012 15:49:27 | Computer Name = CATHERIN-ZGE1ZI | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 unspecified, P2 hardeningtelemetry, P3 hardeningtelemetrydisablertp,
P4 4.1.522.0, P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10
NIL.

Error - 05/10/2012 14:27:18 | Computer Name = CATHERIN-ZGE1ZI | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 4.1.522.0,
P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 08/10/2012 14:14:39 | Computer Name = CATHERIN-ZGE1ZI | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 08/10/2012 14:14:39 | Computer Name = CATHERIN-ZGE1ZI | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 08/10/2012 14:15:02 | Computer Name = CATHERIN-ZGE1ZI | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 08/10/2012 14:15:06 | Computer Name = CATHERIN-ZGE1ZI | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

[ OSession Events ]
Error - 07/10/2007 13:08:03 | Computer Name = CATHERIN-ZGE1ZI | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

[ System Events ]
Error - 07/10/2012 13:59:45 | Computer Name = CATHERIN-ZGE1ZI | Source = Service Control Manager | ID = 7003
Description = The Kodak AiO Network Discovery Service service depends on the following
nonexistent service: Bonjour Service

Error - 07/10/2012 17:34:49 | Computer Name = CATHERIN-ZGE1ZI | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 07/10/2012 17:34:49 | Computer Name = CATHERIN-ZGE1ZI | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 07/10/2012 17:34:53 | Computer Name = CATHERIN-ZGE1ZI | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 07/10/2012 17:34:53 | Computer Name = CATHERIN-ZGE1ZI | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 08/10/2012 13:32:54 | Computer Name = CATHERIN-ZGE1ZI | Source = Service Control Manager | ID = 7003
Description = The Kodak AiO Network Discovery Service service depends on the following
nonexistent service: Bonjour Service

Error - 08/10/2012 13:35:01 | Computer Name = CATHERIN-ZGE1ZI | Source = Service Control Manager | ID = 7003
Description = The Kodak AiO Network Discovery Service service depends on the following
nonexistent service: Bonjour Service

Error - 08/10/2012 13:40:08 | Computer Name = CATHERIN-ZGE1ZI | Source = Service Control Manager | ID = 7003
Description = The Kodak AiO Network Discovery Service service depends on the following
nonexistent service: Bonjour Service

Error - 08/10/2012 13:54:24 | Computer Name = CATHERIN-ZGE1ZI | Source = Service Control Manager | ID = 7003
Description = The Kodak AiO Network Discovery Service service depends on the following
nonexistent service: Bonjour Service

Error - 10/10/2012 08:21:47 | Computer Name = CATHERIN-ZGE1ZI | Source = Service Control Manager | ID = 7003
Description = The Kodak AiO Network Discovery Service service depends on the following
nonexistent service: Bonjour Service

< End of report >


----------



## Cookiegal (Aug 27, 2003)

Did you uninstall the Bonjour Service at some point?

Do you get these notices on every shutdown?

Please run OTL again but this time make the following changes:

Under Processes, select "All" (instead of "Use Safe List") and do the same under "Services", "Modules" and "Drivers" then run the scan and post the log please.


----------



## Catherine-N (Sep 12, 2012)

Hi Cookiegal - apols only just seen this - email went into bulk. Will do OTL tom as away for the night. Re: Bonjour services - I don't know - maybe I did on one of the times when I thought if I removed packages I didn't think I used the machine would go faster & clear up more gigs of RAM or whatever space is called. I've noticed it says associated with Kodak, that's my printer & it works OK so whatever Bonjour did it hasn't stopped the printer from working.

Re: notices - not on every shutdown, but I particularly notice them after I've logged into Tech Guy or Yahoo to do things as instructed.


----------



## Cookiegal (Aug 27, 2003)

OK, thanks.


----------



## Catherine-N (Sep 12, 2012)

Good evening. Have been trying to paste & post intermittently since 5 pm UK time. Have checked Task Manager - when I log into Tech Guy the CPU usage history is a long line at the highest point & then when I hit Post Reply it trucks along - the CPU usage history drops, but I eventually get redirected to the following page with nothing on it

http://forums.techguy.org/newreply.php?do=postreply&t=1068691&503retry=1

So am going to try & see if I can load the file as an attachment...thanks.


----------



## Catherine-N (Sep 12, 2012)

Not sure if this is relevant, but just in case it's relevant - I just logged off after the last post and shut down the internet - and discovered I'd lost my background picture that was tiled across my desktop... not sure how that happened or if it's relevant. (CPU usage history at top line again as it's been every time I log onto the site...) Thanks


----------



## Cookiegal (Aug 27, 2003)

Let's try disabling the Kodak AiO Network Discovery Service and see if it affects the printer. If not then we can leave it disabled because it keeps trying to start but shuts down because the Bonjour Service is not there.

Go to *Start* - *Run* - type in *msconfig* then hit Enter. Now click on the Services tab. Scroll down to this one:

Kodak AiO Network Discovery Service

Uncheck it then click Apply and OK. Let me know if there's any problem with the printer after doing this.

Also, the error message you get with a bunch of "ooooos" is intriguing. Let's see if we can find anything that looks like that.

Please run SystemLook again. I'll post the full instructions in case you don't have it installed any longer.

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*
Double-click *SystemLook.exe* to run it.
Copy the content of the following code box into the main text field:

```
:filefind
*ooooo*
:regfind
ooooo
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*

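The Service Control Manager 7003 entries quoted earlier in this thread repeat the same dependency failure on every boot, which is why disabling the dependent service is the sensible fix. As an added example (not part of this thread, and not code from OTL or its author), here is a small Python parser for the layout of OTL's "Last 20 Event Log Errors" section: it groups the errors by source and event ID so repeats stand out, and pulls out which service depends on which missing one. The embedded log excerpt is constructed to mirror the thread's entries, trimmed to a few records.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the OTL "Last 20 Event Log Errors" layout
# (a trimmed excerpt modelled on the thread's log, not a complete report).
SAMPLE_LOG = """\
[ Application Events ]
Error - 08/10/2012 14:14:39 | Computer Name = CATHERIN-ZGE1ZI | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 07/10/2012 13:59:45 | Computer Name = CATHERIN-ZGE1ZI | Source = Service Control Manager | ID = 7003
Description = The Kodak AiO Network Discovery Service service depends on the following
nonexistent service: Bonjour Service

Error - 07/10/2012 17:34:49 | Computer Name = CATHERIN-ZGE1ZI | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 08/10/2012 13:32:54 | Computer Name = CATHERIN-ZGE1ZI | Source = Service Control Manager | ID = 7003
Description = The Kodak AiO Network Discovery Service service depends on the following
nonexistent service: Bonjour Service
"""

SECTION_RE = re.compile(r"^\[ (.+?) \]$")
HEADER_RE = re.compile(
    r"^Error - (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \| "
    r"Computer Name = (?P<host>\S+) \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$"
)
DEPENDS_RE = re.compile(
    r"The (?P<service>.+?) service depends on the following nonexistent service: (?P<missing>.+)$"
)


def parse_otl_events(text):
    """Return a list of event dicts from an OTL event-log section.

    OTL wraps long descriptions over several lines; continuation lines are
    joined with single spaces until a blank line, the next "Error -" header,
    or a new "[ Section ]" heading ends the record.
    """
    events = []
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {
                "section": section,
                "time": datetime.strptime(m.group("ts"), "%d/%m/%Y %H:%M:%S"),
                "host": m.group("host"),
                "source": m.group("source"),
                "id": int(m.group("id")),
                "description": "",
            }
            events.append(current)
            continue
        if not line:
            current = None
            continue
        if current is not None:
            body = line[len("Description ="):] if line.startswith("Description =") else line
            current["description"] = (current["description"] + " " + body.strip()).strip()
    return events


def count_by_source_and_id(events):
    """Histogram of (source, event id): a repeated pair is one recurring condition, not many faults."""
    return Counter((e["source"], e["id"]) for e in events)


def missing_dependencies(events):
    """Map each service that logged SCM event 7003 to the dependency it could not find."""
    result = {}
    for e in events:
        if e["source"] == "Service Control Manager" and e["id"] == 7003:
            m = DEPENDS_RE.search(e["description"])
            if m:
                result[m.group("service")] = m.group("missing")
    return result


if __name__ == "__main__":
    evs = parse_otl_events(SAMPLE_LOG)
    for (src, eid), n in count_by_source_and_id(evs).most_common():
        print(f"{n:3d}  {src} / {eid}")
    for svc, dep in missing_dependencies(evs).items():
        print(f"{svc!r} depends on missing service {dep!r}")
```

Run it on the full "Last 20 Event Log Errors" block pasted into `SAMPLE_LOG` (or read from the saved OTL.txt) and the output tells you at a glance which entries are one repeating condition and which are worth chasing individually.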

----------



## Cookiegal (Aug 27, 2003)

Catherine-N said:


> Good evening. Have been trying to paste & post intermittently since 5 pm UK time. Have checked Task Manager - when I log into Tech Guy the CPU usage history is a long line at the highest point & then when I hit Post Reply it trucks along - the CPU usage history drops, but I eventually get redirected to the following page with nothing on it
> 
> http://forums.techguy.org/newreply.php?do=postreply&t=1068691&503retry=1


Unfortunately, that happens from time to time when there's a glitch with the database server at TSG.


----------



## Catherine-N (Sep 12, 2012)

Re: post 133 - OK thanks for explaining - I thought it was my computer. PC taking an inordinately long time to load pages on the internet, but it always did so not sure if that means there was always a virus before the Ukash thing or just my computer's rubbish.

Have unclicked the Kodak thing and it said it needed to reboot (incidentally - when I agreed to shut it down, it momentarily flashed up my old wallpaper picture that I had tiled). No error messages though (and actually I realize now there was no error message when I shut down after losing the wallpaper earlier on before my last post). Could it've been that photo? I've right-clicked on the desktop & clicked Properties, and I can still see the photo name - but it seems to have no image....

Anyway - logged back on - printer printed a doc in word fine so assume it doesn't need that kodak thing to work. 

As soon as I logged on a message came up saying however - "Service Configuration Utility. You have used Svs Config Ut. to make changes to the way Windows starts. The SCU is currently running in Diagnostic or Selective startup mode, causing this message to be displayed & the utility to run every time Windows starts. Choose the Normal setup on the General tab to start Windows normally and undo the changes you made using the SCU".

I clicked OK - and then the SCU box came up again - I could see it was checked by Selective startup mode in the General tab - I don't understand why though as I only went to the Services tab and unchecked the Kodak thing. I logged off and logged on again to see if anything happened differently (the wallpaper picture popped up again as it shut down) & when it switched back on again, the same dialogue message and the SCU box popping up after happened.

Anyway...not sure if any of that is important and/or relevant.

Did Systemlook - didn't find anything - here's the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 22:02 on 13/10/2012 by Administrator
Administrator - Elevation successful
========== filefind ==========
Searching for "*ooooo*"
No files found.
========== regfind ==========
Searching for "ooooo"
No data found.
-= EOF =-

Thanks for your perseverance & help with me!!


----------



## Cookiegal (Aug 27, 2003)

Let's run SystemLook again with the following script please.


```
:filefind
*drivinit*
*scptsd*
:Dir
C:\WINDOWS\CSC
c:\recycler\S-1-5-21-1659004503-1897051121-682003330-500
```


----------



## Catherine-N (Sep 12, 2012)

OK thanks - am working long days today and tomorrow so won't be able to do the next steps until Wednesday.


----------



## Cookiegal (Aug 27, 2003)

That's fine.


----------



## Catherine-N (Sep 12, 2012)

Afternoon. As my latest bedtime reading has become, slightly obsessively, virus and related, I don't know if this is useful/relevant, but I read somewhere that you could look at your Task Manager & Google what the various things running were to see if there was anything odd. All of the names I checked seemed OK, but what did strike me as odd was that I had an explorer.exe which ran at between 18-12k memory usage, and then when I opened Explorer (which took 5 minutes to load for some reason) I could see two iexplore.exe - now I read somewhere that's OK - but that if they used more than 40k then be worried... well, one uses between 13-35k and the other one starts off at around 25k and continues to rise and rise up to 131k so far... As for CPU usage, the thing that seems to use it most is the System Idle Process - even though I'm doing something & it's not idle... I do appreciate I don't know what I'm talking about(!) but thought it might be helpful to you to know what's going on with the machine this end on that side of things.

Second thing - the service utility dialogue box is still coming up when I log on and says I'm in selective login and asks me do I want to restart etc etc. Also the ooooo's - came up again when I rebooted just now and they're not zeros but more like little squares - it was up for a while but couldn't quite get my camera to hand in time. Will be ready for it next time!

Anyway. Have done the next system look and text file below- Thanks:

SystemLook 30.07.11 by jpshortstuff
Log created at 14:30 on 17/10/2012 by Administrator
Administrator - Elevation successful
========== filefind ==========
Searching for "*drivinit*"
No files found.
Searching for "*scptsd*"
No files found.
========== Dir ==========
C:\WINDOWS\CSC - Parameters: "(none)"
---Files---
00000001 --a-s-- 64 bytes [15:35 09/09/2012] [18:13 23/09/2012]
00000002 --a-s-- 64 bytes [15:35 09/09/2012] [15:35 09/09/2012]
---Folders---
d1 d------ [15:35 09/09/2012]
d2 d------ [15:35 09/09/2012]
d3 d------ [15:35 09/09/2012]
d4 d------ [15:35 09/09/2012]
d5 d------ [15:35 09/09/2012]
d6 d------ [15:35 09/09/2012]
d7 d------ [15:35 09/09/2012]
d8 d------ [15:35 09/09/2012]
c:\recycler\S-1-5-21-1659004503-1897051121-682003330-500 - Parameters: "(none)"
---Files---
desktop.ini ---hsc- 65 bytes [12:22 02/10/2012] [13:09 17/10/2012]
INFO2 --ah-c- 20 bytes [12:22 02/10/2012] [13:13 17/10/2012]
---Folders---
None found.
-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

The tools we've been using show us what's running in the Task Manager. It's common for CPU usage to go up depending on what you're doing at the time, like watching a video or something like that which is resource intensive.

System Idle will generally be the highest, even when you're doing something. Whatever you're doing will be reflected in the usage of the other application and System Idle will have the rest of the available resources.

But it seems there are still some issues, and because this thread is quite lengthy now, can you please give me a summary of what problems remain?


----------



## Catherine-N (Sep 12, 2012)

Thanks. Yes - it is, isn't it.

Ok summary:

System Config Utility dialogue box still comes up once turned on re: selective start up - this has been since we unticked the kodak package.

The following I can live with and provided it's not because of a virus I don't really mind:

Lost the desktop picture - only appears briefly when I turn computer on and when I shut down, then just a blue screen
V slow loading internet page (approx 1.5 - 3 mins)
No space - yet I hardly have any files saved on the C drive.
The little square boxes dialogue box (or ooo's) which comes up intermittently when I shut down

As I say - I can live with the 4 above provided they're not virus related and accept i may just have to wait to buy a new machine for a faster life.

If I'm clear of viruses now - thanks v much for your help!


----------



## Cookiegal (Aug 27, 2003)

OK, thanks for that.

The utility that comes up has an option to check so that it doesn't appear again. The next time you see it, put a check in that box and then click on OK.

Let's run DDS again but we'll grab the latest version so please delete the one you have by dragging it to the Recycle Bin.

Please download DDS by sUBs to your desktop from the following location:

http://download.bleepingcomputer.com/sUBs/dds.scr

Double-click the *dds.scr* file to run the program.

It will automatically run in silent mode and then you will see the following note:

"Two logs shall be created on your Desktop"

The logs will be named *dds.txt* and *attach.txt*.

Wait until the logs appear and then copy and paste their contents in your post.


----------



## Catherine-N (Sep 12, 2012)

Thanks - sorry for delay - here's the first log - DDS.txt:

DDS (Ver_2012-10-19.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by Administrator at 17:01:01 on 2012-10-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.400 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Conime] c:\windows\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: orange search - c:\program files\orange4\cache\SelectedContextSearch.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{E5845F11-365B-433F-BB6D-550870630CDB} : DHCPNameServer = 192.168.1.1
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-7-29 65848]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_42020.sys [2012-8-11 228376]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-7-29 71480]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-7-29 166840]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-17 399432]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-9-9 22856]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-6-6 21520]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-3-27 167808]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-9-9 676936]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-7 250808]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\drivers\emusba10.sys --> c:\windows\system32\drivers\emusba10.sys [?]
S4 Everet_;Everet_;c:\windows\system32\drivers\ati1btxx.sys [2007-9-22 56623]
S4 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-9-13 308656]
.
=============== Created Last 30 ================
.
2012-10-20 15:56:04 6918632 -c--a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{e0431ba5-d9a2-4180-b9ed-41f5654afa79}\mpengine.dll
2012-10-18 15:44:40 6918632 -c----w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-10-13 20:46:23 -------- dc----w- c:\windows\pss
2012-10-05 18:24:51 -------- dc----w- c:\program files\Microsoft Security Client
2012-09-30 21:15:53 -------- dc----w- C:\2ee1f7bdd3b675c42c7dc10467c760
2012-09-23 10:25:57 -------- dc----w- C:\_OTS
.
==================== Find3M ====================
.
2012-10-08 17:57:17 696760 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-08 17:57:13 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-07 16:04:46 22856 -c--a-w- c:\windows\system32\drivers\mbam.sys
2012-08-30 21:03:50 193552 -c--a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14:53 916992 -c--a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 -c--a-w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 -c--a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:29:19 2192896 -c--a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58:06 2069632 -c--a-w- c:\windows\system32\ntkrnlpa.exe
2012-07-29 19:52:38 65848 -c--a-w- c:\windows\system32\drivers\RapportKELL.sys
.
============= FINISH: 17:08:43.03 ===============


----------



## Catherine-N (Sep 12, 2012)

& here's the attach.txt one - thanks again.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-10-19.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 22/09/2007 19:37:09
System Uptime: 20/10/2012 16:45:28 (1 hours ago)
.
Motherboard: Dell Computer Corp. | | 02X378
Processor: Intel(R) Pentium(R) 4 CPU 2.00GHz | Microprocessor | 1992/400mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 19 GiB total, 5.13 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1098: 13/10/2012 15:58:44 - Software Distribution Service 3.0
RP1099: 17/10/2012 15:18:57 - Software Distribution Service 3.0
RP1100: 18/10/2012 16:43:19 - Software Distribution Service 3.0
RP1101: 20/10/2012 16:55:52 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
ACDSee for PENTAX 3.0
Adobe Acrobat 4.0
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player 11.5
aiofw
aioprnt
aioscnnr
AmpliTube LE
C4USelfUpdater
center
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
GEAR 32bit Driver Installer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Extreme Graphics Driver
Intel(R) PRO Ethernet Adapter and Software
KODAK AiO Home Centre
ksDIP
Malwarebytes Anti-Malware version 1.65.0.1400
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
NETGEAR WG111v2 wireless USB 2.0 adapter
OGA Notifier 2.0.0048.0
Orange Search Toolbar
PreReq
Rapport
SafeCast Shared Components
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SoundMAX
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
ViewSonic Monitor Drivers
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
13/10/2012 22:04:51, error: Dhcp [1002] - The IP address lease 192.168.1.11 for the Network Card with network address 001B2F733B47 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
13/10/2012 15:51:25, error: Service Control Manager [7003] - The Kodak AiO Network Discovery Service service depends on the following nonexistent service: Bonjour Service
.
==== End Of File ===========================


----------



## Cookiegal (Aug 27, 2003)

Please go to *Start* - *Run* - type *msconfig*, click OK and click on the *Startup* tab. Uncheck everything there except for your anti-virus program. Then reboot and let me know if the problems persist please.


----------



## Catherine-N (Sep 12, 2012)

Ok -

internet page definitely seems to load much more quickly now so thanks for that.

other things the same, i.e.:
desktop picture still only showing briefly when I log on or shut down
still not much space considering i hardly have anything saved to to the c drive


----------



## TerryNet (Mar 23, 2005)

> desktop picture still only showing briefly when I log on or shut down


That used to happen to me, but I cannot remember the cause or the fix. I think--no guarantees--that the fix is to set the background picture to NONE, reboot, and then set it to the picture you want.


----------



## Cookiegal (Aug 27, 2003)

I was going to suggest what Terry did. That may fix it.

How much RAM do you have? Your computer specs show only 768 mb so that's not much for XP. You should at least bring it up to 1024 MB.


----------



## Cookiegal (Aug 27, 2003)

It looks to be a very small hard drive. How old is this computer? What's the make and model?
Go to *Start* - *My Computer* - then right-click on *Local Disk (C:)* and select "properties". Please report back what it says for "total capacity" as well as for "used space" and "free space".


----------



## Catherine-N (Sep 12, 2012)

Thanks Terry & Cookiegal.

Desktop picture - did as Terry suggested. Lost the pic flashing up, but it's also not an option to choose anymore - original is on the USB key (that I don't plug in anymore) as I only keep a few files on the C drive and the file name's not showing in the property sections anymore. Anyway, have selected a diff jpg and that seems to be ok and showing now.

I don't know how to tell how much RAM I have? A flatmate I had 3 years ago-ish who knew about these things bought something space-wise for me & added it to the machine, and it did work faster after he fitted it - only more recently it's got so slow.

It's about 7ish?8ish yrs? Make & model...I think it's an Optiplex GX260 or 280 

Total capacity (it didn't say total - just capacity) - 20,012,072,960 bytes 18.6 GB
Used 14,247,235,584 bytes 13.2 GB
Free 5,764,837,376 bytes 5.36 GB


----------



## Cookiegal (Aug 27, 2003)

Click on Start and then right-click on "My Computer" and select "properties". Click on the General tab and it will show you how much RAM you have under "Computer:" near the bottom. I'm pretty sure it's 768 as it shipped with 512 and your friend likely added another 256 three years ago. It looks like this model supports up to 2 GB of RAM so it would be good to add more. I'm sure you will notice a difference.

You should take a look at the programs listed in the Control Panel - Add or Remove Programs and uninstall any that you no longer use and aren't needed to free up more space.

Do you defragment the computer regularly?


----------



## TerryNet (Mar 23, 2005)

Continuing the RAM theme ...

Open Task Manager after you have been running for awhile and take a look at the Total Physical Memory and Peak Commit Charge. If the Peak is getting above your physical memory (as in my attachment) you are paging, and more memory will help. After several years my Dell desktop with XP got noticeably slower and I noticed numbers similar to the attached. Bought another 1 GB for 1.5 GB total and performance markedly increased (after that my Peak never exceeded 1 GB so I bought more than needed).


----------



## Catherine-N (Sep 12, 2012)

OK, it says I have 1.99 GHz, 768 MB RAM

So yes - it is 768.

I defragment the other PC as they specifically told me to do it monthly. I did start doing this one too - but more recently it said I didn't have enough space to perform the operation & to remove unwanted programmes - which I did, but there don't seem to be that many programmes installed (can't remove the Samsung thing as it never lets me).

Re: Terry's post - haven't been on that long but the commit just got close to the Physical number. 

Looks like I definitely have to buy some more memory and get it installed.

Thanks for your help, both. Catherine. Oo - commit just exceeded physical!!!


----------



## TerryNet (Mar 23, 2005)

I'm pretty clueless at figuring out memory chips and have always relied on the Crucial scan to determine what I can get for a particular system. You will probably discover that you have two slots now occupied by 512 and 256 MB chips. So, to add memory, if my prediction is accurate, you will need to replace at least one of those.


----------



## Cookiegal (Aug 27, 2003)

Are you still getting that error with the zeros in it on shutdown? If so, the next time it occurs, please check the Event Viewer to see if anything was generated under both Application and System.


----------



## Catherine-N (Sep 12, 2012)

It didn't happen Saturday nor today - I wonder if it was something to do with the old desktop picture which, when I unchose it and rebooted, the file name disappeared?

It seems the only prob now is the speed and I can solve that with buying some memory.

Thanks so much for your help - I've learnt about viruses and how convincing they can be - like that platinum one - would've really fooled me if I'd not had your help, so many thanks. Really appreciate the time and advice you've given me - and Terry's time/advice too. What a great site


----------



## Cookiegal (Aug 27, 2003)

That's possible. You're quite welcome. 

Here are some final instructions for you.

As with any infection, I recommend that you change all passwords for logging into sites that you use on your computer as a precaution.

Please open OTS again and click on the button that says "CleanUp" at the top. This will remove some of the tools we've used and will also uninstall the OTS program.

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *ComboFix /uninstall* in the runbox and click *OK*. Note the *space* between the *X* and the */uninstall*, it needs to be there (the screenshot is just for illustration purposes but the actual command uses the entire word "uninstall" and not just the "u" as shown in the picture).

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.


----------



## Catherine-N (Sep 12, 2012)

Ok - have done all instructions. 

System restore was actually already off - though I didn't realize and so actually turned it on, rebooted, realized it must've been already off the first time but turned it off again anyway & rebooted & then turned it on again....

It's sod's law, but when it rebooted after the OTS instructions, the zeros/little squares came up for ages and gave me plenty of time to take a photo - so have attached that just in case. It's come up every time I've rebooted today.

Should I remove HijackThis & the other packages as well? Thanks.


----------



## Cookiegal (Aug 27, 2003)

OK, thanks for that. It's probably unable to display the name correctly for some reason. Are there any error messages in the Event Viewer that correspond to around the time you got that error message under either Application or System?


----------



## Catherine-N (Sep 12, 2012)

There's an error and a warning - I've pasted them below:

Error:
The IP address lease 192.168.1.11 for the Network Card with network address 001B2F733B47 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

and Warning:
The server could not bind to the transport \Device\NetBT_Tcpip_{E5845F11-365B-433F-BB6D-550870630CDB}.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Cookiegal (Aug 27, 2003)

I'm still thinking that this is related to that odd file we deleted since it seemed to have started around then. Let's try running SystemLook again with the following script to see if we can find anything with these in their names:


```
:filefind
ûü
¼½¾ 

:regfind
ûü
¼½¾
```
Also, I'd like to check a registry key so I'll need you to export it for me.

Go to *Start* - *Run* and copy and paste the following then click OK:


```
regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
```
You won't see anything happen and it will only take a second. You will find the report it creates at C:\look.txt. It will be very large so please upload it here as an attachment. If it's still too large as a text file then zip it up and attach the zipped file. To zip a file, right-click on it and then select "Send To" and then "Compressed (Zipped) Folder".


----------



## Catherine-N (Sep 12, 2012)

Ok - thanks.

Have attached the regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

and pasted system look report:

SystemLook 30.07.11 by jpshortstuff
Log created at 21:01 on 24/10/2012 by Administrator
Administrator - Elevation successful
========== filefind ==========
Searching for "ûü"
No files found.
Searching for "¼½¾ "
No files found.
========== regfind ==========
Searching for "ûü"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU]
"c"="C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ"
[HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU]
"c"="C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ"
Searching for "¼½¾"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU]
"c"="C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ"
[HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU]
"c"="C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ"
-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

Catherine-N said:


> There's an error and a warning - I've pasted them below:
> 
> Error:
> The IP address lease 192.168.1.11 for the Network Card with network address 001B2F733B47 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
> ...


Sorry for the delay. I had my eyes dilated today for an exam and still can't see 100% clearly.

Would you please open that error and warning and post them?

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## Catherine-N (Sep 12, 2012)

Not a problem at all - hope the tests turned out ok

Here's the text from notepad - thanks:

Event Type: Warning
Event Source: Server
Event Category: None
Event ID: 2504
Date: 24/10/2012
Time: 15:01:30
User: N/A
Computer: CATHERIN-ZGE1ZI
Description:
The server could not bind to the transport \Device\NetBT_Tcpip_{E5845F11-365B-433F-BB6D-550870630CDB}.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: aa 05 00 00 ª...

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 24/10/2012
Time: 15:01:16
User: N/A
Computer: CATHERIN-ZGE1ZI
Description:
The IP address lease 192.168.1.11 for the Network Card with network address 001B2F733B47 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Cookiegal (Aug 27, 2003)

I assume you're not having any connection issues. How do you connect to the Internet, wirelessly or wired?


----------



## Catherine-N (Sep 12, 2012)

Wireless. I quite often have to go thru that whole diagnostic stuff because it says limited connectivity when i first load the internet but it's ok after that.


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Run* - type in cmd and click OK to open a command prompt:

Type the following command (be sure to include the space between the g and the /):

*Ipconfig /all*

Hit Enter.

Right click in the command window and choose Select All, then hit Enter. Paste the results in a message here please.


----------



## Catherine-N (Sep 12, 2012)

Ok thanks. I did it twice. First time - turned out the internet had limited connectivity when I logged on to a page. So did it second time when internet was connected - just to check & they had slightly different entries - so pasted both below:

1. Version before internet properly connected

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI>Ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : catherin-zge1zi
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connect
ion
Physical Address. . . . . . . . . : 00-08-74-F9-F6-63
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NETGEAR WG111v2 54Mbps Wireless USB
2.0 Adapter
Physical Address. . . . . . . . . : 00-1B-2F-73-3B-47
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 255.255.255.255
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI>

and second time once connection restored:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI>Ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : catherin-zge1zi
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : SE572
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connect
ion
Physical Address. . . . . . . . . : 00-08-74-F9-F6-63
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . : SE572
Description . . . . . . . . . . . : NETGEAR WG111v2 54Mbps Wireless USB
2.0 Adapter
Physical Address. . . . . . . . . : 00-1B-2F-73-3B-47
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : 27 October 2012 13:27:55
Lease Expires . . . . . . . . . . : 31 October 2012 13:27:55
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI>


----------



## TerryNet (Mar 23, 2005)

Does your router tend to get turned off at night or reset or power cycled frequently? If so that is probably what is causing those Dhcp errors--the computer thinks it still owns the lease on an IP address and the router thinks differently and sends the deny. Windows 7 will simply shrug and try for a new IP, but XP waits for you to do something.

Regardless of the cause I suggest that you will encounter the error much less frequently with no loss of any functionality if you change the Dhcp lease period on the router to something shorter than four days; I suggest three hours ('cause that's what I'm using now).


----------



## Cookiegal (Aug 27, 2003)

Let's check the NetGear driver. Please run SystemLook using this script and post the report:


```
:filefind
*wg111v2*
```


----------



## Catherine-N (Sep 12, 2012)

Re - dhcp setting - thanks Terry - have just had a quick google and it seems easy enough to do so will try that out.

Re - system look, thanks Cookiegal- have to go out this morn but will do when i get back this afternoon


----------



## Cookiegal (Aug 27, 2003)

That's fine.


----------



## Catherine-N (Sep 12, 2012)

Ok just to say that DHCP setting Terry said about - the site I googled earlier was just to configure Windows XP to use DHCP - so was no good & when I googled around it seemed like conflicting responses - like one saying your server provider had to set it for you & another saying administrative tools - but couldn't see that on the start menu. Anyway - it probably is because I switch the router off - I switch everything off when I'm not using it to save money....

On to the system look - here's the text:

SystemLook 30.07.11 by jpshortstuff
Log created at 14:37 on 28/10/2012 by Administrator
Administrator - Elevation successful
========== filefind ==========
Searching for "*wg111v2*"
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\wg111v2_3_4_0.zip --a--c- 6251583 bytes [16:23 09/08/2009] [16:23 09/08/2009] 15A5A3F5C296C8B0C393AD5CCD71AAB4
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\NETGEAR WG111v2 Smart Wizard\NETGEAR WG111v2 Smart Wizard.lnk --a--c- 780 bytes [12:58 13/10/2007] [12:58 13/10/2007] 634B057EB45BED877A2E67839D9A7044
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\NETGEAR WG111v2 Smart Wizard\Uninstall NETGEAR WG111v2 Software.lnk --a--c- 2038 bytes [12:58 13/10/2007] [12:58 13/10/2007] F93154B2FE3044254BB231460A24115C
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe --a--c- 2297856 bytes [15:05 17/05/2006] [15:05 17/05/2006] 406D48F47093FBC7A3205CF1CA97E996
C:\Program Files\NETGEAR\WG111v2\wg111v2.sys -----c- 167808 bytes [12:58 13/10/2007] [16:53 27/03/2006] 691DB86B09E13CA5D3E8881141738CC5
C:\Program Files\NETGEAR\WG111v2\Driver\Win2KXP\wg111v2.sys --a--c- 167808 bytes [16:53 27/03/2006] [16:53 27/03/2006] 691DB86B09E13CA5D3E8881141738CC5
C:\WINDOWS\system32\drivers\wg111v2.sys --a--c- 167808 bytes [16:53 27/03/2006] [16:53 27/03/2006] 691DB86B09E13CA5D3E8881141738CC5
Searching for " "
No files found.
-= EOF =-


----------
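SystemLook's filefind lines carry the path, attribute flags, size, two timestamps and an MD5, so a report like the one above can be checked mechanically rather than by eye: the copy Windows actually loads (the one under system32\drivers) should hash the same as the vendor's package copy. The Python below is an added example, not code from the thread or from SystemLook. It reuses the file lines from the report above as its sample input; the function names and the consistency rule are mine.

```python
r"""Parse the 'filefind' section of a SystemLook report and compare the copies
of a driver found on disk by MD5.

Added example. SAMPLE_REPORT reproduces the file lines from the thread's report;
the parsing and the check are not part of SystemLook.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 14:37 on 28/10/2012 by Administrator
Administrator - Elevation successful
========== filefind ==========
Searching for "*wg111v2*"
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\wg111v2_3_4_0.zip --a--c- 6251583 bytes [16:23 09/08/2009] [16:23 09/08/2009] 15A5A3F5C296C8B0C393AD5CCD71AAB4
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe --a--c- 2297856 bytes [15:05 17/05/2006] [15:05 17/05/2006] 406D48F47093FBC7A3205CF1CA97E996
C:\Program Files\NETGEAR\WG111v2\wg111v2.sys -----c- 167808 bytes [12:58 13/10/2007] [16:53 27/03/2006] 691DB86B09E13CA5D3E8881141738CC5
C:\Program Files\NETGEAR\WG111v2\Driver\Win2KXP\wg111v2.sys --a--c- 167808 bytes [16:53 27/03/2006] [16:53 27/03/2006] 691DB86B09E13CA5D3E8881141738CC5
C:\WINDOWS\system32\drivers\wg111v2.sys --a--c- 167808 bytes [16:53 27/03/2006] [16:53 27/03/2006] 691DB86B09E13CA5D3E8881141738CC5
Searching for " "
No files found.
-= EOF =-
"""

# <path> <7 attribute flags> <size> bytes [<timestamp>] [<timestamp>] <MD5>
# (the two bracketed fields are the creation and last-write stamps, in the
# order SystemLook prints them; they are kept verbatim here)
FILE_LINE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<ts1>[^\]]+)\] \[(?P<ts2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(report: str) -> list:
    """One dict per file line inside the filefind section; other sections are ignored."""
    entries, in_section = [], False
    for line in report.splitlines():
        if line.startswith("========== "):
            in_section = line.strip("= ") == "filefind"
            continue
        if not in_section:
            continue
        m = FILE_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def copies_by_name(entries: list) -> dict:
    """Group entries by bare file name (case-insensitive)."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    return groups


def check_driver_copies(entries: list, filename: str) -> dict:
    """Compare the copy Windows loads (system32\\drivers) with every other copy on disk."""
    copies = copies_by_name(entries)[filename.lower()]
    loaded = [e for e in copies if "\\system32\\drivers\\" in e["path"].lower()]
    if not loaded:
        return {"status": "not installed", "copies": len(copies)}
    reference = loaded[0]["md5"]
    mismatched = [e["path"] for e in copies if e["md5"] != reference]
    return {
        "status": "consistent" if not mismatched else "mismatch",
        "loaded_md5": reference,
        "copies": len(copies),
        "mismatched": mismatched,
    }
```

For the report above all three `wg111v2.sys` copies carry the same MD5, so the loaded driver matches the package it was installed from; a differing hash in `system32\drivers` is what would have called for a closer look at that one file.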



## Cookiegal (Aug 27, 2003)

The file is an older version of the driver but it's not infected. Sometimes it's not worth updating drivers as that can cause more problems. We may have to reinstall tcpip but first let's try running these commands.

Go to *Start* - *Run* - type in *cmd* and click OK.

At the command prompt type in:

*netsh winsock reset catalog*

Press enter.

then type in:

*netsh int ip reset resetlog.txt*

Press enter.

You will need to reboot afterwards.

Let us know if you see any difference after doing the above please.


----------



## Catherine-N (Sep 12, 2012)

Wow, yes - definitely noticed a difference...rebooted and normally - even if I get a connection first time, it takes a while to do - internet connection came up within seconds. I can't remember it ever connecting so quickly....thanks for that!


----------



## Cookiegal (Aug 27, 2003)

That's great. What I'd like you to do is try a few reboots and connections to see if that wasn't a one-time fluke. After doing that, please check the Event Viewer as I'd like to see if the following warning and error are still happening:


```
Event Type: Warning
Event Source: Server
Event Category: None
Event ID: 2504
Date: 24/10/2012
Time: 15:01:30
User: N/A
Computer: CATHERIN-ZGE1ZI
Description:
The server could not bind to the transport \Device\NetBT_Tcpip_{E5845F11-365B-433F-BB6D-550870630CDB}.

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 24/10/2012
Time: 15:01:16
User: N/A
Computer: CATHERIN-ZGE1ZI
Description:
The IP address lease 192.168.1.11 for the Network Card with network address 001B2F733B47 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
```
Also, by chance does this eliminate that error you were getting on shutdown with all the zeros? That may be wishful thinking but one can hope.


----------



## TerryNet (Mar 23, 2005)

The error is going to happen tomorrow after you've put everything to sleep tonight. 

Type 192.168.1.1 into your browser's address bar and log in to the router. Every brand of router uses slightly different terminology but there should be a LAN section and part of that should include the Dhcp server. That's where you can set the lease time. I've shown mine, but it is an old ultra-simple router so don't be surprised if yours is a little harder to find. If you have a brand name router you can find its user guide online at the manufacturer's web site.


----------



## Catherine-N (Sep 12, 2012)

Afraid to say...It must've been a fluke as first time I rebooted it came up with the limited / no connectivity.

Checked the event logs. Those ones you listed weren't there - have pasted the 2 warnings that were there (have also at the end pasted one from the 13th October - an error that was in Application - there were 3 - the one I've pasted has zeros and little squares & says application hang and so thought that could be the shutdown warning. The hang address it shows as hang address 0x00000000.
After the full stop there are what look like little squares (with faint side lines & heavy top & bottom lines) in Notepad - but it won't paste here for some reason - pastes as blank. Btw - it hasn't appeared today - nor yesterday...

in the Application section - this Warning

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 63
Date: 28/10/2012
Time: 17:01:07
User: CATHERIN-ZGE1ZI\Administrator
Computer: CATHERIN-ZGE1ZI
Description:
A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

In System section - the following Warning:

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1007
Date: 28/10/2012
Time: 17:00:28
User: N/A
Computer: CATHERIN-ZGE1ZI
Description:
Your computer has automatically configured the IP address for the Network Card with network address 001B2F733B47. The IP address being used is 169.254.86.88.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

Application error from the 13th October:

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 13/10/2012
Time: 18:44:54
User: N/A
Computer: CATHERIN-ZGE1ZI
Description:
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 38 re.exe 8
0020: 2e 30 2e 36 30 30 31 2e .0.6001.
0028: 31 38 37 30 32 20 69 6e 18702 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000


----------

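Added example (not a tool from this thread): a small Python parser for the Event Viewer text export pasted above. It splits the export into records, decodes the "Data:" hex dump back into bytes, and flags the events under discussion: Dhcp event 1007 with a 169.254.x.x address means the card fell back to a self-assigned APIPA address because no DHCP lease was obtained, WinMgmt event 63 is the WMI provider warning that Microsoft's KB891642 (cited later in the thread) describes as by design, and the Application Hang record's dump is just its summary as plain ASCII. The four 00 bytes in the DHCP record are non-printable NUL bytes, which the export shows as dots. The sample text is a constructed, trimmed copy of the three pasted records; the 8-bytes-per-line dump layout and the single-space column separator are assumptions, not stated on the page.

```python
"""Parse the Windows XP Event Viewer text export format seen in this thread
and flag the records discussed.  Added example, not a tool from the thread.
Assumed (not stated on the page): each record starts with "Event Type:", a
"Data:" dump holds at most 8 bytes per line, and the hex and ASCII columns
are separated by at least one space."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the three records pasted in the thread, minus the
# Date/Time/User/Computer lines and the "For more information" footer.
SAMPLE = """\
Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 63
Description:
A provider, OffProv11, has been registered in the WMI namespace, Root\\MSAPPS11, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1007
Description:
Your computer has automatically configured the IP address for the Network Card with network address 001B2F733B47. The IP address being used is 169.254.86.88.
Data:
0000: 00 00 00 00 ....

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Description:
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 38 re.exe 8
0020: 2e 30 2e 36 30 30 31 2e .0.6001.
0028: 31 38 37 30 32 20 69 6e 18702 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")      # link-local, self-assigned
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{4}:\s*(.*)$")  # "0000: 41 70 ... Applicat"


@dataclass
class EventRecord:
    fields: dict       # header lines, e.g. {"Event Source": "Dhcp", ...}
    description: str   # free text between "Description:" and "Data:"
    data: bytes        # decoded "Data:" dump, b"" when there is none


def _hex_bytes(rest):
    """Decode one dump line: consume 2-hex-digit tokens until the ASCII
    column begins or 8 bytes have been read (the export prints 8 per line)."""
    out = bytearray()
    for tok in rest.split():
        if len(out) == 8 or not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            break
        out.append(int(tok, 16))
    return bytes(out)


def parse_events(text):
    """Split an export into EventRecord objects, one per "Event Type:" block."""
    records = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.startswith("Event Type:"):
            continue                      # stray text before the first record
        fields, desc, data, section = {}, [], bytearray(), "header"
        for line in chunk.splitlines():
            line = line.rstrip()
            if line == "Description:":
                section = "desc"
            elif line == "Data:":
                section = "data"
            elif section == "header" and ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
            elif section == "desc" and line:
                desc.append(line)
            elif section == "data" and (m := HEX_LINE.match(line)):
                data += _hex_bytes(m.group(1))
        records.append(EventRecord(fields, " ".join(desc), bytes(data)))
    return records


def assess(rec):
    """One-line verdict for the event kinds discussed in the thread, else None."""
    source, event_id = rec.fields.get("Event Source"), rec.fields.get("Event ID")
    if source == "Dhcp" and event_id == "1007":
        m = re.search(r"IP address being used is (\d+(?:\.\d+){3})", rec.description)
        if m and ipaddress.ip_address(m.group(1)) in APIPA:
            return f"no DHCP lease obtained; NIC self-assigned APIPA address {m.group(1)}"
    if source == "WinMgmt" and event_id == "63":
        return "WMI provider registered as LocalSystem; by design per KB891642"
    if source == "Application Hang" and event_id == "1002":
        # the dump is the hang summary as plain ASCII, nothing hidden in it
        return "hang record, Data decodes to: " + rec.data.decode("ascii", "replace")
    return None
```

Run `for r in parse_events(SAMPLE): print(assess(r))` against the sample, or paste a larger export (a full Event Viewer "Save As" text file uses the same layout) in place of `SAMPLE`. The byte-token rule in `_hex_bytes` stops at the first token that is not exactly two hex digits, so a short dump line whose ASCII column happens to start with two hex-looking characters would be over-read by one byte; the 8-byte cap keeps full lines exact.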


## Cookiegal (Aug 27, 2003)

Terry, why does the lease matter? Mine is 3 days and I don't have this problem.


----------



## TerryNet (Mar 23, 2005)

I cannot guarantee it, but what I think is happening is that when she boots the computer in the morning it notifies the router "I'm back and continuing with that IP you gave me." But the router's tables were reset (when it was unplugged) and so it replies, "Not so fast there; I have no record of giving you any IP." But it wouldn't be causing the problem she just got. Even if that is not the problem, or not the entire problem, shortening the lease will hurt nothing.

Making sure of having the latest driver from Netgear, and reinstalling it if the latest is already installed, is a good thing to do. I believe you started down that path with Catherine.


----------



## Cookiegal (Aug 27, 2003)

Thanks Terry. How about resetting the modem?


----------



## Cookiegal (Aug 27, 2003)

Catherine,

Go to the following page at the Netgear web site:

http://downloadcenter.netgear.com/en/default.aspx

Beside "Enter a Product Name/Model Number" copy and paste the following:

*WG111v2*

Also put a check mark in the box that says "Firmware/Software" then click on the button that says "Product Drilldown".

Under "Select Product Category" choose "Adapters".

Under "Select Product Family" choose "Wireless Adapters".

Under "Select Product" choose "WG111v2".

Then download and install "Software Version 4.0.0 for Windows".


----------



## TerryNet (Mar 23, 2005)

Cookiegal said:


> Thanks Terry. How about resetting the modem?


For what I've been squawking about? Should make no difference.


----------



## Cookiegal (Aug 27, 2003)

LOL! Feel free to squawk anytime.


----------



## Cookiegal (Aug 27, 2003)

Catherine,

The warning that says "A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, to use the LocalSystem account" is inconsequential and by design as per this MS article, so nothing to worry about:

http://support.microsoft.com/kb/891642


----------



## Catherine-N (Sep 12, 2012)

Ok - thanks. I was a bit worried about that because it was saying about root.

Re: the 168 business Terry said about - I did that and the lease was on "never expire". 3 hours wasn't an option, so I chose 2 hours.

Did the Netgear update. Had a kerfuffle with it saying Netgear was controlling the connection and Windows couldn't connect, but clicked around and found a tick box to let Windows manage it and now everything seems to be up and running - and I have a new icon which is a green machine indicating the Netgear thing.

Thanks so much for your help both - do you think I'm virus free now and ok to carry on removing the applications we used? (It's Homelands just starting now so going to go watch that for rest of eve.)


----------



## Cookiegal (Aug 27, 2003)

The infection should be gone now but I wanted to see if we could clear up these problems.

Please try it out for a day or two and report back how things are with the Internet connection, Event Viewer messages and that shutdown thing (if you get it again).


----------



## Catherine-N (Sep 12, 2012)

Ok great - thank you. Will report back in a few days!


----------



## Cookiegal (Aug 27, 2003)

Sounds good. We'll wait until then to remove the tools we've used.


----------



## Catherine-N (Sep 12, 2012)

Hi Cookiegal - think we're ok to clean up.

Seems like everything's working fine - in fact better than before I even had the virus!

Thanks so much again for your (and Terry's) help. Much appreciated.

Catherine


----------



## Cookiegal (Aug 27, 2003)

That's great! 

Here are some final instructions for you.

As with any infection, I recommend that you change all passwords for logging into sites that you use on your computer as a precaution.

Please open OTS again and click on the button that says "CleanUp" at the top. This will remove some of the tools we've used and will also uninstall the OTS program.

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *ComboFix /uninstall* in the runbox and click *OK*. Note the *space* between the *X* and the */uninstall*, it needs to be there (the screenshot is just for illustration purposes but the actual command uses the entire word "uninstall" and not just the "u" as shown in the picture).

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.


----------



## Catherine-N (Sep 12, 2012)

Hi Cookiegal, sorry for the delay. The removal of ComboFix & the resetting of network restore we had done when we started to remove everything last time.

HijackThis / system lookup and aswMBR are still on the desktop though. Thanks, Catherine.


----------



## Cookiegal (Aug 27, 2003)

OK, thanks. Those three can just be dragged to the Recycle Bin.


----------



## Catherine-N (Sep 12, 2012)

Ok - done. I've marked this solved as assume that's what I'm supposed to do.

Thanks again for all your help & have a great rest of the year! Catherine.


----------



## Cookiegal (Aug 27, 2003)

Yes, thanks for marking it solved. It was a pleasure working with you.


----------

