# Backup questions



## Justletmepost (Mar 11, 2012)

Sorry if this is in the wrong subforum, I wasn't sure.

Right now I'm looking into making a complete backup of my HDD before I start trying to sort out a virus (which I'll be posting about once this is done). 

The virus'd computer can't connect to the internet and thus may have trouble installing the imaging software I need, so I was thinking of doing this by way of another computer and a pair of usb drive enclosures, for the virus'd drive and the backup drive. Am I correct in thinking that (with autoplay disabled) the virus couldn't contaminate the other computer running the imaging software?


----------



## Justletmepost (Mar 11, 2012)

Forgot this in the original post: 
If I use imaging software to "clone" an hdd, then I assume that means the original drive could be physically replaced with the backup drive, rather than needing to run software to "restore" the backup?


----------



## Justletmepost (Mar 11, 2012)

bump


----------



## eddie5659 (Mar 19, 2001)

Hiya and welcome to Tech Support Guy 

The only problem with cloning the drive, is that the virus will also be cloned, so you wouldn't be able to use it safely.

However, do you know which virus you have? Are there any alerts from your virus scanner?

Can you run the tools in this thread:

http://forums.techguy.org/virus-other-malware-removal/943214-everyone-must-read-before-posting.html

And then post the following:

1. *Copy and paste* the HijackThis log.
2. *Copy and paste* the contents of the DDS.txt file.
3. *Upload as an attachment* the Attach.txt file. *There is no need to zip it as suggested in the DDS instructions* 
4. *Copy and paste* the contents of the ark.txt file.

Regards

eddie


----------



## Justletmepost (Mar 11, 2012)

Originally I was going to post the logs in a new topic, as this one was questions about hard drive backups (which...haven't really been answered) rather than about the virus, but okay. Someone's lent me a computer they were about to reformat anyway, so I did all the backing up via that and I can reformat it when I'm done with all this.

Now, the full story. (textwall warning!)
I was infected when the casual gaming site Jayisgames was compromised last week. Given that other people exposed to the same thing have mentioned totally different symptoms from mine, and that the symptoms I have seem unlikely to be caused by a single virus, I suspect that the Jayisgames virus was a trojan or something that downloads other viruses.

The first symptom was the appearance of "Smart Fortress 2012", one of those fake anti-malwares that prevents you from running any other programs and tries to get you to buy the "full version". The really alarming thing about this one was that it got itself to autostart even in Safe Mode, which I didn't think was even possible. In the end, through my googling I found a site that mentioned a 'full version code' which had been used in previous versions of Smart Fortress. I tried it and it worked, tricking it into thinking I'd bought it, and then I was able to run my antivirus: Bullguard.

It caught a bunch of things and fixed or quarantined them, except for a running process that it couldn't fix - unprecedentedly, it told me to submit my log to Bullguard Support for instructions.
I did, and they just told me to boot in safe mode and manually delete the process mentioned in the log: mswsock.dll

But some googling told me that although there's a virus with this name, it's also the name of a vital Windows process, and my instance of it was in the location that the real process is found (windows\system32\mswsock.dll). After continued correspondence with Bullguard support just resulted in continued unhelpful automated responses (I've since learned they also have a live chat support, which may have been more useful, but if I tried it now I'm sure they'd just tell me this is all my own fault for uninstalling =_=), I uninstalled Bullguard, downloaded AVG, ran that. Didn't help. Uninstalled that, downloaded Avast, ran boot scan. It was a bit overzealous, turning up several things I know for a fact aren't viruses. I left the things I wasn't sure about alone, deleted the things that looked overly suspicious (mainly two files with very long randomized-looking names). Uninstalled Avast...can't remember why.

Upon restarting, new problems appeared. Internet connection completely broken (browsers, instant messengers, nothing, as if the ethernet cable was unplugged - which it now is), desktop image randomly changed to a basic blue screen, left half of start menu was completely blank, and every folder on HDD turned "hidden". Oh, and my keyboard mappings for " and @ have switched round. I initially thought I must have accidentally deleted some important system files despite my caution, but after google revealing that the hidden folders thing can be caused by a virus, it seems likely I have more infections. Besides, I STILL have Smart Fortress 2012. Although it doesn't seem to be doing anything anymore, and its icon in the start menu 'all programs' list has changed to a generic executable icon, it's still THERE in the start menu...on closer inspection as I type this, it has an Uninstall option that wasn't there before I entered that purchase code. It doesn't seem likely that a virus would consent to being removed, though, so I'm not touching it for now.

Before I realized the lack of internet is probably due to infection, I acquired and ran winsockpfix. Didn't help.
At some point after this I did...something...that involved attempting to backup my registry with ERDNT, which is why my dds log mentions a "aaaaaaREGBACKUP_ERONT" (I misread ERDNT at the time) - I deliberately created it for this purpose, although I can't remember why >_>.
I also tried to use System Restore, which was a total failure. I can restore just fine to points made AFTER the avast scan, so one or more of the restore files must have been deleted, either by the virus or by one of the antivirus...es. Joy.

At wit's end, found this forum. Eventually managed to make full backup of HDD, then acquired and ran Hijackthis, DDS and GMER. Hijackthis and DDS were fine, but I can't get GMER to run successfully (yes, I have IAT/EAT unchecked, and no, I don't touch the mouse during the scan). The first time (not in safe mode) it seemed to finish the scan, but when I tried to save the gmer log, it said "insufficient system resources" and "cannot access My Documents"; also, I couldn't open any folders or run any programs (not even task manager!) and the tooltip for all folders on the desktop read "folder is empty"...and shortly afterwards, I got a BlueScreen, citing BAD_POOL_CALLER. The second time (in safe mode), didn't even get that far - it bluescreened during the scan, this time with DRIVER_IRQL_NOT_LESS_OR_EQUAL.
The third time (in safe mode and logged in as admin) it did this again - I wasn't near the computer that time, so I don't know what the error was.

I should also probably mention that this computer has an...unusual history. After my previous computer's motherboard died, I tried to avoid having to reinstall all my programs by doing a partial Registry Hive transplant. This was unexpectedly successful, so I stuck with it. So if anything about my registry seems particularly baffling, that may be why.

If you guys can fix this for me, I shall shower you with adoration forever. Or not, whatever's the better incentive. Here follow the logs.

=============================================
*HIJACK THIS LOG*
=============================================
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:22:26 PM, on 3/15/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Documents and Settings\Finn\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1169214453\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\IMJP81K.DLL
O9 - Extra button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\WINDOWS\system32\IMJP81K.DLL
O9 - Extra 'Tools' menuitem: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\WINDOWS\system32\IMJP81K.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1231200248818
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v6.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apache - Apache Software Foundation - C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\apache.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: BGRaSvc - Unknown owner - C:\Program Files\BullGuard Software\BullGuard\support\bgrasvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: RosettaStoneDaemon - Rosetta Stone Ltd. - C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 12504 bytes

=================================================
*DDS LOG*
=================================================
.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by Finn at 15:23:36 on 2012-03-15
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
C:\WINDOWS\System32\dllhost.exe
C:\Documents and Settings\Finn\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Finn\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
mStart Page = about:blank
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
mSearchAssistant = hxxp://www.google.com/ie
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [<NO NAME>] 
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [HostManager] c:\program files\common files\aol\1169214453\ee\AOLSoftware.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [Motive SmartBridge] c:\progra~1\bthome~1\help\smartb~1\BTHelpNotifier.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CHotkey] zHotkey.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: Microsoft XML Parser for Java
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231200248818
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} - hxxp://cdn1.acclaimdownloads.com/solidstateion.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\finn\application data\mozilla\firefox\profiles\47edvphp.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.hyrulianwar.com/
FF - component: c:\documents and settings\finn\application data\mozilla\firefox\profiles\47edvphp.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\finn\application data\mozilla\firefox\profiles\47edvphp.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Adobe DLM (powered by getPlus(R)): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
FF - Ext: Tabloc: {60520222-6bbf-45dd-b547-3641ea9cd9cb} - %profile%\extensions\{60520222-6bbf-45dd-b547-3641ea9cd9cb}
FF - Ext: Google Wave Add-on for Firefox: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - %profile%\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Adblock Plus Pop-up Addon: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R? BGRaSvc;BGRaSvc
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? McrdSvc;Media Center Extender Service
R? mple7docserver;Maya 7 PLE Documentation Server
R? msvsmon80;Visual Studio 2005 Remote Debugger
R? StarWindService;StarWind iSCSI Service
S? ASKService;ASKService
S? ASKUpgrade;ASKUpgrade
S? HWiNFO32;HWiNFO32 Kernel Driver
S? RapportCerberus_34302;RapportCerberus_34302
S? RapportEI;RapportEI
S? RapportIaso;RapportIaso
S? RapportKELL;RapportKELL
S? RapportMgmtService;Rapport Management Service
S? RapportPG;RapportPG
S? RosettaStoneDaemon;RosettaStoneDaemon
.
=============== Created Last 30 ================
.
2012-03-09 17:41:08 -------- d-----w- C:\aaaaaaREGBACKUP_ERONT
2012-03-09 17:27:30 -------- d-----w- C:\zzzwinsockfix
2012-03-09 17:16:47 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-03-09 17:16:47 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-08 23:20:00 -------- d-----w- c:\program files\AVAST Software
2012-03-08 23:20:00 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-03-08 22:15:05 -------- d-----w- c:\documents and settings\finn\application data\AVG2012
2012-03-08 22:13:55 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-03-08 22:13:19 -------- d-----w- c:\program files\AVG
2012-03-08 22:03:32 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-03-08 22:02:17 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-03-07 20:37:36 -------- d-----w- c:\documents and settings\finn\application data\Qerayw
2012-03-07 20:37:27 -------- d-----w- c:\documents and settings\finn\application data\Tuyzynv
2012-03-07 20:37:27 -------- d-----w- c:\documents and settings\all users\application data\F4D55F17000073230120E1C3D151FC4E
2012-02-25 11:30:59 -------- d-----w- c:\documents and settings\finn\lmms
2012-02-25 11:29:22 -------- d-----w- c:\program files\LMMS
.
==================== Find3M ====================
.
2012-01-25 10:16:44 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2006-05-03 11:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-06 23:00:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
============= FINISH: 15:24:32.84 ===============


----------



## eddie5659 (Mar 19, 2001)

Hiya

The reason why I was concerned for virus removal was making sure that it was all gone, as sometimes when you create an image, the virus will also be created in the image. This means that when you remove it off one drive, you'll have to do the same for the backup.

As for the virus/malware, let's see if we can get it all gone, and your computer back to how it was 

So, let's begin...

Firstly, can you uninstall these via Add/Remove Programs or Start | Programs:

*Viewpoint Media Player*
*DAEMON Tools Toolbar*

--

Also, your Java is out of date, so let's get that sorted before we start:

Please download *JavaRa* to your desktop and unzip it to its own folder 

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions. 
Accept any prompts. 
Now, go *here* and download the latest Java Version.

For the remains of the Java, can you do this:

Open Java in the Control Panel and under the General tab, under Temporary Internet Files, click the Settings button. Then click on Delete Files.

Make sure both of these options are checked:


Applications and Applets
Trace and Log Files
OK out of all the screens. 

------

Download ComboFix from one of these locations:

*Link 1*
*Link 2*

** IMPORTANT !!! As you download it rename it to username123.exe and save it to your Desktop *


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt* in your next reply.

eddie


----------
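The backup step discussed above, as an added example that is not part of either post: the clone of an infected disk is itself infected, as eddie says, so the practitioner's version of "image it from another computer" is to copy it with dd from the clean helper machine, verify the image by hash, and never boot it or mount it with execution allowed. This assumes a Linux host or live CD with coreutils rather than the Windows imaging software the thread has in mind; the device name /dev/sdb is an assumption, and the function accepts any file as SOURCE so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): image a drive from the clean helper
# machine with dd and verify the copy by hash. Assumes Linux + coreutils;
# /dev/sdb is an assumed device name, any regular file also works as SOURCE.
set -eu

image_drive() {
    # usage: image_drive SOURCE DEST_IMAGE   e.g. image_drive /dev/sdb infected.img
    src=$1; dst=$2
    # bs=512 keeps conv=sync from padding the end of a real disk (device sizes
    # are sector multiples); noerror skips unreadable sectors instead of aborting.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    dst_sum=$(sha256sum "$dst" | cut -d' ' -f1)
    # record the image hash so the copy can be re-verified before any restore
    printf '%s  %s\n' "$dst_sum" "$dst" > "$dst.sha256"
    # non-zero exit (caller sees failure) if the image is not a faithful copy
    [ "$src_sum" = "$dst_sum" ]
}

# If the image has to be inspected, mount it read-only and noexec so nothing
# on the infected filesystem can run; OFFSET is the NTFS partition start in
# bytes, taken from `fdisk -l infected.img` (assumed layout):
#   mount -o ro,noexec,nosuid,nodev,loop,offset=$OFFSET infected.img /mnt/infected
```

A mismatch between the two hashes usually means unreadable sectors were zero-filled by conv=sync; the image is still usable for file recovery, but the mismatch should be recorded with it rather than ignored.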



## Justletmepost (Mar 11, 2012)

Oh, if this all works I'll just be reformatting the backup drive. Simple. The backup is just in case I somehow make things even worse while doing this.

Anyway, depressingly basic problem.

Uninstalled VMP and Daemon successfully.
Ran JavaRa, no problems.

But when I try to run the offline Java installer, its progress bar gets most of the way there and then produces an error: 
"Error 1330: A file that is required cannot be installed because the cabinet file C:\Documents and Settings\Finn\Application Data\Sun\Java\...Data1.cab has an invalid digital signature. This may indicate that the cabinet file is corrupt."

Unless I run it in safe mode. Then it fails immediately with a different error, even if I'm logged in as admin:
"The system administrator has set policies to prevent this installation"

Oh, and despite JavaRa 'removing' java, the java icon is still present in the Control Panel - it just gives me an error message when I click it.

Any ideas on how to get around this?

Meanwhile: Should I avoid running programs on the infected computer? Could they become 'infected' as a result? Or can I go ahead and actually get some stuff done?


----------



## eddie5659 (Mar 19, 2001)

With regards to using the computer, it's up to you. I think most people are okay, just don't do any banking related things, just in case 

Okay, let's have a look at that Java problem. First, although you have used the JavaRa tool, uninstalling via Add/Remove Programs may work.

So, go to Control Panel | Add/Remove Programs, and uninstall these:

*J2SE Runtime Environment 5.0 Update 2*
*Java(TM) 6 Update 26*

Then, try the installer below (delete the copy of the one you already have, in case it's corrupt)

http://www.java.com/winoffline_installer/

And let me know how that goes


----------



## Justletmepost (Mar 11, 2012)

No joy.

When I tried to uninstall *J2SE Runtime Environment 5.0 Update 2*, I got this error window:
"The feature you are trying to use is on a network resource that is unavailable

Click OK to try again, or enter an alternate path to a folder containing the installation package 'J2SE Runtime Environment 5.0 Update 2.msi' in the box below."

The current path in the box is "C:\Documents and Settings\Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150020}\"

Trying it in Safe Mode logged in as admin just gives me a standard error message telling me I can't use the microsoft installer in safe mode.

*Java(TM) 6 Update 26* wasn't present on the Add/Remove list, but there was a similar JDK item, so I uninstalled that instead. It didn't occur to me to note down its name until afterwards, but I think it was "Java(TM) Development Kit 6 Update 2"

There's also a "Java Auto Updater" in the list, but that presents no Change or Remove buttons.

Redownloaded and retried the offline installer - same result as before.

*sits and waits*


----------



## eddie5659 (Mar 19, 2001)

Edit, links not working


----------



## eddie5659 (Mar 19, 2001)

Sorry about that, old speech has died since I last used it.

See if this works:

Uninstalling Programs Using Revo Uninstaller Free

--------------------

Revo Uninstaller is more thorough in deleting programs on your computer than using the Add/Remove option in Windows. Since it is a more powerful tool, please *be sure to follow the instructions carefully*.

Please note there is a chance when you look for this program to uninstall through Revo it might not be listed because of the previous uninstall. If that is the case simply stop and let me know.
Please download and install Revo Uninstaller Free 
Double click *Revo Uninstaller* to run it.
From the list of programs double click on the listed program(s), or anything similar, to remove it
*J2SE Runtime Environment 5.0 Update 2*
When prompted if you want to uninstall click *Yes*.
Be sure the *Moderate* option is selected then click *Next*.
The program will run, If prompted again click *Yes*
When the built-in uninstaller is finished click on *Next*
Once the program has searched for leftovers click *Next*.
Check the *items in bold only* on the list then click *Delete*. You may have to expand some folders by clicking the "+" mark.
When prompted click on *Yes* and then on *Next*.
Put a check on any folders that are found and select *Delete*
When prompted select *Yes* then *Next*
Once done click *Finish*.


----------



## Justletmepost (Mar 11, 2012)

Nope.

Ran Revo, after it ran the base uninstaller (and got the same "The feature you are trying to use is on a network resource that is unavailable", unsurprisingly), it came up with a bunch of bold registry entries. Deleted them. And that was that. But even after restarting, I still can't get the java offline installer to work: it gives the same Error 1330 as ever. 

Meanwhile, when I restarted the computer, I got a "Program Not Responding/End Now" prompt for something I've never heard of: MCI Command Handling Window.


----------



## eddie5659 (Mar 19, 2001)

Okay, lets see if installing Java whilst online works:

http://java.com/en/download/help/ie_online_install.xml

When the file download box appears, select Run, not save, and it should install.

As for the message on startup, that can be related to many things: multimedia, malware etc.

Can you also try running ComboFix as well, after the Java, as there may be something else causing the problems. Originally you said that you have a virus from Jayisgames, and other problems that sound virus related.

http://forums.techguy.org/8291001-post6.html

eddie


----------



## Justletmepost (Mar 11, 2012)

As I said before, the infected computer has been rendered unable to connect to the internet in any capacity - that's why I was using the offline installer.

And I haven't run ComboFix because I assumed the Java business was a prerequisite.

To be clear, when you say:

*IMPORTANT !!! As you download it rename it to username123.exe and save it to your Desktop *

seeing as it's so important, do you mean literally "username123.exe", or should I be replacing "username" with my username? So Finn123.exe in my case? Or does it not matter so long as I rename it to anything other than ComboFix.exe?


----------



## eddie5659 (Mar 19, 2001)

Ah, sorry about that. As its not connected to the internet yet, we can leave the Java until we get it back online.

You can save it as the name you suggested, Finn123.exe 

Yep, you're correct, as malware sees the name and stops it from running, which is why the renaming is done


----------



## Justletmepost (Mar 11, 2012)

Ran Combofix twice, with the same result both times.

-It asks to install windows recovery console, I say no. Because, y'know, no internet. (I later tried to install it manually from my XP disc, but I just get an error telling me it can't proceed because the version of windows on my computer is newer than the version on the disc)

-Just after "attempting to make a restore point", it says "CScript Error: Loading Your _Settings Failed_ <_Access_ is _denied_>'"

-It detects Rootkit.ZeroAccess, which has inserted itself into the tcp/ip stack. Hello, cause of internet problems!

-It tells me that it's found rootkits and needs to restart the computer. My computer restarts, and then...nothing. There's no C:\Combofix.txt file, and ComboFix takes no further action unless I run it again.
...however, I notice now that it's created a folder, C:\Finn123. (No, there's no C:\Finn123.txt either)
What next?


----------



## Justletmepost (Mar 11, 2012)

I noticed a new symptom today - the computer's sound drivers don't seem to be working - clicking on the slider in Volume Control results in a generic system beep (regardless of slider position) from the tower, rather than the usual sound from the speakers.

So I randomly tried logging in as admin in safe mode to see if it would make a difference to this - and combofix started up! I can't believe I forgot to try that. It restarted the machine again (with me going straight into safe mode/admin this time), and it deleted a bunch of files and folders. Here's the log.

ComboFix 12-03-18.04 - Administrator 03/21/2012 19:15:32.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1773 [GMT 0:00]
Running from: c:\documents and settings\Finn\Desktop\Finn123.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Finn\WINDOWS
C:\jau38uj.bin
c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\WINDOWS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2012-02-21 to 2012-03-21 )))))))))))))))))))))))))))))))
.
.
2012-03-18 23:40 . 2012-03-19 00:32 2617176 ----a-w- C:\revosetup.exe
2012-03-16 20:38 . 2012-03-16 20:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2012-03-09 20:54 . 2012-03-09 20:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-03-09 17:41 . 2012-03-09 17:46 -------- d-----w- C:\aaaaaaREGBACKUP_ERONT
2012-03-09 17:27 . 2012-03-09 17:39 -------- d-----w- C:\zzzwinsockfix
2012-03-09 17:16 . 2012-03-09 17:16 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-08 23:20 . 2012-03-09 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-08 23:20 . 2012-03-08 23:20 -------- d-----w- c:\program files\AVAST Software
2012-03-08 22:13 . 2012-03-08 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-03-08 22:13 . 2012-03-08 22:13 -------- d-----w- c:\program files\AVG
2012-03-08 22:03 . 2012-03-08 22:03 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-03-08 22:02 . 2012-03-08 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-03-07 20:37 . 2012-03-08 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E
2012-02-25 11:30 . 2012-02-25 12:15 -------- d-----w- c:\documents and settings\Finn\lmms
2012-02-25 11:29 . 2012-02-25 11:30 -------- d-----w- c:\program files\LMMS
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-25 10:16 . 2012-01-25 10:16 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-06 23:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 12:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-08 543232]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"HostManager"="c:\program files\Common Files\AOL\1169214453\ee\AOLSoftware.exe" [2006-05-24 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-06 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-06 138008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-11 421888]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CHotkey"="zHotkey.exe" [2004-12-08 550912]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Finn\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2009-1-5 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Finn^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\Finn\\Desktop\\eclipse-java-ganymede-SR1-win32\\eclipse\\eclipse.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\RosettaStoneVersion3.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone TOTALe\\RosettaStoneTOTALe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"57224:TCP"= 57224:TCP:Pando Media Booster
"57224:UDP"= 57224:UDP:Pando Media Booster
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"<NO NAME>"= 
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/4/2009 02:36 717296]
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [1/25/2012 10:16 56208]
S1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [12/15/2011 16:55 228208]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [1/25/2012 10:16 71440]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [1/25/2012 10:16 164112]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [12/30/2009 18:04 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [12/30/2009 18:04 234888]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 06:26 135664]
S2 HWiNFO32;HWiNFO32 Kernel Driver;c:\documents and settings\Finn\Desktop\hw32_236\HWiNFO32.sys [11/21/2008 09:48 16616]
S2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [1/2/2009 20:39 126976]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [1/25/2012 10:16 931640]
S2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [5/17/2010 13:45 1615176]
S3 BGRaSvc;BGRaSvc;"c:\program files\BullGuard Software\BullGuard\support\bgrasvc.exe" --> c:\program files\BullGuard Software\BullGuard\support\bgrasvc.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 06:26 135664]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [8/7/2011 12:43 21520]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 07:01 2799808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs REG_MULTI_SZ ???t eaphost
dot3svc REG_MULTI_SZ ???c dot3svc
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-01-02 12:42]
.
2012-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003Core.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2012-03-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003UA.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2011-02-08 c:\windows\Tasks\Reimage Reminder.job
- c:\program files\Reimage\Reimage Repair\ReimageReminder.exe [2011-02-03 13:09]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0sgtbcgg.default\
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
Notify-WgaLogon - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-21 19:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1420)
c:\windows\system32\WININET.dll
.
Completion time: 2012-03-21 19:41:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-21 19:41
.
Pre-Run: 9,947,312,128 bytes free
Post-Run: 11,421,810,688 bytes free
.
- - End Of File - - 459FB8B5F0A827884E096B9CC230793B


----------
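The ComboFix log posted above is what a responder reads by hand; as an added example (not ComboFix's code and not posted by anyone in the thread), the script below pulls out the three indicators worth flagging in it: Security Center override values set to 1 (Windows stops warning that antivirus, firewall or updates are off), firewall ports left globally open such as 3389/TCP, and system32 files carrying both the System and Hidden attributes, which legitimate DLLs there rarely do. SAMPLE_LOG is a constructed excerpt made of lines copied from the log above (the port lines as they would read before the forum's smiley filter mangled them) plus one all-zero dword as a negative case; the regexes assume the DDS/ComboFix line layouts as they appear in the thread.

```python
"""Triage helpers for DDS / ComboFix text logs (added example, not ComboFix code)."""
import re

# Constructed excerpt: lines copied from the ComboFix log posted in the thread,
# plus one all-zero dword ("AntiSpywareOverride", constructed) as a negative case.
SAMPLE_LOG = r"""
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2012-01-25 10:16 . 2012-01-25 10:16 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-03-08 22:03 . 2012-03-08 22:03 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"UpdatesDisableNotify"=dword:00000001
"AntiSpywareOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"<NO NAME>"=
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...] registry key header
DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')   # "Name"=dword:00000001
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
# 8-char attribute string (d,-,s,h,a,-,r|w,-) followed by a drive-letter path
FILE_RE = re.compile(r"\s([d-]-[s-][h-][a-]-[rw-]-)\s+([A-Za-z]:\\.*)$")


def security_center_overrides(lines):
    """Return {value_name: int} for non-zero dwords under the Security Center keys."""
    out, section = {}, ""
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = DWORD_RE.match(line)
        if m and "security center" in section:
            value = int(m.group(2), 16)
            if value:
                out[m.group(1)] = value
    return out


def open_firewall_ports(lines):
    """Return [(port, proto, name, enabled)] from the GloballyOpenPorts list.

    ComboFix prints disabled entries as PORT:PROTO:*:Disabled:NAME and drops
    the scope/status fields for enabled ones, so absence of 'Disabled' means enabled.
    """
    out, section = [], ""
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = PORT_RE.match(line)
        if m and "globallyopenports" in section:
            fields = m.group(3).split(":")
            enabled = "Disabled" not in fields
            name = ":".join(f for f in fields if f not in ("*", "Enabled", "Disabled")).strip()
            out.append((int(m.group(1)), m.group(2), name, enabled))
    return out


def hidden_system_files(lines, under=r"c:\windows\system32"):
    """Return paths under `under` whose attributes have both S(ystem) and H(idden) set."""
    out = []
    for line in lines:
        m = FILE_RE.search(line)
        if not m:
            continue
        attrs, path = m.group(1), m.group(2).strip()
        if "s" in attrs and "h" in attrs and path.lower().startswith(under):
            out.append(path)
    return out


def triage(text):
    """Run all three checks over a log and return the findings."""
    lines = [l.rstrip() for l in text.splitlines()]
    return {
        "security_center_overrides": security_center_overrides(lines),
        "enabled_open_ports": [p for p in open_firewall_ports(lines) if p[3]],
        "hidden_system_files": hidden_system_files(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the posted log this flags the five Security Center overrides, the open 3389/TCP (Remote Desktop) and 3724/TCP entries, and the four hidden+system DLLs in system32 (flvDX.dll, msfDX.dll, nbDX.dll, TAKDSDecoder.dll); none of that is proof of infection on its own, but each is something to hash, look up or reset before the machine goes back online.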



## eddie5659 (Mar 19, 2001)

Sorry about the lateness, I've been off work for the past 3 days sick, so I haven't really looked at the computer much 

I feel a bit better (off today as well), so I will try and get back to it all

-------------

Okay, for the Recovery Console, can you do this:

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to *Step 1*, and select the download that's appropriate for your Operating System. Download the file & save it under its original name.

*Note:If you have SP3, use the SP2 package.*

---------------------------------------------------------------------

*Transfer all files you just downloaded, to the desktop of the infected computer.*

--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Drag the setup package onto ComboFix.exe and drop it.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

At the next prompt, click 'Yes' to run the full ComboFix scan.

When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt* in your next reply.

============================

Also, can you run this tool for me as well:

Download *OTL* to your Desktop 

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. 
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long. 
When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL. 
Please copy *(Edit->Select All, Edit->Copy)* the contents of these files, one at a time and post them in your topic 


eddie


----------



## Justletmepost (Mar 11, 2012)

No apologies necessary, I understand completely.

Successfully installed the Recovery Console through combofix with that link, so hooray for that.

Aside from that, Combofix process was much the same as last time - it still gives a warning about Rootkit.ZeroAccess and its presence in the TCP/IP stack. But it deleted a bunch of new things, on top of the things it deleted last time (as listed in my previous combofix log post). OTL went off without a hitch, too. Here are the logs.

=========================================================
*COMBOFIX.TXT*
=========================================================
ComboFix 12-03-18.04 - Administrator 03/23/2012 18:55:22.2.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1772 [GMT 0:00]
Running from: c:\documents and settings\Finn\Desktop\Finn123.exe
Command switches used :: c:\documents and settings\Finn\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\desktop.ini
C:\readme.txt
c:\windows\EventSystem.log
c:\windows\system\libeay32.dll
c:\windows\system\ssleay32.dll
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2012-02-23 to 2012-03-23 )))))))))))))))))))))))))))))))
.
.
2012-03-18 23:40 . 2012-03-19 00:32 2617176 ----a-w- C:\revosetup.exe
2012-03-16 20:38 . 2012-03-16 20:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2012-03-09 20:54 . 2012-03-09 20:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-03-09 17:41 . 2012-03-09 17:46 -------- d-----w- C:\aaaaaaREGBACKUP_ERONT
2012-03-09 17:27 . 2012-03-09 17:39 -------- d-----w- C:\zzzwinsockfix
2012-03-09 17:16 . 2012-03-09 17:16 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-08 23:20 . 2012-03-09 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-08 23:20 . 2012-03-08 23:20 -------- d-----w- c:\program files\AVAST Software
2012-03-08 22:13 . 2012-03-08 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-03-08 22:13 . 2012-03-08 22:13 -------- d-----w- c:\program files\AVG
2012-03-08 22:03 . 2012-03-08 22:03 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-03-08 22:02 . 2012-03-08 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-03-07 20:37 . 2012-03-08 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E
2012-02-25 11:30 . 2012-02-25 12:15 -------- d-----w- c:\documents and settings\Finn\lmms
2012-02-25 11:29 . 2012-02-25 11:30 -------- d-----w- c:\program files\LMMS
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-25 10:16 . 2012-01-25 10:16 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-06 23:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 12:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-08 543232]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"HostManager"="c:\program files\Common Files\AOL\1169214453\ee\AOLSoftware.exe" [2006-05-24 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-06 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-06 138008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-11 421888]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CHotkey"="zHotkey.exe" [2004-12-08 550912]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Finn\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2009-1-5 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Finn^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\Finn\\Desktop\\eclipse-java-ganymede-SR1-win32\\eclipse\\eclipse.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\RosettaStoneVersion3.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone TOTALe\\RosettaStoneTOTALe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"57224:TCP"= 57224:TCP:Pando Media Booster
"57224:UDP"= 57224:UDP:Pando Media Booster
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"<NO NAME>"= 
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/4/2009 02:36 717296]
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [1/25/2012 10:16 56208]
S1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [12/15/2011 16:55 228208]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [1/25/2012 10:16 71440]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [1/25/2012 10:16 164112]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [12/30/2009 18:04 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [12/30/2009 18:04 234888]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 06:26 135664]
S2 HWiNFO32;HWiNFO32 Kernel Driver;c:\documents and settings\Finn\Desktop\hw32_236\HWiNFO32.sys [11/21/2008 09:48 16616]
S2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [1/2/2009 20:39 126976]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [1/25/2012 10:16 931640]
S2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [5/17/2010 13:45 1615176]
S3 BGRaSvc;BGRaSvc;"c:\program files\BullGuard Software\BullGuard\support\bgrasvc.exe" --> c:\program files\BullGuard Software\BullGuard\support\bgrasvc.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 06:26 135664]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [8/7/2011 12:43 21520]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 07:01 2799808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs REG_MULTI_SZ eaphost
dot3svc REG_MULTI_SZ dot3svc
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-01-02 12:42]
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003Core.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2012-03-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003UA.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2011-02-08 c:\windows\Tasks\Reimage Reminder.job
- c:\program files\Reimage\Reimage Repair\ReimageReminder.exe [2011-02-03 13:09]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0sgtbcgg.default\
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-23 19:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-03-23 19:13:14
ComboFix-quarantined-files.txt 2012-03-23 19:13
ComboFix2.txt 2012-03-21 19:41
.
Pre-Run: 11,412,459,520 bytes free
Post-Run: 11,394,965,504 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - 849DBAEAF41CE1EAF37F9E913A82086C

=========================================================
*OTL.TXT*
=========================================================
OTL logfile created on: 23/03/2012 19:43:06 - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Finn\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: | Country: | Language: | Date Format:

1.98 Gb Total Physical Memory | 1.55 Gb Available Physical Memory | 78.39% Memory free
3.83 Gb Paging File | 3.59 Gb Available in Paging File | 93.76% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 10.66 Gb Free Space | 8.33% Space Free | Partition Type: NTFS
Drive F: | 61.21 Mb Total Space | 50.62 Mb Free Space | 82.69% Space Free | Partition Type: FAT32

Computer Name: FINN-GE6QC5 | User Name: Finn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/23 19:26:00 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Finn\Desktop\OTL.exe
PRC - [2012/01/25 10:16:28 | 000,931,640 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2010/05/17 13:45:32 | 001,615,176 | ---- | M] (Rosetta Stone Ltd.) -- C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
PRC - [2009/04/02 12:47:04 | 000,234,888 | ---- | M] () -- C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
PRC - [2009/04/02 12:47:02 | 000,464,264 | ---- | M] () -- C:\Program Files\AskBarDis\bar\bin\AskService.exe
PRC - [2008/12/16 21:59:50 | 000,150,040 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2006/02/06 11:55:42 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2005/04/26 23:37:56 | 000,020,537 | ---- | M] (Apache Software Foundation) -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\apache.exe
PRC - [2005/04/02 01:51:48 | 000,217,600 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
PRC - [2004/07/16 21:26:44 | 000,126,976 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
PRC - [2004/05/07 08:20:52 | 000,024,681 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe

========== Modules (No Company Name) ==========

MOD - [2011/11/03 15:28:36 | 001,292,288 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2011/08/07 12:43:07 | 000,516,368 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportMS.dll
MOD - [2011/02/04 17:48:30 | 000,291,840 | ---- | M] () -- C:\WINDOWS\system32\sbe.dll
MOD - [2009/04/30 23:31:06 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll
MOD - [2009/04/02 12:47:04 | 000,234,888 | ---- | M] () -- C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
MOD - [2009/04/02 12:47:02 | 000,464,264 | ---- | M] () -- C:\Program Files\AskBarDis\bar\bin\AskService.exe
MOD - [2009/02/12 09:38:25 | 000,051,716 | ---- | M] () -- C:\WINDOWS\system32\pdf995mon.dll
MOD - [2008/04/14 00:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/14 00:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2006/05/14 04:23:40 | 000,138,752 | ---- | M] () -- C:\Program Files\7-Zip\7-zip.dll
MOD - [2005/07/11 15:26:52 | 000,671,744 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_pdf.dll
MOD - [2005/07/11 15:26:52 | 000,040,960 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_sockets.dll
MOD - [2005/07/11 15:26:52 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\php4apache2.dll
MOD - [2005/07/11 15:26:50 | 001,531,904 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_mbstring.dll
MOD - [2005/07/11 15:26:50 | 000,794,624 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_gd2.dll
MOD - [2005/07/11 15:26:44 | 000,061,440 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_bz2.dll
MOD - [2004/09/29 08:16:30 | 000,118,867 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\modules\mod_perl.so
MOD - [2004/07/16 21:26:44 | 000,126,976 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
MOD - [2004/07/16 21:26:44 | 000,065,536 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\lib\wrapper.dll
MOD - [2004/05/07 08:20:54 | 000,057,455 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\net.dll
MOD - [2004/05/07 08:20:54 | 000,057,453 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\verify.dll
MOD - [2004/05/07 08:20:54 | 000,053,364 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\zip.dll
MOD - [2004/05/07 08:20:52 | 000,102,515 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.dll
MOD - [2004/05/07 08:20:52 | 000,028,791 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\hpi.dll
MOD - [2004/05/07 08:20:52 | 000,024,681 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
MOD - [2004/05/07 08:20:50 | 001,212,546 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\client\jvm.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (MSDTC)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - File not found [On_Demand | Stopped] -- -- (iPod Service)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\BullGuard Software\BullGuard\support\bgrasvc.exe -- (BGRaSvc)
SRV - [2012/01/25 10:16:28 | 000,931,640 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2011/08/30 12:39:52 | 001,045,256 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/05/17 13:45:32 | 001,615,176 | ---- | M] (Rosetta Stone Ltd.) [Auto | Running] -- C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe -- (RosettaStoneDaemon)
SRV - [2009/04/02 12:47:04 | 000,234,888 | ---- | M] () [Auto | Running] -- C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe -- (ASKUpgrade)
SRV - [2009/04/02 12:47:02 | 000,464,264 | ---- | M] () [Auto | Running] -- C:\Program Files\AskBarDis\bar\bin\AskService.exe -- (ASKService)
SRV - [2008/12/16 21:59:50 | 000,150,040 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2006/02/06 11:55:42 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2005/09/23 07:01:16 | 002,799,808 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon80)
SRV - [2005/04/26 23:37:56 | 000,020,537 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\apache.exe -- (Apache)
SRV - [2005/04/02 01:51:48 | 000,217,600 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe -- (StarWindService)
SRV - [2004/07/16 21:26:44 | 000,126,976 | ---- | M] () [Auto | Running] -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe -- (mple7docserver)
SRV - [2003/05/19 16:07:38 | 000,086,016 | ---- | M] (Yahoo! Inc.) [On_Demand | Stopped] -- C:\WINDOWS\System32\YPCSER~1.EXE -- (YPCService)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (EagleNT)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (axs71oml)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (autvhncu)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\AFGSp50.sys -- (AFGSp50)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\AFGMp50.sys -- (AFGMp50)
DRV - [2012/01/25 10:16:44 | 000,164,112 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2012/01/25 10:16:44 | 000,071,440 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2012/01/25 10:16:44 | 000,056,208 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2011/12/15 16:55:49 | 000,228,208 | ---- | M] () [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys -- (RapportCerberus_34302)
DRV - [2011/08/07 12:43:07 | 000,021,520 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Stopped] -- c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys -- (RapportIaso)
DRV - [2009/08/22 18:25:00 | 000,009,088 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys -- (RivaTuner32)
DRV - [2009/01/08 02:19:41 | 000,025,280 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\hamachi.sys -- (hamachi)
DRV - [2009/01/06 11:51:45 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/12/17 06:02:08 | 000,023,832 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\lvuvcflt.sys -- (FilterService)
DRV - [2008/12/17 06:01:44 | 006,364,440 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 9000(UVC)
DRV - [2008/12/17 06:01:22 | 000,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/12/17 06:00:14 | 000,768,024 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\lvrs.sys -- (LVRS)
DRV - [2008/12/16 21:58:54 | 000,025,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\DRIVERS\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2008/11/21 09:48:56 | 000,016,616 | ---- | M] (REALiX(tm)) [Kernel | Auto | Running] -- C:\Documents and Settings\Finn\Desktop\hw32_236\HWiNFO32.SYS -- (HWiNFO32)
DRV - [2008/04/13 18:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\NMnt.sys -- (nm)
DRV - [2008/04/13 18:45:34 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\IrBus.sys -- (IrBus)
DRV - [2007/06/22 18:14:40 | 004,432,384 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/03/24 16:53:07 | 000,018,003 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)
DRV - [2005/12/14 20:46:58 | 000,160,256 | ---- | M] (Hauppauge Computer Works, Inc.) [23|25|26]xxx) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\hcwPP2.sys -- (hcwPP2)
DRV - [2005/10/24 23:17:40 | 000,162,816 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\rt25usbap.sys -- (RT25USBAP)
DRV - [2005/09/26 15:07:00 | 003,644,800 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/03/17 16:51:16 | 001,033,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/03/17 16:50:36 | 000,221,440 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/03/17 16:50:32 | 000,705,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - [2004/11/15 17:41:54 | 000,036,804 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\sunkfilt.sys -- (SunkFilt)
DRV - [2004/04/14 04:14:12 | 000,070,144 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\Rtlnicxp.sys -- (RTL8023xp)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://uk.red.clientapps.yahoo.com/...s/*http://uk.docs.yahoo.com/info/bt_side.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}:5.6.0.8153
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: C:\Program Files\DNA\plugins\npbtdna.dll (BitTorrent, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.1: C:\Program Files\Yahoo!\Shared\npYState.dll ( )
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@unity3d.com/UnityPlayer: C:\Program Files\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKLM\Software\MozillaPlugins\@yverinfo.yahoo.com/YahooVersionInfoPlugin;version=1.0.0.1: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/08 03:21:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/06 17:23:21 | 000,000,000 | ---D | M]

[2012/03/18 00:08:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/05 23:06:16 | 000,000,000 | ---D | M] (Click to call with Skype) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
File not found (No name found) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/07/20 00:59:31 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2009/05/20 02:46:27 | 000,239,432 | ---- | M] (Pando Networks) -- C:\Program Files\mozilla firefox\plugins\npPandoWebInst.dll
[2010/07/15 16:08:59 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2010/07/15 16:08:59 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2010/07/15 16:08:59 | 000,000,769 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2010/07/15 16:08:59 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\Application\17.0.963.66\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\Application\17.0.963.66\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\Application\17.0.963.66\pdf.dll
CHR - plugin: Skype Toolbars (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8153_0\npSkypeChromePlugin.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
CHR - plugin: DivX\u00AE Web Player (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
CHR - plugin: Windows Genuine Advantage (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
CHR - plugin: Pando Web Installer (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: AOL Media Playback Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Unity Player (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: DNA Plug-in (Enabled) = C:\Program Files\DNA\plugins\npbtdna.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.3_0\
CHR - Extension: Google Search = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.17_0\
CHR - Extension: Click to call with Skype = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8153_0\
CHR - Extension: Gmail = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/03/23 19:10:46 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O2 - BHO: (SidebarAutoLaunch Class) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe (Motive Communications, Inc.)
O4 - HKLM..\Run: [CHotkey] C:\WINDOWS\zHotkey.exe ()
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1169214453\ee\AOLSoftware.exe (America Online, Inc.)
O4 - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe (America Online, Inc.)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam\Quickcam.exe ()
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe (Motive)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe (Yahoo! Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme [2009/01/04 02:29:31 | 000,000,000 | ---D | M]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra Button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1231200248818 (WUWebControl Class)
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} http://www.acclaim.com/cabs/acclaim_v6.cab (GameLauncher Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} http://cdn1.acclaimdownloads.com/solidstateion.cab (CSolidBrowserObj Object)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\System32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/01 00:41:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/03/23 19:29:17 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\Cookies
[2012/03/23 19:29:16 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\LocalService\Cookies
[2012/03/23 19:13:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/03/23 18:29:05 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/03/23 18:29:05 | 000,000,000 | RHSD | C] -- \cmdcons
[2012/03/19 23:59:10 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/19 23:59:10 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/19 23:59:10 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/19 23:59:10 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/19 23:59:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/03/19 23:58:12 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/03/19 23:58:12 | 000,000,000 | ---D | C] -- \Qoobox
[2012/03/18 23:40:46 | 002,617,176 | ---- | C] (VS Revo Group Ltd.) -- C:\revosetup.exe
[2012/03/09 17:41:08 | 000,000,000 | ---D | C] -- C:\aaaaaaREGBACKUP_ERONT
[2012/03/09 17:41:08 | 000,000,000 | ---D | C] -- \aaaaaaREGBACKUP_ERONT
[2012/03/09 17:27:30 | 000,000,000 | ---D | C] -- C:\zzzwinsockfix
[2012/03/09 17:27:30 | 000,000,000 | ---D | C] -- \zzzwinsockfix
[2012/03/08 23:20:00 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012/03/08 23:20:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2012/03/08 22:13:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2012/03/08 22:13:19 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2012/03/08 22:03:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/03/08 22:02:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/03/07 20:37:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E
[2012/02/25 11:30:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Finn\lmms
[2012/02/25 11:30:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\LMMS 0.4.13
[2012/02/25 11:29:22 | 000,000,000 | ---D | C] -- C:\Program Files\LMMS
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/23 19:38:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003UA.job
[2012/03/23 19:29:16 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/23 19:29:15 | 000,012,654 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/23 19:29:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/23 19:10:46 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/03/23 18:29:18 | 000,000,420 | RHS- | M] () -- C:\boot.ini
[2012/03/21 01:22:10 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/19 20:38:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003Core.job
[2012/03/19 00:32:48 | 002,617,176 | ---- | M] (VS Revo Group Ltd.) -- C:\revosetup.exe
[2012/03/18 21:21:15 | 000,005,536 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/03/16 15:42:45 | 2129,846,272 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2012/03/09 16:09:13 | 000,249,324 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2012/03/09 15:34:13 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/03/07 20:24:18 | 000,002,358 | ---- | M] () -- C:\Documents and Settings\Finn\.recently-used.xbel
[2012/03/07 03:39:34 | 000,002,255 | ---- | M] () -- C:\Documents and Settings\Finn\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/03/02 07:40:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/02/25 12:15:13 | 000,000,946 | ---- | M] () -- C:\Documents and Settings\Finn\.lmmsrc.xml
[2012/02/24 18:08:21 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/23 18:29:18 | 000,000,304 | ---- | C] () -- C:\Boot.bak
[2012/03/23 18:29:18 | 000,000,304 | ---- | C] () -- \Boot.bak
[2012/03/23 18:29:12 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/03/23 18:29:12 | 000,260,272 | RHS- | C] () -- \cmldr
[2012/03/19 23:59:10 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/19 23:59:10 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/19 23:59:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/19 23:59:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/19 23:59:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/18 23:40:46 | 002,617,176 | ---- | C] () -- \revosetup.exe
[2012/03/09 17:25:20 | 000,001,599 | ---- | C] () -- C:\Remote Assistance.lnk
[2012/03/09 17:25:20 | 000,001,599 | ---- | C] () -- \Remote Assistance.lnk
[2012/03/07 20:24:18 | 000,002,358 | ---- | C] () -- C:\Documents and Settings\Finn\.recently-used.xbel
[2012/02/25 11:33:54 | 000,000,946 | ---- | C] () -- C:\Documents and Settings\Finn\.lmmsrc.xml
[2012/01/13 00:50:00 | 000,088,992 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/12/04 22:02:18 | 000,001,117 | ---- | C] () -- C:\WINDOWS\unins001.dat
[2011/07/16 19:22:24 | 000,032,256 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2011/07/16 19:18:45 | 000,107,520 | RHS- | C] () -- C:\WINDOWS\System32\TAKDSDecoder.dll
[2011/02/08 23:11:51 | 000,000,286 | ---- | C] () -- C:\WINDOWS\reimage.ini
[2011/02/08 13:15:57 | 001,228,854 | ---- | C] () -- \fsqwr.bmp
[2011/02/02 07:10:58 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Finn\Local Settings\Application Data\PUTTY.RND
[2010/08/01 14:18:37 | 000,000,038 | ---- | C] () -- C:\WINDOWS\camcodec100.ini
[2010/08/01 14:17:49 | 000,695,578 | ---- | C] () -- C:\WINDOWS\System32\unins000.exe
[2010/08/01 14:17:49 | 000,001,074 | ---- | C] () -- C:\WINDOWS\System32\unins000.dat
[2010/05/07 19:52:46 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll

========== LOP Check ==========

[2011/02/08 23:11:52 | 000,000,224 | ---- | M] () -- C:\WINDOWS\Tasks\Reimage Reminder.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 987 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:hLXU3ApKgF4zH4NFvaKAYv6U
@Alternate Data Stream - 1181 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:N8OiaQpowBd9eS5o7VTnK78bLMX0
@Alternate Data Stream - 1173 bytes -> C:\Documents and Settings\Finn\Local Settings\Application Data\RrfAVfog:xv6Wij3iLukewgJHKJT
@Alternate Data Stream - 1172 bytes -> C:\Program Files\Common Files\Microsoft Shared:AHTRWoYdSQfim69aQCm
@Alternate Data Stream - 1017 bytes -> C:\Documents and Settings\Finn\Local Settings\Application Data\oovlLTQFvMNO:tx1FoL3AopAxvWTLFSg

< End of report >

=========================================================
*EXTRAS.TXT*
=========================================================
OTL Extras logfile created on: 23/03/2012 19:43:06 - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Finn\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: | Country: | Language: | Date Format:

1.98 Gb Total Physical Memory | 1.55 Gb Available Physical Memory | 78.39% Memory free
3.83 Gb Paging File | 3.59 Gb Available in Paging File | 93.76% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 10.66 Gb Free Space | 8.33% Space Free | Partition Type: NTFS
Drive F: | 61.21 Mb Total Space | 50.62 Mb Free Space | 82.69% Space Free | Partition Type: FAT32

Computer Name: FINN-GE6QC5 | User Name: Finn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = YBrowser.HTML] -- C:\PROGRA~1\Yahoo!\browser\ybrowser.exe %1
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- C:\PROGRA~1\Yahoo!\browser\ybrowser.exe %1
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Force Uninstall] -- C:\Program Files\Perfect Uninstaller\PU.exe "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\svc]
"AntiVirusDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallDisableNotify" = 1
"FirewallOverride" = 1
"UpdatesDisableNotify" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"" = 
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"" =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"9842:TCP" = 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP" = 9842:UDP:*:Disabled:SolidNetworkManager
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"57224:TCP" = 57224:TCP:*:Enabled:Pando Media Booster
"57224:UDP" = 57224:UDP:*:Enabled:Pando Media Booster
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724
"" =

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Rosetta Stone\Rosetta Stone V3 DEMO\support\bin\RosettaStoneLtdServices.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone V3 DEMO\support\bin\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Online Component -- ()
"C:\Program Files\Rosetta Stone\Rosetta Stone V3 DEMO\RosettaStoneVersion3.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone V3 DEMO\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone V3 DEMO Application -- ()
"C:\Program Files\Rosetta Stone\Rosetta Stone TOTALe\support\bin\win\RosettaStoneLtdServices.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone TOTALe\support\bin\win\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Ltd Services
"C:\Program Files\Rosetta Stone\Rosetta Stone TOTALe\RosettaStoneTOTALe.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone TOTALe\RosettaStoneTOTALe.exe:*:Enabled:Rosetta Stone TOTALe Application -- (Rosetta Stone Ltd.)
"%windir%\explorer.exe" = %windir%\explorer.exe -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Lionhead Studios Ltd\Black & White\runblack.exe" = C:\Program Files\Lionhead Studios Ltd\Black & White\runblack.exe:*:Enabled:lh -- (LionHead Studios Ltd.)
"C:\Program Files\Trillian\trillian.exe" = C:\Program Files\Trillian\trillian.exe:*:Enabled:Trillian -- (Cerulean Studios)
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()
"C:\Program Files\WiFiConnector\NintendoWFCReg.exe" = C:\Program Files\WiFiConnector\NintendoWFCReg.exe:*:Enabled:Nintendo Wi-Fi USB Connector -- ()
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\1169214453\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1169214453\ee\aolsoftware.exe:*:Enabled:AOL Services -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\1169214453\ee\aim6.exe" = C:\Program Files\Common Files\AOL\1169214453\ee\aim6.exe:*:Enabled:AIM -- (America Online, Inc.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Yahoo!\Messenger\ypager.exe" = C:\Program Files\Yahoo!\Messenger\ypager.exe:*:Enabled:Yahoo! Messenger -- ()
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\World of Warcraft\Launcher.exe" = C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-3.2.0-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Azureus\Azureus.exe" = C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus / Vuze -- (Vuze Inc.)
"C:\Documents and Settings\Finn\Desktop\eclipse-java-ganymede-SR1-win32\eclipse\eclipse.exe" = C:\Documents and Settings\Finn\Desktop\eclipse-java-ganymede-SR1-win32\eclipse\eclipse.exe:*:Enabled:eclipse -- ()
"C:\WINDOWS\system32\java.exe" = C:\WINDOWS\system32\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Rosetta Stone\Rosetta Stone V3 DEMO\support\bin\RosettaStoneLtdServices.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone V3 DEMO\support\bin\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Online Component -- ()
"C:\Program Files\Rosetta Stone\Rosetta Stone V3 DEMO\RosettaStoneVersion3.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone V3 DEMO\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone V3 DEMO Application -- ()
"C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe" = C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services -- (Rosetta Stone Ltd.)
"C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe" = C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon -- (Rosetta Stone Ltd.)
"C:\Program Files\Rosetta Stone\Rosetta Stone TOTALe\RosettaStoneTOTALe.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone TOTALe\RosettaStoneTOTALe.exe:*:Enabled:Rosetta Stone TOTALe Application -- (Rosetta Stone Ltd.)
"%windir%\explorer.exe" = %windir%\explorer.exe -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0E2B767B-EA6A-489B-BF83-8083FE1DB661}" = Pcsx2 0.9.6
"{0ECB59D5-A3FC-4D61-AD3B-6CE679B3F852}" = Java DB 10.2.2.0
"{11A480B9-887E-48BE-8B8E-7E3DCB4FF5AB}" = Proxem.Antelope
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{1389C6A4-4965-4AEC-9175-08B54A10FA48}" = Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
"{14735B76-8B33-4DB9-A548-9918B7A2C41E}" = Microsoft Windows SDK for Windows Server 2008 Samples (6001.18000.367)
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite eMachines
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{19AFC1C2-B11B-3FFF-9C9F-05761BC244D9}" = Windows SDK Intellidocs
"{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}" = Microsoft XNA Framework Redistributable 3.1
"{1CBE3804-20DF-48DA-B048-895C206E80A5}" = Microsoft SQL Server VSS Writer
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24E34264-D483-477C-A9A0-4E53F69834CF}" = Façade
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2B3737F2-2D17-4D61-ABBC-38287C99ADAE}" = Graphviz
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{315F5FFC-1A5C-4A2A-B8E7-1C5B1174C198}_is1" = AML Free Registry Cleaner 4.20
"{3212AA30-4503-4D30-ADF3-F0DA00C3FDCC}" = Rosetta Stone Ltd Services
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3819891A-030B-4a4e-98ED-B28A649E48AB}" = HP Deskjet 3900 series
"{3A50302D-3AAC-4B5B-918A-5FDA9ABB0F44}" = Microsoft Windows SDK for Windows Server 2008 .NET Documentation (6001.18000.367)
"{4010ADCB-1347-D570-FCF1-3002CABEBD2F}" = Rosetta Stone TOTALe
"{42F6BED9-41DD-40F1-85A8-8E0350493626}" = HPDeskjet3900Series
"{437AB8E0-FB69-4222-B280-A64F3DE22591}" = Microsoft Visual Studio 2005 Professional Edition - ENU
"{44D4AF75-6870-41F5-9181-662EA05507E1}" = Microsoft Document Explorer 2005
"{44D9A2CB-0692-3180-B5E2-26F4E807D067}" = Microsoft Visual C++ Compilers 2008 Standard Edition - enu - x86
"{49672EC2-171B-47B4-8CE7-50D7806360D7}" = Windows Live Sign-in Assistant
"{53735ECE-E461-4FD0-B742-23A352436D3A}" = Logitech Updater
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{58582B88-0260-4C80-9A89-8CA0923AFD26}" = WordNet 2.1
"{5CFED181-0A85-4C62-88E4-ADF1110463DA}" = Developer Express DXCore for Visual Studio .NET
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{60E2C8C9-6CF3-4B1A-9618-E304946C94E6}" = Python 2.4.4
"{625386A4-B6B6-4911-A6E8-23189C3F2D15}" = Microsoft .NET Compact Framework 2.0
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}" = Microsoft Document Explorer 2008
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{686BB230-DE5B-44F4-8DB0-4F9BEE7310F7}" = OpenOffice.org 2.0
"{68A35043-C55A-4237-88C9-37EE1C63ED71}" = Microsoft Visual J# 2.0 Redistributable Package
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6C518CC0-5CF1-481B-AB35-9BE5024DC106}" = Microsoft Windows SDK MDAC Headers and Libraries (6001.18000.367)
"{6C531060-84FB-4F96-8F33-29DF020632EB}" = Microsoft .NET Compact Framework 1.0 SP3 Developer
"{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}" = Multimedia Keyboard Driver
"{6ED32BB5-56B6-4317-A2D1-98A8313C3BAF}" = Microsoft Windows SDK for Windows Server 2008 (6001.18000.367)
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{74602099-9B8D-4799-B349-928B8BDE6E06}" = Microsoft DirectX SDK (December 2006)
"{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}" = SSH Secure Shell
"{74EC78BC-B379-4E29-9006-8F161DCAABA6}" = Apple Software Update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel(R) PRO Network Connections 12.1.12.0
"{78B75C6D-E53C-424C-BF83-4B63BD4A6682}" = Microsoft Device Emulator version 1.0 - ENU
"{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}" = Digital Media Reader
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E5B3FDE-62E1-4391-BBA0-0E4242AD9577}" = Microsoft Windows SDK Net Fx Interop Headers And Libraries (6001.18000.367)
"{937B232D-9776-471E-92BD-D424E514EF14}" = Logitech QuickCam
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9A0ED01E-FD18-457A-AB9C-0835DCDB17BB}" = Microsoft Platform SDK (R2) (3790.2075)
"{9BAED673-5D51-481E-B1E0-FB2E5039260B}" = Microsoft Windows SDK Intellisense and Reference Assemblies (6001.18000.367)
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A431744A-553F-4FC0-AF91-BCA47C7E0949}" = Microsoft Windows SDK for Windows Server 2008 Headers and Libraries (6001.18000.367)
"{A8AF85EB-737C-49B9-90DD-44A5FAF4D04E}" = Maya 7.0 Personal Learning Edition
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype 5.5
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{AEAEEAD6-38EC-4321-92A7-599367E21FF2}" = Rosetta Stone V3 DEMO
"{AF1C9841-C258-4E8D-8C39-D5BE212CAE0F}" = KingsTools
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B46C272F-8B7A-402A-9915-8B0463F035DC}" = Microsoft Windows SDK for Windows Server 2008 Utilities for Win32 Development (6001.18000.367)
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Click to Call with Skype
"{B6EC7388-E277-4A5B-8C8F-71067A41BA64}" = TextPad 5
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7EC89B3-2B8C-44A9-815C-135F391068B0}" = Microsoft Windows SDK for Windows Server 2008 Common Utilities (6001.18000.367)
"{B93DCF58-AA57-41EC-8D69-B05C66C6312D}_is1" = SUPER © v2011.build.49 (July 1st, 2011) version v2011.build.49
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{BBCBA2A0-F0E5-4EA8-AAC0-CF1DC592221E}" = Microsoft VC Redist 2008 (6001.18000.367)
"{BF251EAF-8697-4E89-BF09-C998F97BBC40}" = Microsoft SQL Server Native Client
"{BF61D7A1-E894-4E3D-9129-B8D44B51FF94}" = Microsoft Windows SDK for Windows Server 2008 Win32 Documentation (6001.18000.367)
"{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD590618-36BD-0710-AC86-F3B3C4AF201E}" = Microsoft Windows SDK .NET Framework Tools
"{D0E0D3AC-E9A1-4A74-90B3-4DB12181F2CC}" = Developer Express Refactor! for C++
"{D10EC365-8936-4B40-AE2E-FCDA61C326D3}" = Alias DirectConnect 2.0
"{D56D4A9A-B94D-4055-9FC1-B4E33A26C2B8}" = Rosetta Stone TOTALe
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{E51B4CD9-A0A6-4324-B26A-31B3F2DE26CE}" = Black and White
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{ECEE0279-785F-4CB3-9F28-E69813234BF8}" = SPORE Creature Creator Trial Edition
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F44DA61E-720D-4E79-871F-F6E628B33242}" = OpenOffice.org 3.0
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"{FE64AE29-0883-4C70-8388-DC026019C900}" = HP Image Zone Express
"{FF4D08B0-5098-4C4A-B801-42F3B1F9FE07}" = Microsoft Document Explorer 2008 (6001.18000.367)
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"7-Zip" = 7-Zip 4.42
"8461-7759-5462-8226" = Vuze
"acl81-express" = Allegro Common Lisp 8.1 Free Express Edition
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"aigneslocalwebsitearchive" = Local Website Archive 2.1.1
"Alarm_is1" = Alarm
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"Ask Toolbar_is1" = Vuze Toolbar
"Audacity_is1" = Audacity 1.2.6
"Azureus" = Azureus
"Blender" = Blender (remove only)
"BT Home Hub" = BT Home Hub
"BT Wireless Connection Manager" = BT Wireless Connection Manager
"BT Yahoo! Applications" = BT Yahoo! Applications
"btbb.MCCInstall" = BT Broadband Desktop Help
"CamStudio" = CamStudio
"CamStudio Lossless Codec_is1" = CamStudio Lossless Codec v1.4
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = Soft Data Fax Modem with SmartCP
"com.rosettastone.rosettastonetotale.8F5798B43604FA41C65B6F3DA7D3E38B6B065643.1" = Rosetta Stone TOTALe
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2008-01-24
"DivX Setup.divx.com" = DivX Setup
"doxygen_is1" = doxygen 1.3.6
"Driver Cleaner Pro" = DH Driver Cleaner Professional Edition
"FileZilla Client" = FileZilla Client 3.5.3
"FlashDevelop" = FlashDevelop 4.0.0
"Fraps" = Fraps (remove only)
"GCFScape_is1" = GCFScape 1.7.0
"Hamachi" = Hamachi 1.0.3.0
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HP Imaging Device Functions" = HP Imaging Device Functions 5.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}" = Digital Media Reader
"InstallShield_{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"JAIELangPack" = Japanese Language Support
"JDiskReport 1.4.0" = JDiskReport 1.4.0
"King Arthur's Gold (Alpha)_is1" = KAG 0.90A
"lmms" = LMMS 0.4.13
"lvdrivers_11.90" = Logitech QuickCam Driver Package
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"Microsoft DirectX SDK (August 2008)" = Microsoft DirectX SDK (August 2008)
"Microsoft Document Explorer 2005" = Microsoft Document Explorer 2005
"Microsoft Document Explorer 2008" = Microsoft Document Explorer 2008
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual J# 2.0 Redistributable Package" = Microsoft Visual J# 2.0 Redistributable Package
"Microsoft Visual Studio 2005 Professional Edition - ENU" = Microsoft Visual Studio 2005 Professional Edition - ENU
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"nbi-glassfish-2.1.60.20090114.0" = GlassFish V2.1
"nbi-glassfish-mod-3.0.0.28.20081022" = GlassFish v3 Prelude
"nbi-nb-base-6.5.1.0.200903060201" = NetBeans IDE 6.5.1
"Nero - Burning Rom!UninstallKey" = Nero OEM
"Nero BurnRights!UninstallKey" = Nero BurnRights
"NetBattle_is1" = NetBattle
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"OpenAL" = OpenAL
"Pdf995" = Pdf995
"Perfect Uninstaller_is1" = Perfect Uninstaller v6.3.3.3
"Portal© GT-D for Windows" = Portal© GT-D for Windows
"ppFonter" = ppFonter 2.2
"Proxifier_is1" = Proxifier version 2.7
"Rapport_msi" = Rapport
"Reimage Repair" = Reimage Repair
"Revo Uninstaller" = Revo Uninstaller 1.93
"RivaTuner" = RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
"ROM CHECK FAIL_is1" = ROM CHECK FAIL 1.0
"ScummVM_is1" = ScummVM 0.13.1a
"SDKSetup_6.0.6001.18000" = Microsoft Windows SDK for Windows Server 2008 (6001.18000.367)
"SolidStateIONIE" = Solid State ION Internet Explorer Plugin
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.5.2.20
"SystemRequirementsLab" = System Requirements Lab
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"Trillian" = Trillian
"Unicode Phonetic Keyboard and Font_is1" = Unicode Phonetic Keyboard 1.02 and SIL Fonts
"Unity" = Unity
"UnityWebPlayer" = Unity Web Player
"VLC media player" = VideoLAN VLC media player 0.8.5
"VulturesEye" = Vulture's Eye
"WiFiConnector" = Nintendo Wi-Fi USB Connector Registration Tool
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WindowsFrotz" = Windows Frotz (remove only)
"WinGimp-2.0_is1" = GIMP 2.6.11
"Wings 3D 0.98.35" = Wings 3D 0.98.35
"WinGTK-2_is1" = GTK+ 2.8.18-1 runtime environment
"WinPcapInst" = WinPcap 4.0.1
"World Machine2Basic" = World Machine 2.2 Basic Edition
"World of Warcraft" = World of Warcraft
"Xbox_360_CC_Driver" = Xbox 360 Controller for Windows
"Xfire" = Xfire (remove only)
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"XviD_is1" = XviD MPEG-4 Video Codec
"Yahoo! Toolbar" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 23/03/2012 15:29:19 | Computer Name = FINN-GE6QC5 | Source = MSSQL$SQLEXPRESS | ID = 17058
Description = initerrlog: Could not open error log file 'c:\Program Files\Microsoft
SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Error - 23/03/2012 15:29:19 | Computer Name = FINN-GE6QC5 | Source = MSSQL$SQLEXPRESS | ID = 17058
Description = initerrlog: Could not open error log file 'c:\Program Files\Microsoft
SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Error - 23/03/2012 15:29:19 | Computer Name = FINN-GE6QC5 | Source = Media Center Extender Services | ID = 36864
Description = ERROR: Device Service Initialization - Unable to create or initialize
Device Table. Error code 0x80004005.

Error - 23/03/2012 15:29:23 | Computer Name = FINN-GE6QC5 | Source = MSSQL$SQLEXPRESS | ID = 17058
Description = initerrlog: Could not open error log file 'c:\Program Files\Microsoft
SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Error - 23/03/2012 15:29:24 | Computer Name = FINN-GE6QC5 | Source = MSSQL$SQLEXPRESS | ID = 17058
Description = initerrlog: Could not open error log file 'c:\Program Files\Microsoft
SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Error - 23/03/2012 15:29:24 | Computer Name = FINN-GE6QC5 | Source = MSSQL$SQLEXPRESS | ID = 17058
Description = initerrlog: Could not open error log file 'c:\Program Files\Microsoft
SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Error - 23/03/2012 15:29:25 | Computer Name = FINN-GE6QC5 | Source = MSSQL$SQLEXPRESS | ID = 17058
Description = initerrlog: Could not open error log file 'c:\Program Files\Microsoft
SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Error - 23/03/2012 15:29:25 | Computer Name = FINN-GE6QC5 | Source = MSSQL$SQLEXPRESS | ID = 17058
Description = initerrlog: Could not open error log file 'c:\Program Files\Microsoft
SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Error - 23/03/2012 15:29:25 | Computer Name = FINN-GE6QC5 | Source = MSSQL$SQLEXPRESS | ID = 17058
Description = initerrlog: Could not open error log file 'c:\Program Files\Microsoft
SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Error - 23/03/2012 15:29:26 | Computer Name = FINN-GE6QC5 | Source = MSSQL$SQLEXPRESS | ID = 17053
Description = UpdateUptimeRegKey: Operating system error 5(Access is denied.) encountered.

[ System Events ]
Error - 23/03/2012 15:22:38 | Computer Name = FINN-GE6QC5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 23/03/2012 15:22:45 | Computer Name = FINN-GE6QC5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 23/03/2012 15:23:59 | Computer Name = FINN-GE6QC5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 23/03/2012 15:24:13 | Computer Name = FINN-GE6QC5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 23/03/2012 15:24:19 | Computer Name = FINN-GE6QC5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 23/03/2012 15:27:24 | Computer Name = FINN-GE6QC5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 23/03/2012 15:29:31 | Computer Name = FINN-GE6QC5 | Source = Service Control Manager | ID = 7000
Description = The Java Quick Starter service failed to start due to the following
error: %%2

Error - 23/03/2012 15:29:31 | Computer Name = FINN-GE6QC5 | Source = Service Control Manager | ID = 7024
Description = The Media Center Extender Service service terminated with service-specific
error 2147500037 (0x80004005).

Error - 23/03/2012 15:29:31 | Computer Name = FINN-GE6QC5 | Source = Service Control Manager | ID = 7024
Description = The SQL Server (SQLEXPRESS) service terminated with service-specific
error 17058 (0x42A2).

Error - 23/03/2012 15:31:22 | Computer Name = FINN-GE6QC5 | Source = Service Control Manager | ID = 7022
Description = The Apache service hung on starting.

< End of report >


----------



## Justletmepost (Mar 11, 2012)

bump.

Also, a couple of things I keep forgetting to mention:
- The minimize/maximize/close buttons on all my windows are in a different style from before - smaller. And my usual startup programs no longer start up - and I think these symptoms appeared at the same time as the broken internet/sound drivers/etc, before I posted this topic.
- When we were still on the Java stuff, I tried plugging the infected computer into the internet again on a whim just in case, and although it mostly behaved as if there was no connection as before, when I turned the computer off it prompted me to install updates to Windows, which I'm pretty sure it hadn't been doing before! So I suppose my connection must still be working in some capacity. I've been turning off without installing updates for now - should I install them, or is it possible the rootkit could be using Windows Update to update itself?


----------



## Justletmepost (Mar 11, 2012)

And another thing, that's just come up.
After looking at my logs, a friend suspects I have an "Alureon" rootkit, and recommends I try the tool at this link: http://support.kaspersky.com/downloads/utils/tdsskiller.zip , run it in safe mode, and then run combofix again to see if it comes up clean.
Is there any reason I shouldn't do this?


----------



## eddie5659 (Mar 19, 2001)

Sorry, away for the weekend and will look at the logs fully tonight.

Yep, run TDSSKiller, but see if you can do this in normal mode first. If not, then safe mode. Also, I have another tool for you to run, as follows:

-----

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan click save log, save it to your desktop and post in your next reply.
--------------------

Download the latest version of TDSSKiller from *here* and save it to your Desktop.

Double-click on *TDSSKiller.exe* to run the application, then click on *Change parameters*.

Check the boxes beside *Verify Driver Digital Signature* and *Detect TDLFS file system*, then click OK.

Click the *Start Scan* button.

If a suspicious object is detected, the default action will be *Skip*; click on *Continue*.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure *Cure* is selected, then click *Continue* => *Reboot now* to finish the cleaning process.

Note: *If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.*

A report will be created in your root directory (usually the C:\ folder) in the form of *"TDSSKiller.[Version]_[Date]_[Time]_log.txt"*. Please copy and paste its contents in your next reply.


----------



## Justletmepost (Mar 11, 2012)

Both tools detected stuff. In TDSS, all items had Skip, Copy To Quarantine and Delete - no Cure option. Ran it again in safe mode hoping that would make a difference. It didn't. Posting both logs anyway, because why not.

Also, I noticed I'm getting a new popup after Windows startup since running combofix:
"Warning:
Unknown(): Unable to load dynamic library '..\php4\extensions\php_curl.dll' - The specified module could not be found."

Anyway, logs.

===========================================================
*aswmbr log*
===========================================================
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-26 11:30:06
-----------------------------
11:30:06.093 OS Version: Windows 5.1.2600 Service Pack 3
11:30:06.093 Number of processors: 2 586 0x1706
11:30:06.093 ComputerName: FINN-GE6QC5 UserName: Finn
11:30:08.265 Initialize success
11:31:45.343 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:31:45.343 Disk 0 Vendor: ST3160815AS 4.AAA Size: 152627MB BusType: 3
11:31:45.359 Disk 0 MBR read successfully
11:31:45.359 Disk 0 MBR scan
11:31:45.359 Disk 0 Windows XP default MBR code
11:31:45.359 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 131061 MB offset 63
11:31:45.375 Disk 0 scanning sectors +268414020
11:31:45.500 Disk 0 scanning C:\WINDOWS\system32\drivers
11:32:01.312 Service scanning
11:32:33.453 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
11:32:38.359 Modules scanning
11:32:43.687 Module: C:\WINDOWS\System32\Drivers\atapi.sys **SUSPICIOUS**
11:32:51.609 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**
11:32:54.218 Disk 0 trace - called modules:
11:32:54.250 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spux.sys >>UNKNOWN [0x8a824938]<<
11:32:54.250 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7d4ab8]
11:32:54.250 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\000000a4[0x8a843b88]
11:32:54.265 5 ACPI.sys[b7e67620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a7d8940]
11:32:54.265 Scan finished successfully
11:34:34.890 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Finn\Desktop\MBR.dat"
11:34:34.921 The log file has been saved successfully to "C:\Documents and Settings\Finn\Desktop\aswMBR.txt"

===========================================================
*TDSS log 1, normal mode*
===========================================================
11:36:09.0750 5792 TDSS rootkit removing tool 2.7.22.0 Mar 21 2012 17:40:00
11:36:09.0765 5792 ============================================================
11:36:09.0765 5792 Current date / time: 2012/03/26 11:36:09.0765
11:36:09.0765 5792 SystemInfo:
11:36:09.0765 5792 
11:36:09.0765 5792 OS Version: 5.1.2600 ServicePack: 3.0
11:36:09.0765 5792 Product type: Workstation
11:36:09.0765 5792 ComputerName: FINN-GE6QC5
11:36:09.0765 5792 UserName: Finn
11:36:09.0765 5792 Windows directory: C:\WINDOWS
11:36:09.0765 5792 System windows directory: C:\WINDOWS
11:36:09.0765 5792 Processor architecture: Intel x86
11:36:09.0765 5792 Number of processors: 2
11:36:09.0765 5792 Page size: 0x1000
11:36:09.0765 5792 Boot type: Normal boot
11:36:09.0765 5792 ============================================================
11:36:11.0125 5792 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
11:36:11.0140 5792 \Device\Harddisk0\DR0:
11:36:11.0140 5792 MBR used
11:36:11.0140 5792 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xFFFAC05
11:36:11.0281 5792 Initialize success
11:36:11.0281 5792 ============================================================
11:36:37.0687 5832 ============================================================
11:36:37.0687 5832 Scan started
11:36:37.0687 5832 Mode: Manual; SigCheck; TDLFS; 
11:36:37.0687 5832 ============================================================
11:36:38.0000 5832 Abiosdsk - ok
11:36:38.0234 5832 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
11:36:38.0625 5832 abp480n5 - ok
11:36:38.0968 5832 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:36:39.0109 5832 ACPI - ok
11:36:39.0406 5832 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
11:36:39.0500 5832 ACPIEC - ok
11:36:39.0781 5832 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
11:36:39.0875 5832 adpu160m - ok
11:36:40.0156 5832 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
11:36:40.0265 5832 aec - ok
11:36:40.0562 5832 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
11:36:40.0640 5832 AFD - ok
11:36:40.0890 5832 AFGMp50 - ok
11:36:41.0093 5832 AFGSp50 - ok
11:36:41.0343 5832 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
11:36:41.0421 5832 agp440 - ok
11:36:41.0671 5832 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
11:36:41.0750 5832 agpCPQ - ok
11:36:42.0015 5832 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
11:36:42.0062 5832 Aha154x - ok
11:36:42.0328 5832 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
11:36:42.0406 5832 aic78u2 - ok
11:36:42.0656 5832 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
11:36:42.0718 5832 aic78xx - ok
11:36:43.0796 5832 ALCXWDM (92ae420be14b0d97d14dac4aba22a702) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
11:36:45.0671 5832 ALCXWDM - ok
11:36:45.0937 5832 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
11:36:46.0031 5832 Alerter - ok
11:36:46.0296 5832 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
11:36:46.0375 5832 ALG - ok
11:36:46.0609 5832 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
11:36:46.0703 5832 AliIde - ok
11:36:46.0968 5832 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
11:36:47.0046 5832 alim1541 - ok
11:36:47.0296 5832 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
11:36:47.0390 5832 amdagp - ok
11:36:47.0640 5832 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
11:36:47.0687 5832 amsint - ok
11:36:47.0843 5832 Apache (5063a736174225b38c5b5295bde4a160) C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\apache.exe
11:36:47.0859 5832 Apache ( UnsignedFile.Multi.Generic ) - warning
11:36:47.0859 5832 Apache - detected UnsignedFile.Multi.Generic (1)
11:36:48.0156 5832 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
11:36:48.0296 5832 AppMgmt - ok
11:36:48.0562 5832 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
11:36:48.0625 5832 Arp1394 - ok
11:36:48.0890 5832 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
11:36:48.0968 5832 asc - ok
11:36:49.0281 5832 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
11:36:49.0343 5832 asc3350p - ok
11:36:49.0593 5832 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
11:36:49.0671 5832 asc3550 - ok
11:36:49.0906 5832 ASKService (7b44f870fc2da172c5367d9e3f96f553) C:\Program Files\AskBarDis\bar\bin\AskService.exe
11:36:50.0093 5832 ASKService - ok
11:36:50.0171 5832 ASKUpgrade (367621cb272a8d9e7d910388916d5737) C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
11:36:50.0203 5832 ASKUpgrade - ok
11:36:50.0437 5832 aspnet_state (4eabf511b1af176a971c3271e48fa3a8) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
11:36:50.0500 5832 aspnet_state - ok
11:36:50.0812 5832 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:36:50.0890 5832 AsyncMac - ok
11:36:51.0156 5832 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:36:51.0234 5832 atapi - ok
11:36:51.0453 5832 Atdisk - ok
11:36:51.0703 5832 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:36:51.0796 5832 Atmarpc - ok
11:36:52.0093 5832 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
11:36:52.0187 5832 AudioSrv - ok
11:36:52.0453 5832 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
11:36:52.0531 5832 audstub - ok
11:36:52.0765 5832 autvhncu - ok
11:36:53.0000 5832 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
11:36:53.0078 5832 Beep - ok
11:36:53.0140 5832 BGRaSvc - ok
11:36:53.0468 5832 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
11:36:53.0781 5832 BITS - ok
11:36:54.0046 5832 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
11:36:54.0140 5832 Browser - ok
11:36:54.0296 5832 catchme - ok
11:36:54.0562 5832 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
11:36:54.0640 5832 cbidf - ok
11:36:54.0859 5832 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:36:54.0921 5832 cbidf2k - ok
11:36:55.0187 5832 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
11:36:55.0265 5832 CCDECODE - ok
11:36:55.0531 5832 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
11:36:55.0578 5832 cd20xrnt - ok
11:36:55.0875 5832 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
11:36:55.0953 5832 Cdaudio - ok
11:36:56.0234 5832 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
11:36:56.0312 5832 Cdfs - ok
11:36:56.0562 5832 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:36:56.0640 5832 Cdrom - ok
11:36:56.0875 5832 Changer - ok
11:36:57.0109 5832 cisvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
11:36:57.0203 5832 cisvc - ok
11:36:57.0484 5832 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
11:36:57.0578 5832 ClipSrv - ok
11:36:57.0750 5832 clr_optimization_v2.0.50727_32 (234b1bc2796483e1f5c3f26649fb3388) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
11:36:57.0890 5832 clr_optimization_v2.0.50727_32 - ok
11:36:58.0171 5832 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
11:36:58.0265 5832 CmdIde - ok
11:36:58.0484 5832 COMSysApp - ok
11:36:58.0718 5832 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
11:36:58.0796 5832 Cpqarray - ok
11:36:59.0031 5832 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
11:36:59.0125 5832 CryptSvc - ok
11:36:59.0453 5832 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
11:36:59.0578 5832 dac2w2k - ok
11:36:59.0843 5832 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
11:36:59.0937 5832 dac960nt - ok
11:37:00.0296 5832 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
11:37:00.0500 5832 DcomLaunch - ok
11:37:00.0796 5832 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
11:37:00.0906 5832 Dhcp - ok
11:37:01.0140 5832 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
11:37:01.0203 5832 Disk - ok
11:37:01.0406 5832 dmadmin - ok
11:37:01.0812 5832 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
11:37:02.0265 5832 dmboot - ok
11:37:02.0562 5832 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
11:37:02.0656 5832 dmio - ok
11:37:02.0921 5832 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:37:03.0000 5832 dmload - ok
11:37:03.0265 5832 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
11:37:03.0343 5832 dmserver - ok
11:37:03.0625 5832 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
11:37:03.0687 5832 DMusic - ok
11:37:03.0937 5832 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
11:37:04.0031 5832 Dnscache - ok
11:37:04.0312 5832 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
11:37:04.0421 5832 Dot3svc - ok
11:37:04.0671 5832 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
11:37:04.0765 5832 dpti2o - ok
11:37:05.0031 5832 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
11:37:05.0093 5832 drmkaud - ok
11:37:05.0390 5832 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
11:37:05.0484 5832 E100B - ok
11:37:05.0812 5832 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
11:37:05.0875 5832 e1express - ok
11:37:06.0109 5832 EagleNT - ok
11:37:06.0343 5832 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
11:37:06.0437 5832 EapHost - ok
11:37:06.0609 5832 ehRecvr (8301243bde5b6cd316d79c0191d50d9a) C:\WINDOWS\eHome\ehRecvr.exe
11:37:06.0734 5832 ehRecvr - ok
11:37:06.0906 5832 ehSched (a53243709439ac2a4c216b817f8d7411) C:\WINDOWS\eHome\ehSched.exe
11:37:06.0953 5832 ehSched - ok
11:37:07.0203 5832 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
11:37:07.0296 5832 ERSvc - ok
11:37:07.0593 5832 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
11:37:07.0640 5832 Eventlog - ok
11:37:07.0953 5832 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\System32\es.dll
11:37:08.0062 5832 EventSystem - ok
11:37:08.0375 5832 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
11:37:08.0484 5832 Fastfat - ok
11:37:08.0750 5832 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
11:37:08.0812 5832 FastUserSwitchingCompatibility - ok
11:37:09.0078 5832 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
11:37:09.0156 5832 Fdc - ok
11:37:09.0453 5832 FilterService (1edc0df2da14e04504dd3bac21aa32cd) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
11:37:09.0453 5832 FilterService - ok
11:37:09.0687 5832 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
11:37:09.0765 5832 Fips - ok
11:37:10.0109 5832 FLEXnet Licensing Service (8669be94f63944e4f899c3950b520241) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
11:37:10.0578 5832 FLEXnet Licensing Service - ok
11:37:10.0906 5832 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
11:37:10.0984 5832 Flpydisk - ok
11:37:11.0234 5832 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
11:37:11.0328 5832 FltMgr - ok
11:37:11.0500 5832 FontCache3.0.0.0 (993883524aa9cf1c90e1545411a9ac9c) C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
11:37:11.0562 5832 FontCache3.0.0.0 - ok
11:37:11.0828 5832 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:37:11.0906 5832 Fs_Rec - ok
11:37:12.0187 5832 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:37:12.0296 5832 Ftdisk - ok
11:37:12.0562 5832 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:37:12.0640 5832 Gpc - ok
11:37:12.0796 5832 gupdate (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
11:37:12.0828 5832 gupdate - ok
11:37:12.0875 5832 gupdatem (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
11:37:12.0875 5832 gupdatem - ok
11:37:12.0968 5832 gusvc (cc839e8d766cc31a7710c9f38cf3e375) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
11:37:13.0031 5832 gusvc - ok
11:37:13.0328 5832 hamachi (7929a161f9951d173ca9900fe7067391) C:\WINDOWS\system32\DRIVERS\hamachi.sys
11:37:13.0328 5832 hamachi - ok
11:37:13.0609 5832 hcwPP2 (d169892e959aa82d38e09c9f7517dbf7) C:\WINDOWS\system32\DRIVERS\hcwPP2.sys
11:37:13.0671 5832 hcwPP2 - ok
11:37:13.0953 5832 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
11:37:14.0046 5832 HDAudBus - ok
11:37:14.0234 5832 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
11:37:14.0328 5832 helpsvc - ok
11:37:14.0593 5832 HidIr (bb1a6fb7d35a91e599973fa74a619056) C:\WINDOWS\system32\DRIVERS\hidir.sys
11:37:14.0671 5832 HidIr - ok
11:37:14.0921 5832 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
11:37:15.0000 5832 HidServ - ok
11:37:15.0265 5832 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:37:15.0343 5832 HidUsb - ok
11:37:15.0578 5832 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
11:37:15.0687 5832 hkmsvc - ok
11:37:15.0968 5832 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
11:37:16.0046 5832 hpn - ok
11:37:16.0265 5832 hpt3xx - ok
11:37:16.0546 5832 HSFHWBS2 (c02dc9d4358e43d088f2061c2b2bf30e) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
11:37:16.0671 5832 HSFHWBS2 - ok
11:37:17.0187 5832 HSF_DPV (cbf6831420a97e8fbb91e5f52b707ef7) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
11:37:17.0687 5832 HSF_DPV - ok
11:37:18.0000 5832 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
11:37:18.0109 5832 HTTP - ok
11:37:18.0359 5832 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
11:37:18.0437 5832 HTTPFilter - ok
11:37:18.0546 5832 HWiNFO32 (cb457aa4b4f012672058e55096b7a3d9) C:\Documents and Settings\Finn\Desktop\hw32_236\HWiNFO32.SYS
11:37:18.0546 5832 HWiNFO32 - ok
11:37:18.0843 5832 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
11:37:18.0906 5832 i2omgmt - ok
11:37:19.0140 5832 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
11:37:19.0218 5832 i2omp - ok
11:37:19.0562 5832 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:37:19.0640 5832 i8042prt - ok
11:37:21.0250 5832 ialm (12c7f8d581c4a9f126f5f8f5683a1c29) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
11:37:24.0046 5832 ialm - ok
11:37:24.0171 5832 IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
11:37:24.0218 5832 IDriverT ( UnsignedFile.Multi.Generic ) - warning
11:37:24.0218 5832 IDriverT - detected UnsignedFile.Multi.Generic (1)
11:37:24.0718 5832 idsvc (e7cc3aeaed9893a88876744cd439f76c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
11:37:25.0125 5832 idsvc ( UnsignedFile.Multi.Generic ) - warning
11:37:25.0125 5832 idsvc - detected UnsignedFile.Multi.Generic (1)
11:37:25.0421 5832 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:37:25.0500 5832 Imapi - ok
11:37:25.0750 5832 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
11:37:25.0843 5832 ImapiService - ok
11:37:26.0140 5832 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
11:37:26.0218 5832 ini910u - ok
11:37:27.0546 5832 IntcAzAudAddService (9f6320e7b0c43e4e5693e1515ba5595c) C:\WINDOWS\system32\drivers\RtkHDAud.sys
11:37:29.0765 5832 IntcAzAudAddService - ok
11:37:30.0062 5832 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
11:37:30.0140 5832 IntelIde - ok
11:37:30.0375 5832 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:37:30.0437 5832 intelppm - ok
11:37:30.0687 5832 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
11:37:30.0765 5832 Ip6Fw - ok
11:37:31.0046 5832 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:37:31.0125 5832 IpFilterDriver - ok
11:37:31.0390 5832 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:37:31.0468 5832 IpInIp - ok
11:37:31.0734 5832 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:37:31.0843 5832 IpNat - ok
11:37:32.0109 5832 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:37:32.0203 5832 IPSec - ok
11:37:32.0453 5832 IrBus (b43b36b382aea10861f7c7a37f9d4ae2) C:\WINDOWS\system32\DRIVERS\IrBus.sys
11:37:32.0531 5832 IrBus - ok
11:37:32.0781 5832 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:37:32.0859 5832 IRENUM - ok
11:37:33.0140 5832 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:37:33.0218 5832 isapnp - ok
11:37:33.0359 5832 JavaQuickStarterService - ok
11:37:33.0625 5832 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:37:33.0703 5832 Kbdclass - ok
11:37:33.0953 5832 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
11:37:34.0000 5832 kbdhid - ok
11:37:34.0281 5832 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
11:37:34.0406 5832 kmixer - ok
11:37:34.0718 5832 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
11:37:34.0812 5832 KSecDD - ok
11:37:35.0078 5832 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
11:37:35.0156 5832 lanmanserver - ok
11:37:35.0437 5832 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
11:37:35.0500 5832 lanmanworkstation - ok
11:37:35.0703 5832 lbrtfdc - ok
11:37:35.0921 5832 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
11:37:36.0000 5832 LmHosts - ok
11:37:36.0281 5832 LVPr2Mon (f96cfb47903854f228baaf3e2d41a0a3) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
11:37:36.0281 5832 LVPr2Mon - ok
11:37:36.0437 5832 LVPrcSrv (ff23862146a682fcc3dbaa002e22f958) C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
11:37:36.0453 5832 LVPrcSrv - ok
11:37:36.0906 5832 LVRS (e22fd7852e74f04cceb6b8a684a51f3e) C:\WINDOWS\system32\DRIVERS\lvrs.sys
11:37:37.0234 5832 LVRS - ok
11:37:37.0500 5832 LVUSBSta (5f987fc1aad215ec2c60cf07719b1cce) C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys
11:37:37.0500 5832 LVUSBSta - ok
11:37:39.0375 5832 LVUVC (e89df2b88ee659954de79827ddf46dc9) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
11:37:42.0484 5832 LVUVC - ok
11:37:42.0625 5832 McrdSvc (df0a511f38f16016bf658fca0090cb87) C:\WINDOWS\ehome\mcrdsvc.exe
11:37:42.0687 5832 McrdSvc - ok
11:37:42.0968 5832 mdmxsdk (195741aee20369980796b557358cd774) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
11:37:43.0046 5832 mdmxsdk - ok
11:37:43.0312 5832 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
11:37:43.0390 5832 Messenger - ok
11:37:43.0671 5832 MHN (b7521f69c0a9b29d356157229376fb21) C:\WINDOWS\System32\mhn.dll
11:37:43.0718 5832 MHN ( UnsignedFile.Multi.Generic ) - warning
11:37:43.0718 5832 MHN - detected UnsignedFile.Multi.Generic (1)
11:37:43.0968 5832 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
11:37:43.0984 5832 MHNDRV ( UnsignedFile.Multi.Generic ) - warning
11:37:43.0984 5832 MHNDRV - detected UnsignedFile.Multi.Generic (1)
11:37:44.0250 5832 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:37:44.0328 5832 mnmdd - ok
11:37:44.0562 5832 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\System32\mnmsrvc.exe
11:37:44.0640 5832 mnmsrvc - ok
11:37:44.0968 5832 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
11:37:45.0062 5832 Modem - ok
11:37:45.0328 5832 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:37:45.0406 5832 Mouclass - ok
11:37:45.0656 5832 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:37:45.0750 5832 mouhid - ok
11:37:46.0046 5832 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
11:37:46.0140 5832 MountMgr - ok
11:37:46.0265 5832 mple7docserver (c049ef30ace3e2beebc41e37fe4bb2a1) C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
11:37:46.0296 5832 mple7docserver ( UnsignedFile.Multi.Generic ) - warning
11:37:46.0296 5832 mple7docserver - detected UnsignedFile.Multi.Generic (1)
11:37:46.0578 5832 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
11:37:46.0656 5832 mraid35x - ok
11:37:46.0765 5832 MRENDIS5 (594b9d8194e3f4ecbf0325bd10bbeb05) C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
11:37:46.0796 5832 MRENDIS5 ( UnsignedFile.Multi.Generic ) - warning
11:37:46.0796 5832 MRENDIS5 - detected UnsignedFile.Multi.Generic (1)
11:37:47.0125 5832 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:37:47.0234 5832 MRxDAV - ok
11:37:47.0609 5832 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:37:47.0812 5832 MRxSmb - ok
11:37:48.0062 5832 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\System32\msdtc.exe
11:37:48.0140 5832 MSDTC - ok
11:37:48.0421 5832 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
11:37:48.0484 5832 Msfs - ok
11:37:48.0687 5832 MSIServer - ok
11:37:48.0906 5832 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:37:48.0968 5832 MSKSSRV - ok
11:37:49.0171 5832 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:37:49.0234 5832 MSPCLOCK - ok
11:37:49.0484 5832 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
11:37:49.0562 5832 MSPQM - ok
11:37:49.0828 5832 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:37:49.0890 5832 mssmbios - ok
11:37:50.0000 5832 MSSQL$SQLEXPRESS - ok
11:37:50.0046 5832 MSSQLServerADHelper (adaf062116b4e6d96e44d26486a87af6) c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe
11:37:50.0062 5832 MSSQLServerADHelper - ok
11:37:50.0359 5832 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
11:37:50.0437 5832 MSTEE - ok
11:37:51.0281 5832 msvsmon80 (73fa09b84b23a1897809a84f976d5d99) C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe
11:37:52.0703 5832 msvsmon80 - ok
11:37:53.0000 5832 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
11:37:53.0062 5832 Mup - ok
11:37:53.0359 5832 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
11:37:53.0437 5832 NABTSFEC - ok
11:37:53.0703 5832 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
11:37:53.0843 5832 napagent - ok
11:37:54.0125 5832 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
11:37:54.0265 5832 NDIS - ok
11:37:54.0640 5832 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
11:37:54.0718 5832 NdisIP - ok
11:37:55.0000 5832 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:37:55.0046 5832 NdisTapi - ok
11:37:55.0296 5832 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:37:55.0375 5832 Ndisuio - ok
11:37:55.0671 5832 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:37:55.0750 5832 NdisWan - ok
11:37:56.0062 5832 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
11:37:56.0109 5832 NDProxy - ok
11:37:56.0375 5832 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:37:56.0453 5832 NetBIOS - ok
11:37:56.0718 5832 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:37:56.0828 5832 NetBT - ok
11:37:57.0109 5832 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
11:37:57.0218 5832 NetDDE - ok
11:37:57.0250 5832 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
11:37:57.0312 5832 NetDDEdsdm - ok
11:37:57.0578 5832 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:37:57.0656 5832 Netlogon - ok
11:37:57.0937 5832 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
11:37:58.0078 5832 Netman - ok
11:37:58.0312 5832 NetTcpPortSharing (f9102685f97f9ba85f4a70afcf722cfe) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
11:37:58.0359 5832 NetTcpPortSharing ( UnsignedFile.Multi.Generic ) - warning
11:37:58.0359 5832 NetTcpPortSharing - detected UnsignedFile.Multi.Generic (1)
11:37:58.0687 5832 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
11:37:58.0765 5832 NIC1394 - ok
11:37:59.0062 5832 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
11:37:59.0109 5832 Nla - ok
11:37:59.0359 5832 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
11:37:59.0421 5832 nm - ok
11:37:59.0703 5832 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
11:37:59.0765 5832 Npfs - ok
11:38:00.0328 5832 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
11:38:00.0609 5832 Ntfs - ok
11:38:00.0875 5832 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
11:38:00.0937 5832 NtLmSsp - ok
11:38:01.0281 5832 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
11:38:01.0531 5832 NtmsSvc - ok
11:38:01.0781 5832 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:38:01.0843 5832 Null - ok
11:38:03.0890 5832 nv (4f15e1e56703f59c0ac00022162e5308) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
11:38:07.0859 5832 nv - ok
11:38:08.0187 5832 nvsvc (383aa018830eb16965181c39cb0f3b73) C:\WINDOWS\system32\nvsvc32.exe
11:38:08.0218 5832 nvsvc ( UnsignedFile.Multi.Generic ) - warning
11:38:08.0218 5832 nvsvc - detected UnsignedFile.Multi.Generic (1)
11:38:08.0484 5832 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:38:08.0578 5832 NwlnkFlt - ok
11:38:08.0812 5832 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:38:08.0890 5832 NwlnkFwd - ok
11:38:09.0140 5832 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
11:38:09.0218 5832 ohci1394 - ok
11:38:09.0515 5832 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
11:38:09.0578 5832 Parport - ok
11:38:09.0875 5832 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
11:38:09.0968 5832 PartMgr - ok
11:38:10.0218 5832 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:38:10.0281 5832 ParVdm - ok
11:38:10.0546 5832 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
11:38:10.0625 5832 PCI - ok
11:38:10.0859 5832 PCIDump - ok
11:38:11.0078 5832 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:38:11.0156 5832 PCIIde - ok
11:38:11.0484 5832 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
11:38:11.0578 5832 Pcmcia - ok
11:38:11.0796 5832 PDCOMP - ok
11:38:12.0015 5832 PDFRAME - ok
11:38:12.0203 5832 PDRELI - ok
11:38:12.0437 5832 PDRFRAME - ok
11:38:12.0687 5832 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
11:38:12.0765 5832 perc2 - ok
11:38:13.0000 5832 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
11:38:13.0062 5832 perc2hib - ok
11:38:13.0328 5832 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
11:38:13.0328 5832 PlugPlay - ok
11:38:13.0531 5832 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:38:13.0593 5832 PolicyAgent - ok
11:38:13.0859 5832 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:38:13.0921 5832 PptpMiniport - ok
11:38:14.0062 5832 PrismXL (33d7285f12d934268a34206dfc4ad1b3) C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
11:38:14.0109 5832 PrismXL ( UnsignedFile.Multi.Generic ) - warning
11:38:14.0109 5832 PrismXL - detected UnsignedFile.Multi.Generic (1)
11:38:14.0421 5832 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
11:38:14.0500 5832 Processor - ok
11:38:14.0750 5832 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:38:14.0812 5832 ProtectedStorage - ok
11:38:15.0093 5832 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
11:38:15.0203 5832 PSched - ok
11:38:15.0468 5832 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:38:15.0546 5832 Ptilink - ok
11:38:15.0812 5832 PxHelp20 (617accada2e0a0f43ec6030bbac49513) C:\WINDOWS\system32\Drivers\PxHelp20.sys
11:38:15.0843 5832 PxHelp20 - ok
11:38:16.0109 5832 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
11:38:16.0187 5832 ql1080 - ok
11:38:16.0468 5832 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
11:38:16.0531 5832 Ql10wnt - ok
11:38:16.0781 5832 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
11:38:16.0859 5832 ql12160 - ok
11:38:17.0125 5832 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
11:38:17.0203 5832 ql1240 - ok
11:38:17.0468 5832 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
11:38:17.0546 5832 ql1280 - ok
11:38:17.0734 5832 RapportCerberus_34302 (6b6f0a77365667912360ff1d5e984f25) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys
11:38:17.0796 5832 RapportCerberus_34302 - ok
11:38:17.0906 5832 RapportEI (34992b59780a8a227a9eb54c97dc4608) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
11:38:17.0937 5832 RapportEI - ok
11:38:18.0046 5832 RapportIaso (dd3e4610de9252a957c5bd19bdf47ac4) c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys
11:38:18.0062 5832 RapportIaso - ok
11:38:18.0421 5832 RapportKELL (a231b5552148ade82ed3dfba25919b75) C:\WINDOWS\system32\Drivers\RapportKELL.sys
11:38:18.0421 5832 RapportKELL - ok
11:38:18.0734 5832 RapportMgmtService (5bd5895f002438f4e1c50c09bf6f1ce2) C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
11:38:18.0968 5832 RapportMgmtService - ok
11:38:19.0078 5832 RapportPG (060f8e34707d68178a564935ce4546eb) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
11:38:19.0125 5832 RapportPG - ok
11:38:19.0406 5832 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:38:19.0468 5832 RasAcd - ok
11:38:19.0703 5832 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
11:38:19.0812 5832 RasAuto - ok
11:38:20.0109 5832 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:38:20.0187 5832 Rasl2tp - ok
11:38:20.0468 5832 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
11:38:20.0593 5832 RasMan - ok
11:38:20.0875 5832 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:38:20.0953 5832 RasPppoe - ok
11:38:21.0218 5832 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:38:21.0296 5832 Raspti - ok
11:38:21.0593 5832 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:38:21.0703 5832 Rdbss - ok
11:38:21.0968 5832 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:38:22.0031 5832 RDPCDD - ok
11:38:22.0343 5832 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:38:22.0468 5832 rdpdr - ok
11:38:22.0765 5832 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
11:38:22.0859 5832 RDPWD - ok
11:38:23.0156 5832 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
11:38:23.0265 5832 RDSessMgr - ok
11:38:23.0531 5832 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:38:23.0640 5832 redbook - ok
11:38:23.0875 5832 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
11:38:23.0968 5832 RemoteAccess - ok
11:38:24.0218 5832 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
11:38:24.0312 5832 RemoteRegistry - ok
11:38:24.0437 5832 RivaTuner32 (c0c8909be3ecc9df8089112bf9be954e) C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys
11:38:24.0468 5832 RivaTuner32 ( UnsignedFile.Multi.Generic ) - warning
11:38:24.0468 5832 RivaTuner32 - detected UnsignedFile.Multi.Generic (1)
11:38:24.0906 5832 RosettaStoneDaemon (7f7ca7deeb68e68fd67870e9a5ec33e2) C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
11:38:25.0656 5832 RosettaStoneDaemon - ok
11:38:25.0968 5832 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\System32\locator.exe
11:38:26.0046 5832 RpcLocator - ok
11:38:26.0375 5832 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
11:38:26.0453 5832 RpcSs - ok
11:38:26.0734 5832 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\System32\rsvp.exe
11:38:26.0828 5832 RSVP - ok
11:38:27.0109 5832 RT25USBAP (05691b0b52575c057e5ac35242e5d231) C:\WINDOWS\system32\DRIVERS\rt25usbap.sys
11:38:27.0125 5832 RT25USBAP ( UnsignedFile.Multi.Generic ) - warning
11:38:27.0125 5832 RT25USBAP - detected UnsignedFile.Multi.Generic (1)
11:38:27.0375 5832 RTL8023xp (e9877aa069dc11b03dbd1d33b8b2a3ca) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
11:38:27.0421 5832 RTL8023xp - ok
11:38:27.0687 5832 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:38:27.0750 5832 SamSs - ok
11:38:28.0000 5832 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
11:38:28.0109 5832 SCardSvr - ok
11:38:28.0437 5832 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
11:38:28.0578 5832 Schedule - ok
11:38:28.0843 5832 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:38:28.0921 5832 Secdrv - ok
11:38:29.0171 5832 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
11:38:29.0265 5832 seclogon - ok
11:38:29.0453 5832 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
11:38:29.0531 5832 SENS - ok
11:38:29.0796 5832 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
11:38:29.0875 5832 serenum - ok
11:38:30.0156 5832 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
11:38:30.0234 5832 Serial - ok
11:38:30.0515 5832 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
11:38:30.0593 5832 Sfloppy - ok
11:38:30.0906 5832 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
11:38:31.0125 5832 SharedAccess - ok
11:38:31.0421 5832 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
11:38:31.0453 5832 ShellHWDetection - ok
11:38:31.0750 5832 Simbad - ok
11:38:32.0000 5832 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
11:38:32.0062 5832 sisagp - ok
11:38:32.0296 5832 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
11:38:32.0375 5832 SLIP - ok
11:38:32.0656 5832 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
11:38:32.0718 5832 Sparrow - ok
11:38:32.0984 5832 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:38:33.0062 5832 splitter - ok
11:38:33.0328 5832 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
11:38:33.0390 5832 Spooler - ok
11:38:33.0796 5832 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
11:38:33.0796 5832 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
11:38:33.0796 5832 sptd ( LockedFile.Multi.Generic ) - warning
11:38:33.0796 5832 sptd - detected LockedFile.Multi.Generic (1)
11:38:33.0953 5832 SQLBrowser (3612108d36ea74f6f9fc5005e88e353b) c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
11:38:34.0015 5832 SQLBrowser - ok
11:38:34.0046 5832 SQLWriter (d37b8ce340b71d9e0ab2440addb2fdbf) c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
11:38:34.0078 5832 SQLWriter - ok
11:38:34.0375 5832 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
11:38:34.0453 5832 sr - ok
11:38:34.0734 5832 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
11:38:34.0828 5832 srservice - ok
11:38:59.0421 5832 ============================================================
11:38:59.0421 5832 Scan finished
11:38:59.0421 5832 ============================================================
11:38:59.0437 5824 Detected object count: 16
11:38:59.0437 5824 Actual detected object count: 16
11:39:42.0609 5824 Apache ( UnsignedFile.Multi.Generic ) - skipped by user
11:39:42.0609 5824 Apache ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:39:42.0609 5824 IDriverT ( UnsignedFile.Multi.Generic ) - skipped by user
11:39:42.0609 5824 IDriverT ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:39:42.0609 5824 idsvc ( UnsignedFile.Multi.Generic ) - skipped by user
11:39:42.0609 5824 idsvc ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:39:42.0609 5824 MHN ( UnsignedFile.Multi.Generic ) - skipped by user
11:39:42.0609 5824 MHN ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:39:42.0609 5824 MHNDRV ( UnsignedFile.Multi.Generic ) - skipped by user
11:39:42.0609 5824 MHNDRV ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:39:42.0609 5824 mple7docserver ( UnsignedFile.Multi.Generic ) - skipped by user
11:39:42.0609 5824 mple7docserver ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:39:42.0609 5824 MRENDIS5 ( UnsignedFile.Multi.Generic ) - skipped by user
11:39:42.0609 5824 MRENDIS5 ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:39:42.0609 5824 NetTcpPortSharing ( UnsignedFile.Multi.Generic ) - skipped by user
11:39:42.0609 5824 NetTcpPortSharing ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:39:42.0609 5824 nvsvc ( UnsignedFile.Multi.Generic ) - skipped by user
11:39:42.0609 5824 nvsvc ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:39:42.0609 5824 PrismXL ( UnsignedFile.Multi.Generic ) - skipped by user
11:39:42.0609 5824 PrismXL ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:39:42.0609 5824 RivaTuner32 ( UnsignedFile.Multi.Generic ) - skipped by user
11:39:42.0609 5824 RivaTuner32 ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:39:42.0609 5824 RT25USBAP ( UnsignedFile.Multi.Generic ) - skipped by user
11:39:42.0609 5824 RT25USBAP ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:39:42.0625 5824 sptd ( LockedFile.Multi.Generic ) - skipped by user
11:39:42.0625 5824 sptd ( LockedFile.Multi.Generic ) - User select action: Skip 
11:39:42.0625 5824 StarWindService ( UnsignedFile.Multi.Generic ) - skipped by user
11:39:42.0625 5824 StarWindService ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:39:42.0625 5824 SunkFilt ( UnsignedFile.Multi.Generic ) - skipped by user
11:39:42.0625 5824 SunkFilt ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:39:42.0625 5824 YPCService ( UnsignedFile.Multi.Generic ) - skipped by user
11:39:42.0625 5824 YPCService ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:42:22.0140 0708 ============================================================
11:42:22.0140 0708 Scan started
11:42:22.0140 0708 Mode: Manual; SigCheck; TDLFS; 
11:42:22.0140 0708 ============================================================
11:43:32.0062 0708 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
11:43:32.0125 0708 Netman - ok
11:43:32.0375 0708 NetTcpPortSharing (f9102685f97f9ba85f4a70afcf722cfe) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
11:43:32.0406 0708 NetTcpPortSharing ( UnsignedFile.Multi.Generic ) - warning
11:43:32.0406 0708 NetTcpPortSharing - detected UnsignedFile.Multi.Generic (1)
11:43:32.0718 0708 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
11:43:32.0812 0708 NIC1394 - ok
11:43:33.0125 0708 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
11:43:33.0171 0708 Nla - ok
11:43:33.0453 0708 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
11:43:33.0531 0708 nm - ok
11:43:33.0765 0708 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
11:43:33.0828 0708 Npfs - ok
11:43:34.0218 0708 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
11:43:34.0359 0708 Ntfs - ok
11:43:34.0656 0708 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
11:43:34.0718 0708 NtLmSsp - ok
11:43:35.0031 0708 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
11:43:35.0171 0708 NtmsSvc - ok
11:43:35.0468 0708 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:43:35.0531 0708 Null - ok
11:43:37.0578 0708 nv (4f15e1e56703f59c0ac00022162e5308) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
11:43:39.0468 0708 nv - ok
11:43:39.0781 0708 nvsvc (383aa018830eb16965181c39cb0f3b73) C:\WINDOWS\system32\nvsvc32.exe
11:43:39.0812 0708 nvsvc ( UnsignedFile.Multi.Generic ) - warning
11:43:39.0812 0708 nvsvc - detected UnsignedFile.Multi.Generic (1)
11:43:40.0078 0708 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:43:40.0156 0708 NwlnkFlt - ok
11:43:40.0437 0708 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:43:40.0531 0708 NwlnkFwd - ok
11:43:40.0812 0708 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
11:43:40.0921 0708 ohci1394 - ok
11:43:41.0171 0708 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
11:43:41.0234 0708 Parport - ok
11:43:41.0453 0708 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
11:43:41.0515 0708 PartMgr - ok
11:43:41.0765 0708 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:43:41.0843 0708 ParVdm - ok
11:43:42.0125 0708 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
11:43:42.0203 0708 PCI - ok
11:43:42.0453 0708 PCIDump - ok
11:43:42.0687 0708 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:43:42.0765 0708 PCIIde - ok
11:43:43.0046 0708 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
11:43:43.0140 0708 Pcmcia - ok
11:43:43.0406 0708 PDCOMP - ok
11:43:43.0609 0708 PDFRAME - ok
11:43:43.0812 0708 PDRELI - ok
11:43:44.0015 0708 PDRFRAME - ok
11:43:44.0265 0708 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
11:43:44.0343 0708 perc2 - ok
11:43:44.0593 0708 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
11:43:44.0671 0708 perc2hib - ok
11:43:44.0968 0708 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
11:43:44.0968 0708 PlugPlay - ok
11:43:45.0171 0708 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:43:45.0234 0708 PolicyAgent - ok
11:43:45.0515 0708 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:43:45.0578 0708 PptpMiniport - ok
11:43:45.0718 0708 PrismXL (33d7285f12d934268a34206dfc4ad1b3) C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
11:43:45.0734 0708 PrismXL ( UnsignedFile.Multi.Generic ) - warning
11:43:45.0734 0708 PrismXL - detected UnsignedFile.Multi.Generic (1)
11:43:46.0062 0708 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
11:43:46.0125 0708 Processor - ok
11:43:46.0343 0708 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:43:46.0406 0708 ProtectedStorage - ok
11:43:46.0671 0708 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
11:43:46.0750 0708 PSched - ok
11:43:47.0000 0708 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:43:47.0078 0708 Ptilink - ok
11:43:47.0359 0708 PxHelp20 (617accada2e0a0f43ec6030bbac49513) C:\WINDOWS\system32\Drivers\PxHelp20.sys
11:43:47.0390 0708 PxHelp20 - ok
11:43:47.0640 0708 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
11:43:47.0703 0708 ql1080 - ok
11:43:48.0015 0708 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
11:43:48.0093 0708 Ql10wnt - ok
11:43:48.0343 0708 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
11:43:48.0421 0708 ql12160 - ok
11:43:48.0687 0708 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
11:43:48.0765 0708 ql1240 - ok
11:43:49.0046 0708 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
11:43:49.0109 0708 ql1280 - ok
11:43:49.0312 0708 RapportCerberus_34302 (6b6f0a77365667912360ff1d5e984f25) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys
11:43:49.0312 0708 RapportCerberus_34302 - ok
11:43:49.0437 0708 RapportEI (34992b59780a8a227a9eb54c97dc4608) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
11:43:49.0437 0708 RapportEI - ok
11:43:49.0562 0708 RapportIaso (dd3e4610de9252a957c5bd19bdf47ac4) c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys
11:43:49.0562 0708 RapportIaso - ok
11:43:49.0859 0708 RapportKELL (a231b5552148ade82ed3dfba25919b75) C:\WINDOWS\system32\Drivers\RapportKELL.sys
11:43:49.0875 0708 RapportKELL - ok
11:43:50.0187 0708 RapportMgmtService (5bd5895f002438f4e1c50c09bf6f1ce2) C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
11:43:50.0375 0708 RapportMgmtService - ok
11:43:50.0468 0708 RapportPG (060f8e34707d68178a564935ce4546eb) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
11:43:50.0468 0708 RapportPG - ok
11:43:50.0781 0708 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:43:50.0843 0708 RasAcd - ok
11:43:51.0109 0708 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
11:43:51.0187 0708 RasAuto - ok
11:43:51.0484 0708 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:43:51.0562 0708 Rasl2tp - ok
11:43:51.0828 0708 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
11:43:51.0890 0708 RasMan - ok
11:43:52.0156 0708 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:43:52.0234 0708 RasPppoe - ok
11:43:52.0500 0708 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:43:52.0593 0708 Raspti - ok
11:43:52.0875 0708 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:43:52.0968 0708 Rdbss - ok
11:43:53.0234 0708 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:43:53.0312 0708 RDPCDD - ok
11:43:53.0609 0708 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:43:53.0671 0708 rdpdr - ok
11:43:53.0953 0708 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
11:43:53.0953 0708 RDPWD - ok
11:43:54.0234 0708 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
11:43:54.0328 0708 RDSessMgr - ok
11:43:54.0593 0708 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:43:54.0687 0708 redbook - ok
11:43:54.0937 0708 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
11:43:55.0015 0708 RemoteAccess - ok
11:43:55.0296 0708 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
11:43:55.0375 0708 RemoteRegistry - ok
11:43:55.0484 0708 RivaTuner32 (c0c8909be3ecc9df8089112bf9be954e) C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys
11:43:55.0500 0708 RivaTuner32 ( UnsignedFile.Multi.Generic ) - warning
11:43:55.0500 0708 RivaTuner32 - detected UnsignedFile.Multi.Generic (1)
11:43:55.0921 0708 RosettaStoneDaemon (7f7ca7deeb68e68fd67870e9a5ec33e2) C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
11:43:56.0250 0708 RosettaStoneDaemon - ok
11:43:56.0546 0708 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\System32\locator.exe
11:43:56.0609 0708 RpcLocator - ok
11:43:56.0906 0708 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
11:43:56.0984 0708 RpcSs - ok
11:43:57.0218 0708 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\System32\rsvp.exe
11:43:57.0296 0708 RSVP - ok
11:43:57.0578 0708 RT25USBAP (05691b0b52575c057e5ac35242e5d231) C:\WINDOWS\system32\DRIVERS\rt25usbap.sys
11:43:57.0578 0708 RT25USBAP ( UnsignedFile.Multi.Generic ) - warning
11:43:57.0578 0708 RT25USBAP - detected UnsignedFile.Multi.Generic (1)
11:43:57.0828 0708 RTL8023xp (e9877aa069dc11b03dbd1d33b8b2a3ca) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
11:43:57.0843 0708 RTL8023xp - ok
11:43:58.0093 0708 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:43:58.0156 0708 SamSs - ok
11:43:58.0437 0708 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
11:43:58.0531 0708 SCardSvr - ok
11:43:58.0812 0708 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
11:43:58.0890 0708 Schedule - ok
11:43:59.0140 0708 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:43:59.0218 0708 Secdrv - ok
11:43:59.0484 0708 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
11:43:59.0562 0708 seclogon - ok
11:43:59.0765 0708 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
11:43:59.0828 0708 SENS - ok
11:44:00.0062 0708 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
11:44:00.0140 0708 serenum - ok
11:44:00.0421 0708 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
11:44:00.0500 0708 Serial - ok
11:44:00.0750 0708 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
11:44:00.0828 0708 Sfloppy - ok
11:44:01.0140 0708 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
11:44:01.0281 0708 SharedAccess - ok
11:44:01.0546 0708 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
11:44:01.0562 0708 ShellHWDetection - ok
11:44:01.0781 0708 Simbad - ok
11:44:02.0046 0708 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
11:44:02.0109 0708 sisagp - ok
11:44:02.0359 0708 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
11:44:02.0406 0708 SLIP - ok
11:44:02.0671 0708 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
11:44:02.0718 0708 Sparrow - ok
11:44:02.0968 0708 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:44:03.0046 0708 splitter - ok
11:44:03.0312 0708 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
11:44:03.0328 0708 Spooler - ok
11:44:03.0750 0708 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
11:44:03.0750 0708 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
11:44:03.0750 0708 sptd ( LockedFile.Multi.Generic ) - warning
11:44:03.0750 0708 sptd - detected LockedFile.Multi.Generic (1)
11:44:03.0906 0708 SQLBrowser (3612108d36ea74f6f9fc5005e88e353b) c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
11:44:03.0921 0708 SQLBrowser - ok
11:44:03.0968 0708 SQLWriter (d37b8ce340b71d9e0ab2440addb2fdbf) c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
11:44:03.0968 0708 SQLWriter - ok
11:44:04.0281 0708 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
11:44:04.0375 0708 sr - ok
11:44:04.0671 0708 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
11:44:04.0734 0708 srservice - ok
11:44:05.0062 0708 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
11:44:05.0125 0708 Srv - ok
11:44:05.0359 0708 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
11:44:05.0421 0708 SSDPSRV - ok
11:44:05.0546 0708 StarWindService (ab2b9349ada4ac5ec74b622b8303fe23) C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
11:44:05.0578 0708 StarWindService ( UnsignedFile.Multi.Generic ) - warning
11:44:05.0578 0708 StarWindService - detected UnsignedFile.Multi.Generic (1)
11:44:05.0921 0708 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
11:44:06.0062 0708 stisvc - ok
11:44:06.0359 0708 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
11:44:06.0453 0708 streamip - ok
11:44:06.0703 0708 SunkFilt (86ca1a5c15a5a98d5533945fb1120b05) C:\WINDOWS\System32\Drivers\sunkfilt.sys
11:44:06.0718 0708 SunkFilt ( UnsignedFile.Multi.Generic ) - warning
11:44:06.0718 0708 SunkFilt - detected UnsignedFile.Multi.Generic (1)
11:44:06.0937 0708 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:44:07.0015 0708 swenum - ok
11:44:07.0312 0708 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
11:44:07.0375 0708 swmidi - ok
11:44:07.0625 0708 SwPrv - ok
11:44:07.0859 0708 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
11:44:07.0921 0708 symc810 - ok
11:44:08.0171 0708 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
11:44:08.0265 0708 symc8xx - ok
11:44:08.0546 0708 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
11:44:08.0625 0708 sym_hi - ok
11:44:08.0875 0708 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
11:44:08.0937 0708 sym_u3 - ok
11:44:09.0187 0708 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
11:44:09.0281 0708 sysaudio - ok
11:44:09.0546 0708 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
11:44:09.0609 0708 SysmonLog - ok
11:44:09.0875 0708 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
11:44:09.0953 0708 TapiSrv - ok
11:44:10.0296 0708 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:44:10.0359 0708 Tcpip - ok
11:44:10.0625 0708 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:44:10.0718 0708 TDPIPE - ok
11:44:10.0953 0708 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
11:44:11.0015 0708 TDTCP - ok
11:44:11.0296 0708 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:44:11.0375 0708 TermDD - ok
11:44:11.0687 0708 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
11:44:11.0765 0708 TermService - ok
11:44:12.0062 0708 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
11:44:12.0062 0708 Themes - ok
11:44:12.0312 0708 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\System32\tlntsvr.exe
11:44:12.0406 0708 TlntSvr - ok
11:44:12.0671 0708 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
11:44:12.0750 0708 TosIde - ok
11:44:13.0015 0708 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
11:44:13.0093 0708 TrkWks - ok
11:44:13.0406 0708 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
11:44:13.0468 0708 Udfs - ok
11:44:13.0765 0708 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
11:44:13.0812 0708 ultra - ok
11:44:14.0078 0708 UMWdf (9651e5d850b6f6bd7c77c70aa06f02bf) C:\WINDOWS\system32\wdfmgr.exe
11:44:14.0093 0708 UMWdf - ok
11:44:14.0453 0708 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
11:44:14.0593 0708 Update - ok
11:44:14.0859 0708 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
11:44:14.0953 0708 upnphost - ok
11:44:15.0156 0708 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
11:44:15.0234 0708 UPS - ok
11:44:15.0500 0708 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
11:44:15.0562 0708 usbaudio - ok
11:44:15.0828 0708 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:44:15.0906 0708 usbccgp - ok
11:44:16.0203 0708 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:44:16.0281 0708 usbehci - ok
11:44:16.0562 0708 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:44:16.0656 0708 usbhub - ok
11:44:16.0906 0708 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
11:44:16.0984 0708 usbohci - ok
11:44:17.0265 0708 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
11:44:17.0359 0708 usbprint - ok
11:44:17.0593 0708 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:44:17.0671 0708 USBSTOR - ok
11:44:17.0937 0708 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:44:18.0031 0708 usbuhci - ok
11:44:18.0328 0708 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
11:44:18.0406 0708 usbvideo - ok
11:44:18.0671 0708 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
11:44:18.0750 0708 VgaSave - ok
11:44:19.0031 0708 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
11:44:19.0093 0708 viaagp - ok
11:44:19.0375 0708 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
11:44:19.0453 0708 ViaIde - ok
11:44:19.0703 0708 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
11:44:19.0781 0708 VolSnap - ok
11:44:20.0078 0708 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
11:44:20.0156 0708 VSS - ok
11:44:20.0390 0708 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
11:44:20.0500 0708 W32Time - ok
11:44:20.0750 0708 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:44:20.0843 0708 Wanarp - ok
11:44:21.0046 0708 WDICA - ok
11:44:21.0281 0708 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:44:21.0375 0708 wdmaud - ok
11:44:21.0640 0708 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
11:44:21.0718 0708 WebClient - ok
11:44:22.0125 0708 winachsf (59d043485a6eda2ed2685c81489ae5bd) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
11:44:22.0296 0708 winachsf - ok
11:44:22.0593 0708 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
11:44:22.0656 0708 winmgmt - ok
11:44:22.0890 0708 WmdmPmSN (b9715b9c18bc6c8f4b66733d208cc9f7) C:\WINDOWS\System32\mspmsnsv.dll
11:44:22.0921 0708 WmdmPmSN - ok
11:44:23.0296 0708 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
11:44:23.0484 0708 Wmi - ok
11:44:23.0765 0708 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\System32\wbem\wmiapsrv.exe
11:44:23.0875 0708 WmiApSrv - ok
11:44:24.0140 0708 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
11:44:24.0218 0708 WS2IFSL - ok
11:44:24.0484 0708 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
11:44:24.0562 0708 wscsvc - ok
11:44:24.0843 0708 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
11:44:24.0921 0708 WSTCODEC - ok
11:44:25.0171 0708 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
11:44:25.0265 0708 wuauserv - ok
11:44:25.0609 0708 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
11:44:25.0765 0708 WZCSVC - ok
11:44:26.0031 0708 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
11:44:26.0093 0708 xmlprov - ok
11:44:26.0453 0708 xnacc (7a35352bcdff34d0a6e59d8267b3fcb7) C:\WINDOWS\system32\DRIVERS\xnacc.sys
11:44:26.0531 0708 xnacc - ok
11:44:26.0796 0708 YPCService (d46403ef02c003de80b4be8a31549fb4) C:\WINDOWS\system32\YPCSER~1.EXE
11:44:26.0812 0708 YPCService ( UnsignedFile.Multi.Generic ) - warning
11:44:26.0812 0708 YPCService - detected UnsignedFile.Multi.Generic (1)
11:44:26.0843 0708 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
11:44:27.0093 0708 \Device\Harddisk0\DR0 - ok
11:44:27.0109 0708 Boot (0x1200) (61e13328024e6a851af33dbfe2680239) \Device\Harddisk0\DR0\Partition0
11:44:27.0109 0708 \Device\Harddisk0\DR0\Partition0 - ok
11:44:27.0109 0708 ============================================================
11:44:27.0109 0708 Scan finished
11:44:27.0109 0708 ============================================================
11:44:27.0109 2828 Detected object count: 16
11:44:27.0109 2828 Actual detected object count: 16
11:47:57.0187 2828 Apache ( UnsignedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 Apache ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:47:57.0187 2828 IDriverT ( UnsignedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 IDriverT ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:47:57.0187 2828 idsvc ( UnsignedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 idsvc ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:47:57.0187 2828 MHN ( UnsignedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 MHN ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:47:57.0187 2828 MHNDRV ( UnsignedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 MHNDRV ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:47:57.0187 2828 mple7docserver ( UnsignedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 mple7docserver ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:47:57.0187 2828 MRENDIS5 ( UnsignedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 MRENDIS5 ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:47:57.0187 2828 NetTcpPortSharing ( UnsignedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 NetTcpPortSharing ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:47:57.0187 2828 nvsvc ( UnsignedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 nvsvc ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:47:57.0187 2828 PrismXL ( UnsignedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 PrismXL ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:47:57.0187 2828 RivaTuner32 ( UnsignedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 RivaTuner32 ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:47:57.0187 2828 RT25USBAP ( UnsignedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 RT25USBAP ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:47:57.0187 2828 sptd ( LockedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 sptd ( LockedFile.Multi.Generic ) - User select action: Skip 
11:47:57.0187 2828 StarWindService ( UnsignedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 StarWindService ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:47:57.0187 2828 SunkFilt ( UnsignedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 SunkFilt ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:47:57.0187 2828 YPCService ( UnsignedFile.Multi.Generic ) - skipped by user
11:47:57.0187 2828 YPCService ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:49:55.0437 5780 Deinitialize success

===========================================================
*TDSS log 2, safe mode*
===========================================================
11:53:41.0750 1068 TDSS rootkit removing tool 2.7.22.0 Mar 21 2012 17:40:00
11:53:41.0828 1068 ============================================================
11:53:41.0828 1068 Current date / time: 2012/03/26 11:53:41.0828
11:53:41.0828 1068 SystemInfo:
11:53:41.0828 1068 
11:53:41.0828 1068 OS Version: 5.1.2600 ServicePack: 3.0
11:53:41.0828 1068 Product type: Workstation
11:53:41.0828 1068 ComputerName: FINN-GE6QC5
11:53:41.0828 1068 UserName: Administrator
11:53:41.0828 1068 Windows directory: C:\WINDOWS
11:53:41.0828 1068 System windows directory: C:\WINDOWS
11:53:41.0828 1068 Processor architecture: Intel x86
11:53:41.0828 1068 Number of processors: 2
11:53:41.0828 1068 Page size: 0x1000
11:53:41.0828 1068 Boot type: Safe boot
11:53:41.0828 1068 ============================================================
11:53:44.0921 1068 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
11:53:44.0921 1068 \Device\Harddisk0\DR0:
11:53:44.0921 1068 MBR used
11:53:44.0921 1068 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xFFFAC05
11:53:45.0265 1068 Initialize success
11:53:45.0265 1068 ============================================================
11:54:15.0984 1100 ============================================================
11:54:15.0984 1100 Scan started
11:54:15.0984 1100 Mode: Manual; SigCheck; TDLFS; 
11:54:15.0984 1100 ============================================================
11:54:41.0218 1100 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
11:54:41.0296 1100 ClipSrv - ok
11:54:41.0515 1100 clr_optimization_v2.0.50727_32 (234b1bc2796483e1f5c3f26649fb3388) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
11:54:41.0640 1100 clr_optimization_v2.0.50727_32 - ok
11:54:41.0906 1100 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
11:54:41.0984 1100 CmdIde - ok
11:54:42.0171 1100 COMSysApp - ok
11:54:42.0421 1100 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
11:54:42.0500 1100 Cpqarray - ok
11:54:42.0765 1100 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
11:54:42.0843 1100 CryptSvc - ok
11:54:43.0140 1100 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
11:54:43.0250 1100 dac2w2k - ok
11:54:43.0500 1100 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
11:54:43.0578 1100 dac960nt - ok
11:54:43.0921 1100 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
11:54:44.0093 1100 DcomLaunch - ok
11:54:44.0390 1100 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
11:54:44.0484 1100 Dhcp - ok
11:54:44.0781 1100 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
11:54:44.0843 1100 Disk - ok
11:54:45.0046 1100 dmadmin - ok
11:54:45.0484 1100 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
11:54:45.0906 1100 dmboot - ok
11:54:46.0218 1100 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
11:54:46.0328 1100 dmio - ok
11:54:46.0625 1100 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:54:46.0703 1100 dmload - ok
11:54:46.0953 1100 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
11:54:47.0031 1100 dmserver - ok
11:54:47.0296 1100 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
11:54:47.0375 1100 DMusic - ok
11:54:47.0625 1100 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
11:54:47.0718 1100 Dnscache - ok
11:54:48.0031 1100 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
11:54:48.0140 1100 Dot3svc - ok
11:54:48.0390 1100 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
11:54:48.0484 1100 dpti2o - ok
11:54:48.0750 1100 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
11:54:48.0812 1100 drmkaud - ok
11:54:49.0062 1100 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
11:54:49.0171 1100 E100B - ok
11:54:49.0500 1100 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
11:54:49.0906 1100 e1express - ok
11:54:50.0156 1100 EagleNT - ok
11:54:50.0390 1100 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
11:54:50.0484 1100 EapHost - ok
11:54:50.0750 1100 ehRecvr (8301243bde5b6cd316d79c0191d50d9a) C:\WINDOWS\eHome\ehRecvr.exe
11:54:50.0859 1100 ehRecvr - ok
11:54:51.0062 1100 ehSched (a53243709439ac2a4c216b817f8d7411) C:\WINDOWS\eHome\ehSched.exe
11:54:51.0125 1100 ehSched - ok
11:54:51.0375 1100 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
11:54:51.0453 1100 ERSvc - ok
11:54:51.0718 1100 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
11:54:51.0750 1100 Eventlog - ok
11:54:52.0031 1100 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\System32\es.dll
11:54:52.0171 1100 EventSystem - ok
11:54:52.0437 1100 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
11:54:52.0531 1100 Fastfat - ok
11:54:52.0812 1100 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
11:54:52.0875 1100 FastUserSwitchingCompatibility - ok
11:54:53.0187 1100 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
11:54:53.0265 1100 Fdc - ok
11:54:53.0531 1100 FilterService (1edc0df2da14e04504dd3bac21aa32cd) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
11:54:53.0546 1100 FilterService - ok
11:54:53.0812 1100 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
11:54:53.0890 1100 Fips - ok
11:54:54.0250 1100 FLEXnet Licensing Service (8669be94f63944e4f899c3950b520241) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
11:54:54.0671 1100 FLEXnet Licensing Service - ok
11:54:55.0015 1100 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
11:54:55.0093 1100 Flpydisk - ok
11:54:55.0375 1100 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
11:54:55.0468 1100 FltMgr - ok
11:54:55.0671 1100 FontCache3.0.0.0 (993883524aa9cf1c90e1545411a9ac9c) C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
11:54:55.0750 1100 FontCache3.0.0.0 - ok
11:54:56.0015 1100 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:54:56.0093 1100 Fs_Rec - ok
11:54:56.0390 1100 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:54:56.0500 1100 Ftdisk - ok
11:54:56.0765 1100 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:54:56.0859 1100 Gpc - ok
11:54:57.0015 1100 gupdate (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
11:54:57.0093 1100 gupdate - ok
11:54:57.0156 1100 gupdatem (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
11:54:57.0156 1100 gupdatem - ok
11:54:57.0312 1100 gusvc (cc839e8d766cc31a7710c9f38cf3e375) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
11:54:57.0359 1100 gusvc - ok
11:54:57.0640 1100 hamachi (7929a161f9951d173ca9900fe7067391) C:\WINDOWS\system32\DRIVERS\hamachi.sys
11:54:57.0656 1100 hamachi - ok
11:54:57.0921 1100 hcwPP2 (d169892e959aa82d38e09c9f7517dbf7) C:\WINDOWS\system32\DRIVERS\hcwPP2.sys
11:54:58.0031 1100 hcwPP2 - ok
11:54:58.0296 1100 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
11:54:58.0375 1100 HDAudBus - ok
11:54:58.0515 1100 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
11:54:58.0593 1100 helpsvc - ok
11:54:58.0890 1100 HidIr (bb1a6fb7d35a91e599973fa74a619056) C:\WINDOWS\system32\DRIVERS\hidir.sys
11:54:58.0953 1100 HidIr - ok
11:54:59.0203 1100 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
11:54:59.0281 1100 HidServ - ok
11:54:59.0593 1100 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:54:59.0671 1100 HidUsb - ok
11:54:59.0937 1100 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
11:55:00.0031 1100 hkmsvc - ok
11:55:00.0328 1100 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
11:55:00.0390 1100 hpn - ok
11:55:00.0593 1100 hpt3xx - ok
11:55:00.0890 1100 HSFHWBS2 (c02dc9d4358e43d088f2061c2b2bf30e) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
11:55:00.0984 1100 HSFHWBS2 - ok
11:55:01.0484 1100 HSF_DPV (cbf6831420a97e8fbb91e5f52b707ef7) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
11:55:01.0968 1100 HSF_DPV - ok
11:55:02.0265 1100 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
11:55:02.0390 1100 HTTP - ok
11:55:02.0625 1100 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
11:55:02.0718 1100 HTTPFilter - ok
11:55:02.0843 1100 HWiNFO32 (cb457aa4b4f012672058e55096b7a3d9) C:\Documents and Settings\Finn\Desktop\hw32_236\HWiNFO32.SYS
11:55:02.0859 1100 HWiNFO32 - ok
11:55:03.0156 1100 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
11:55:03.0218 1100 i2omgmt - ok
11:55:03.0421 1100 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
11:55:03.0515 1100 i2omp - ok
11:55:03.0781 1100 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:55:03.0859 1100 i8042prt - ok
11:55:05.0453 1100 ialm (12c7f8d581c4a9f126f5f8f5683a1c29) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
11:55:08.0187 1100 ialm - ok
11:55:08.0312 1100 IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
11:55:08.0343 1100 IDriverT ( UnsignedFile.Multi.Generic ) - warning
11:55:08.0343 1100 IDriverT - detected UnsignedFile.Multi.Generic (1)
11:55:08.0828 1100 idsvc (e7cc3aeaed9893a88876744cd439f76c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
11:55:09.0218 1100 idsvc ( UnsignedFile.Multi.Generic ) - warning
11:55:09.0218 1100 idsvc - detected UnsignedFile.Multi.Generic (1)
11:55:09.0531 1100 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:55:09.0609 1100 Imapi - ok
11:55:09.0890 1100 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
11:55:10.0000 1100 ImapiService - ok
11:55:10.0296 1100 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
11:55:10.0375 1100 ini910u - ok
11:55:11.0703 1100 IntcAzAudAddService (9f6320e7b0c43e4e5693e1515ba5595c) C:\WINDOWS\system32\drivers\RtkHDAud.sys
11:55:13.0875 1100 IntcAzAudAddService - ok
11:55:14.0171 1100 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
11:55:14.0250 1100 IntelIde - ok
11:55:14.0484 1100 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:55:14.0562 1100 intelppm - ok
11:55:14.0796 1100 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
11:55:14.0890 1100 Ip6Fw - ok
11:55:15.0171 1100 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:55:15.0265 1100 IpFilterDriver - ok
11:55:15.0500 1100 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:55:15.0578 1100 IpInIp - ok
11:55:15.0921 1100 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:55:16.0031 1100 IpNat - ok
11:55:16.0328 1100 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:55:16.0421 1100 IPSec - ok
11:55:16.0718 1100 IrBus (b43b36b382aea10861f7c7a37f9d4ae2) C:\WINDOWS\system32\DRIVERS\IrBus.sys
11:55:16.0812 1100 IrBus - ok
11:55:17.0078 1100 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:55:17.0156 1100 IRENUM - ok
11:55:17.0437 1100 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:55:17.0515 1100 isapnp - ok
11:55:17.0671 1100 JavaQuickStarterService - ok
11:55:17.0953 1100 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:55:18.0031 1100 Kbdclass - ok
11:55:18.0281 1100 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
11:55:18.0343 1100 kbdhid - ok
11:55:18.0656 1100 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
11:55:18.0781 1100 kmixer - ok
11:55:19.0078 1100 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
11:55:19.0187 1100 KSecDD - ok
11:55:19.0484 1100 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
11:55:19.0546 1100 lanmanserver - ok
11:55:19.0812 1100 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
11:55:19.0906 1100 lanmanworkstation - ok
11:55:20.0109 1100 lbrtfdc - ok
11:55:20.0359 1100 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
11:55:20.0437 1100 LmHosts - ok
11:55:20.0750 1100 LVPr2Mon (f96cfb47903854f228baaf3e2d41a0a3) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
11:55:20.0765 1100 LVPr2Mon - ok
11:55:20.0890 1100 LVPrcSrv (ff23862146a682fcc3dbaa002e22f958) C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
11:55:20.0937 1100 LVPrcSrv - ok
11:55:21.0406 1100 LVRS (e22fd7852e74f04cceb6b8a684a51f3e) C:\WINDOWS\system32\DRIVERS\lvrs.sys
11:55:21.0734 1100 LVRS - ok
11:55:22.0031 1100 LVUSBSta (5f987fc1aad215ec2c60cf07719b1cce) C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys
11:55:22.0046 1100 LVUSBSta - ok
11:55:23.0828 1100 LVUVC (e89df2b88ee659954de79827ddf46dc9) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
11:55:26.0812 1100 LVUVC - ok
11:55:26.0953 1100 McrdSvc (df0a511f38f16016bf658fca0090cb87) C:\WINDOWS\ehome\mcrdsvc.exe
11:55:27.0015 1100 McrdSvc - ok
11:55:27.0281 1100 mdmxsdk (195741aee20369980796b557358cd774) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
11:55:27.0343 1100 mdmxsdk - ok
11:55:27.0593 1100 Messenger  (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
11:55:27.0687 1100 Messenger - ok
11:55:27.0984 1100 MHN (b7521f69c0a9b29d356157229376fb21) C:\WINDOWS\System32\mhn.dll
11:55:28.0031 1100 MHN ( UnsignedFile.Multi.Generic ) - warning
11:55:28.0031 1100 MHN - detected UnsignedFile.Multi.Generic (1)
11:55:28.0296 1100 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
11:55:28.0312 1100 MHNDRV ( UnsignedFile.Multi.Generic ) - warning
11:55:28.0312 1100 MHNDRV - detected UnsignedFile.Multi.Generic (1)
11:55:28.0562 1100 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:55:28.0640 1100 mnmdd - ok
11:55:28.0890 1100 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\System32\mnmsrvc.exe
11:55:28.0984 1100 mnmsrvc - ok
11:55:29.0234 1100 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
11:55:29.0312 1100 Modem - ok
11:55:29.0593 1100 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:55:29.0671 1100 Mouclass - ok
11:55:29.0984 1100 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:55:30.0062 1100 mouhid - ok
11:55:30.0343 1100 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
11:55:30.0421 1100 MountMgr - ok
11:55:30.0562 1100 mple7docserver (c049ef30ace3e2beebc41e37fe4bb2a1) C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
11:55:30.0609 1100 mple7docserver ( UnsignedFile.Multi.Generic ) - warning
11:55:30.0609 1100 mple7docserver - detected UnsignedFile.Multi.Generic (1)
11:55:30.0890 1100 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
11:55:30.0968 1100 mraid35x - ok
11:55:31.0078 1100 MRENDIS5 (594b9d8194e3f4ecbf0325bd10bbeb05) C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
11:55:31.0093 1100 MRENDIS5 ( UnsignedFile.Multi.Generic ) - warning
11:55:31.0093 1100 MRENDIS5 - detected UnsignedFile.Multi.Generic (1)
11:55:31.0421 1100 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:55:31.0531 1100 MRxDAV - ok
11:55:31.0937 1100 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:55:32.0187 1100 MRxSmb - ok
11:55:32.0468 1100 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\System32\msdtc.exe
11:55:32.0546 1100 MSDTC - ok
11:55:32.0843 1100 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
11:55:32.0906 1100 Msfs - ok
11:55:33.0109 1100 MSIServer - ok
11:55:33.0359 1100 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:55:33.0437 1100 MSKSSRV - ok
11:55:33.0671 1100 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:55:33.0734 1100 MSPCLOCK - ok
11:55:34.0015 1100 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
11:55:34.0078 1100 MSPQM - ok
11:55:34.0359 1100 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:55:34.0437 1100 mssmbios - ok
11:55:34.0531 1100 MSSQL$SQLEXPRESS - ok
11:55:34.0593 1100 MSSQLServerADHelper (adaf062116b4e6d96e44d26486a87af6) c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe
11:55:34.0609 1100 MSSQLServerADHelper - ok
11:55:34.0875 1100 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
11:55:34.0953 1100 MSTEE - ok
11:55:35.0781 1100 msvsmon80 (73fa09b84b23a1897809a84f976d5d99) C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe
11:55:37.0171 1100 msvsmon80 - ok
11:55:37.0468 1100 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
11:55:37.0515 1100 Mup - ok
11:55:37.0796 1100 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
11:55:37.0875 1100 NABTSFEC - ok
11:55:38.0203 1100 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
11:55:38.0328 1100 napagent - ok
11:55:38.0609 1100 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
11:55:38.0734 1100 NDIS - ok
11:55:38.0968 1100 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
11:55:39.0031 1100 NdisIP - ok
11:55:39.0296 1100 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:55:39.0359 1100 NdisTapi - ok
11:55:39.0625 1100 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:55:39.0703 1100 Ndisuio - ok
11:55:39.0953 1100 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:55:40.0031 1100 NdisWan - ok
11:55:40.0312 1100 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
11:55:40.0343 1100 NDProxy - ok
11:55:40.0625 1100 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:55:40.0703 1100 NetBIOS - ok
11:55:41.0015 1100 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:55:41.0125 1100 NetBT - ok
11:55:41.0390 1100 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
11:55:41.0484 1100 NetDDE - ok
11:55:41.0515 1100 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
11:55:41.0578 1100 NetDDEdsdm - ok
11:55:41.0843 1100 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:55:41.0921 1100 Netlogon - ok
11:55:42.0203 1100 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
11:55:42.0328 1100 Netman - ok
11:55:42.0531 1100 NetTcpPortSharing (f9102685f97f9ba85f4a70afcf722cfe) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
11:55:42.0593 1100 NetTcpPortSharing ( UnsignedFile.Multi.Generic ) - warning
11:55:42.0593 1100 NetTcpPortSharing - detected UnsignedFile.Multi.Generic (1)
11:55:42.0875 1100 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
11:55:42.0968 1100 NIC1394 - ok
11:55:43.0265 1100 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
11:55:43.0328 1100 Nla - ok
11:55:43.0562 1100 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
11:55:43.0640 1100 nm - ok
11:55:43.0890 1100 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
11:55:43.0968 1100 Npfs - ok
11:55:44.0328 1100 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
11:55:44.0593 1100 Ntfs - ok
11:55:44.0843 1100 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
11:55:44.0906 1100 NtLmSsp - ok
11:55:45.0218 1100 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
11:55:45.0468 1100 NtmsSvc - ok
11:55:45.0734 1100 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:55:45.0796 1100 Null - ok
11:55:47.0875 1100 nv (4f15e1e56703f59c0ac00022162e5308) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
11:55:51.0578 1100 nv - ok
11:55:51.0890 1100 nvsvc (383aa018830eb16965181c39cb0f3b73) C:\WINDOWS\system32\nvsvc32.exe
11:55:51.0953 1100 nvsvc ( UnsignedFile.Multi.Generic ) - warning
11:55:51.0953 1100 nvsvc - detected UnsignedFile.Multi.Generic (1)
11:55:52.0203 1100 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:55:52.0281 1100 NwlnkFlt - ok
11:55:52.0531 1100 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:55:52.0609 1100 NwlnkFwd - ok
11:55:52.0875 1100 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
11:55:52.0968 1100 ohci1394 - ok
11:55:53.0250 1100 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
11:55:53.0328 1100 Parport - ok
11:55:53.0609 1100 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
11:55:53.0687 1100 PartMgr - ok
11:55:53.0937 1100 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:55:54.0000 1100 ParVdm - ok
11:55:54.0281 1100 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
11:55:54.0375 1100 PCI - ok
11:55:54.0578 1100 PCIDump - ok
11:55:54.0859 1100 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:55:54.0953 1100 PCIIde - ok
11:55:55.0203 1100 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
11:55:55.0312 1100 Pcmcia - ok
11:55:55.0515 1100 PDCOMP - ok
11:55:55.0734 1100 PDFRAME - ok
11:55:55.0937 1100 PDRELI - ok
11:55:56.0156 1100 PDRFRAME - ok
11:55:56.0406 1100 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
11:55:56.0484 1100 perc2 - ok
11:55:56.0750 1100 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
11:55:56.0828 1100 perc2hib - ok
11:55:57.0140 1100 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
11:55:57.0187 1100 PlugPlay - ok
11:55:57.0421 1100 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:55:57.0468 1100 PolicyAgent - ok
11:55:57.0734 1100 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:55:57.0828 1100 PptpMiniport - ok
11:55:57.0937 1100 PrismXL (33d7285f12d934268a34206dfc4ad1b3) C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
11:55:58.0000 1100 PrismXL ( UnsignedFile.Multi.Generic ) - warning
11:55:58.0000 1100 PrismXL - detected UnsignedFile.Multi.Generic (1)
11:55:58.0296 1100 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
11:55:58.0375 1100 Processor - ok
11:55:58.0625 1100 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:55:58.0671 1100 ProtectedStorage - ok
11:55:58.0937 1100 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
11:55:59.0031 1100 PSched - ok
11:55:59.0328 1100 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:55:59.0421 1100 Ptilink - ok
11:55:59.0671 1100 PxHelp20 (617accada2e0a0f43ec6030bbac49513) C:\WINDOWS\system32\Drivers\PxHelp20.sys
11:55:59.0718 1100 PxHelp20 - ok
11:55:59.0984 1100 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
11:56:00.0078 1100 ql1080 - ok
11:56:00.0312 1100 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
11:56:00.0406 1100 Ql10wnt - ok
11:56:00.0671 1100 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
11:56:00.0750 1100 ql12160 - ok
11:56:01.0015 1100 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
11:56:01.0109 1100 ql1240 - ok
11:56:01.0390 1100 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
11:56:01.0468 1100 ql1280 - ok
11:56:01.0687 1100 RapportCerberus_34302 (6b6f0a77365667912360ff1d5e984f25) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys
11:56:01.0750 1100 RapportCerberus_34302 - ok
11:56:01.0875 1100 RapportEI (34992b59780a8a227a9eb54c97dc4608) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
11:56:01.0906 1100 RapportEI - ok
11:56:02.0015 1100 RapportIaso (dd3e4610de9252a957c5bd19bdf47ac4) c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys
11:56:02.0031 1100 RapportIaso - ok
11:56:02.0343 1100 RapportKELL (a231b5552148ade82ed3dfba25919b75) C:\WINDOWS\system32\Drivers\RapportKELL.sys
11:56:02.0359 1100 RapportKELL - ok
11:56:02.0687 1100 RapportMgmtService (5bd5895f002438f4e1c50c09bf6f1ce2) C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
11:56:03.0140 1100 RapportMgmtService - ok
11:56:03.0296 1100 RapportPG (060f8e34707d68178a564935ce4546eb) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
11:56:03.0343 1100 RapportPG - ok
11:56:03.0625 1100 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:56:03.0687 1100 RasAcd - ok
11:56:03.0921 1100 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
11:56:04.0031 1100 RasAuto - ok
11:56:04.0328 1100 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:56:04.0406 1100 Rasl2tp - ok
11:56:04.0734 1100 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
11:56:04.0828 1100 RasMan - ok
11:56:05.0078 1100 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:56:05.0171 1100 RasPppoe - ok
11:56:05.0437 1100 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:56:05.0515 1100 Raspti - ok
11:56:05.0828 1100 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:56:05.0953 1100 Rdbss - ok
11:56:06.0218 1100 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:56:06.0296 1100 RDPCDD - ok
11:56:06.0609 1100 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:56:06.0750 1100 rdpdr - ok
11:56:07.0062 1100 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
11:56:07.0125 1100 RDPWD - ok
11:56:07.0421 1100 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
11:56:07.0515 1100 RDSessMgr - ok
11:56:07.0765 1100 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:56:07.0859 1100 redbook - ok
11:56:08.0125 1100 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
11:56:08.0218 1100 RemoteAccess - ok
11:56:08.0453 1100 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
11:56:08.0531 1100 RemoteRegistry - ok
11:56:08.0671 1100 RivaTuner32 (c0c8909be3ecc9df8089112bf9be954e) C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys
11:56:08.0703 1100 RivaTuner32 ( UnsignedFile.Multi.Generic ) - warning
11:56:08.0703 1100 RivaTuner32 - detected UnsignedFile.Multi.Generic (1)
11:56:09.0265 1100 RosettaStoneDaemon (7f7ca7deeb68e68fd67870e9a5ec33e2) C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
11:56:09.0968 1100 RosettaStoneDaemon - ok
11:56:10.0250 1100 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\System32\locator.exe
11:56:10.0328 1100 RpcLocator - ok
11:56:10.0640 1100 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
11:56:10.0703 1100 RpcSs - ok
11:56:11.0000 1100 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\System32\rsvp.exe
11:56:11.0078 1100 RSVP - ok
11:56:11.0390 1100 RT25USBAP (05691b0b52575c057e5ac35242e5d231) C:\WINDOWS\system32\DRIVERS\rt25usbap.sys
11:56:11.0437 1100 RT25USBAP ( UnsignedFile.Multi.Generic ) - warning
11:56:11.0437 1100 RT25USBAP - detected UnsignedFile.Multi.Generic (1)
11:56:11.0656 1100 RTL8023xp (e9877aa069dc11b03dbd1d33b8b2a3ca) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
11:56:11.0734 1100 RTL8023xp - ok
11:56:12.0000 1100 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:56:12.0062 1100 SamSs - ok
11:56:12.0312 1100 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
11:56:12.0406 1100 SCardSvr - ok
11:56:12.0671 1100 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
11:56:12.0796 1100 Schedule - ok
11:56:13.0046 1100 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:56:13.0140 1100 Secdrv - ok
11:56:13.0375 1100 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
11:56:13.0453 1100 seclogon - ok
11:56:13.0734 1100 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
11:56:13.0812 1100 SENS - ok
11:56:14.0046 1100 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
11:56:14.0125 1100 serenum - ok
11:56:14.0375 1100 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
11:56:14.0468 1100 Serial - ok
11:56:14.0734 1100 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
11:56:14.0812 1100 Sfloppy - ok
11:56:15.0140 1100 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
11:56:15.0359 1100 SharedAccess - ok
11:56:15.0640 1100 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
11:56:15.0671 1100 ShellHWDetection - ok
11:56:15.0921 1100 Simbad - ok
11:56:16.0171 1100 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
11:56:16.0234 1100 sisagp - ok
11:56:16.0468 1100 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
11:56:16.0546 1100 SLIP - ok
11:56:16.0812 1100 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
11:56:16.0859 1100 Sparrow - ok
11:56:17.0140 1100 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:56:17.0218 1100 splitter - ok
11:56:17.0468 1100 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
11:56:17.0531 1100 Spooler - ok
11:56:17.0953 1100 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
11:56:17.0953 1100 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
11:56:17.0953 1100 sptd ( LockedFile.Multi.Generic ) - warning
11:56:17.0953 1100 sptd - detected LockedFile.Multi.Generic (1)
11:56:18.0093 1100 SQLBrowser (3612108d36ea74f6f9fc5005e88e353b) c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
11:56:18.0156 1100 SQLBrowser - ok
11:56:18.0203 1100 SQLWriter (d37b8ce340b71d9e0ab2440addb2fdbf) c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
11:56:18.0234 1100 SQLWriter - ok
11:56:18.0500 1100 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
11:56:18.0593 1100 sr - ok
11:56:18.0906 1100 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
11:56:19.0000 1100 srservice - ok
11:56:19.0312 1100 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
11:56:19.0500 1100 Srv - ok
11:56:19.0781 1100 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
11:56:19.0875 1100 SSDPSRV - ok
11:56:20.0015 1100 StarWindService (ab2b9349ada4ac5ec74b622b8303fe23) C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
11:56:20.0078 1100 StarWindService ( UnsignedFile.Multi.Generic ) - warning
11:56:20.0078 1100 StarWindService - detected UnsignedFile.Multi.Generic (1)
11:56:20.0421 1100 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
11:56:20.0640 1100 stisvc - ok
11:56:20.0890 1100 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
11:56:20.0968 1100 streamip - ok
11:56:21.0234 1100 SunkFilt (86ca1a5c15a5a98d5533945fb1120b05) C:\WINDOWS\System32\Drivers\sunkfilt.sys
11:56:21.0234 1100 SunkFilt ( UnsignedFile.Multi.Generic ) - warning
11:56:21.0234 1100 SunkFilt - detected UnsignedFile.Multi.Generic (1)
11:56:21.0500 1100 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:56:21.0578 1100 swenum - ok
11:56:21.0859 1100 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
11:56:21.0937 1100 swmidi - ok
11:56:22.0187 1100 SwPrv - ok
11:56:22.0437 1100 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
11:56:22.0500 1100 symc810 - ok
11:56:22.0750 1100 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
11:56:22.0843 1100 symc8xx - ok
11:56:23.0125 1100 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
11:56:23.0203 1100 sym_hi - ok
11:56:23.0468 1100 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
11:56:23.0531 1100 sym_u3 - ok
11:56:23.0812 1100 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
11:56:23.0906 1100 sysaudio - ok
11:56:24.0171 1100 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
11:56:24.0281 1100 SysmonLog - ok
11:56:24.0578 1100 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
11:56:24.0718 1100 TapiSrv - ok
11:56:25.0062 1100 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:56:25.0234 1100 Tcpip - ok
11:56:25.0515 1100 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:56:25.0593 1100 TDPIPE - ok
11:56:25.0828 1100 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
11:56:25.0906 1100 TDTCP - ok
11:56:26.0171 1100 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:56:26.0250 1100 TermDD - ok
11:56:26.0593 1100 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
11:56:26.0750 1100 TermService - ok
11:56:27.0015 1100 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
11:56:27.0015 1100 Themes - ok
11:56:27.0296 1100 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\System32\tlntsvr.exe
11:56:27.0390 1100 TlntSvr - ok
11:56:27.0640 1100 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
11:56:27.0718 1100 TosIde - ok
11:56:28.0000 1100 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
11:56:28.0093 1100 TrkWks - ok
11:56:28.0375 1100 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
11:56:28.0453 1100 Udfs - ok
11:56:28.0718 1100 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
11:56:28.0781 1100 ultra - ok
11:56:29.0046 1100 UMWdf (9651e5d850b6f6bd7c77c70aa06f02bf) C:\WINDOWS\system32\wdfmgr.exe
11:56:29.0187 1100 UMWdf - ok
11:56:29.0546 1100 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
11:56:29.0781 1100 Update - ok
11:56:30.0046 1100 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
11:56:30.0171 1100 upnphost - ok
11:56:30.0437 1100 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
11:56:30.0515 1100 UPS - ok
11:56:30.0781 1100 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
11:56:30.0875 1100 usbaudio - ok
11:56:31.0109 1100 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:56:31.0203 1100 usbccgp - ok
11:56:31.0468 1100 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:56:31.0562 1100 usbehci - ok
11:56:31.0828 1100 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:56:31.0921 1100 usbhub - ok
11:56:32.0203 1100 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
11:56:32.0296 1100 usbohci - ok
11:56:32.0546 1100 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
11:56:32.0625 1100 usbprint - ok
11:56:32.0890 1100 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:56:32.0984 1100 USBSTOR - ok
11:56:33.0234 1100 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:56:33.0312 1100 usbuhci - ok
11:56:33.0656 1100 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
11:56:33.0765 1100 usbvideo - ok
11:56:34.0062 1100 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
11:56:34.0140 1100 VgaSave - ok
11:56:34.0421 1100 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
11:56:34.0500 1100 viaagp - ok
11:56:34.0781 1100 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
11:56:34.0859 1100 ViaIde - ok
11:56:35.0125 1100 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
11:56:35.0218 1100 VolSnap - ok
11:56:35.0531 1100 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
11:56:35.0656 1100 VSS - ok
11:56:35.0906 1100 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
11:56:36.0015 1100 W32Time - ok
11:56:36.0296 1100 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:56:36.0375 1100 Wanarp - ok
11:56:36.0609 1100 WDICA - ok
11:56:36.0875 1100 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:56:36.0968 1100 wdmaud - ok
11:56:37.0218 1100 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
11:56:37.0328 1100 WebClient - ok
11:56:37.0765 1100 winachsf (59d043485a6eda2ed2685c81489ae5bd) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
11:56:38.0125 1100 winachsf - ok
11:56:38.0437 1100 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
11:56:38.0531 1100 winmgmt - ok
11:56:38.0828 1100 WmdmPmSN (b9715b9c18bc6c8f4b66733d208cc9f7) C:\WINDOWS\System32\mspmsnsv.dll
11:56:38.0859 1100 WmdmPmSN - ok
11:56:39.0250 1100 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
11:56:39.0546 1100 Wmi - ok
11:56:39.0843 1100 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\System32\wbem\wmiapsrv.exe
11:56:39.0953 1100 WmiApSrv - ok
11:56:40.0203 1100 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
11:56:40.0281 1100 WS2IFSL - ok
11:56:40.0531 1100 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
11:56:40.0640 1100 wscsvc - ok
11:56:40.0906 1100 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
11:56:40.0968 1100 WSTCODEC - ok
11:56:41.0203 1100 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
11:56:41.0343 1100 wuauserv - ok
11:56:41.0734 1100 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
11:56:41.0984 1100 WZCSVC - ok
11:56:42.0265 1100 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
11:56:42.0453 1100 xmlprov - ok
11:56:42.0875 1100 xnacc (7a35352bcdff34d0a6e59d8267b3fcb7) C:\WINDOWS\system32\DRIVERS\xnacc.sys
11:56:43.0125 1100 xnacc - ok
11:56:43.0375 1100 YPCService (d46403ef02c003de80b4be8a31549fb4) C:\WINDOWS\system32\YPCSER~1.EXE
11:56:43.0421 1100 YPCService ( UnsignedFile.Multi.Generic ) - warning
11:56:43.0421 1100 YPCService - detected UnsignedFile.Multi.Generic (1)
11:56:43.0484 1100 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
11:56:43.0750 1100 \Device\Harddisk0\DR0 - ok
11:56:43.0750 1100 Boot (0x1200) (61e13328024e6a851af33dbfe2680239) \Device\Harddisk0\DR0\Partition0
11:56:43.0750 1100 \Device\Harddisk0\DR0\Partition0 - ok
11:56:43.0765 1100 ============================================================
11:56:43.0765 1100 Scan finished
11:56:43.0765 1100 ============================================================
11:56:43.0875 1092 Detected object count: 16
11:56:43.0875 1092 Actual detected object count: 16
11:57:28.0484 1092 Apache ( UnsignedFile.Multi.Generic ) - skipped by user
11:57:28.0484 1092 Apache ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:57:28.0484 1092 IDriverT ( UnsignedFile.Multi.Generic ) - skipped by user
11:57:28.0484 1092 IDriverT ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:57:28.0500 1092 idsvc ( UnsignedFile.Multi.Generic ) - skipped by user
11:57:28.0500 1092 idsvc ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:57:28.0500 1092 MHN ( UnsignedFile.Multi.Generic ) - skipped by user
11:57:28.0500 1092 MHN ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:57:28.0515 1092 MHNDRV ( UnsignedFile.Multi.Generic ) - skipped by user
11:57:28.0515 1092 MHNDRV ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:57:28.0515 1092 mple7docserver ( UnsignedFile.Multi.Generic ) - skipped by user
11:57:28.0515 1092 mple7docserver ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:57:28.0515 1092 MRENDIS5 ( UnsignedFile.Multi.Generic ) - skipped by user
11:57:28.0515 1092 MRENDIS5 ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:57:28.0531 1092 NetTcpPortSharing ( UnsignedFile.Multi.Generic ) - skipped by user
11:57:28.0531 1092 NetTcpPortSharing ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:57:28.0531 1092 nvsvc ( UnsignedFile.Multi.Generic ) - skipped by user
11:57:28.0531 1092 nvsvc ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:57:28.0531 1092 PrismXL ( UnsignedFile.Multi.Generic ) - skipped by user
11:57:28.0531 1092 PrismXL ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:57:28.0546 1092 RivaTuner32 ( UnsignedFile.Multi.Generic ) - skipped by user
11:57:28.0546 1092 RivaTuner32 ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:57:28.0546 1092 RT25USBAP ( UnsignedFile.Multi.Generic ) - skipped by user
11:57:28.0546 1092 RT25USBAP ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:57:28.0546 1092 sptd ( LockedFile.Multi.Generic ) - skipped by user
11:57:28.0546 1092 sptd ( LockedFile.Multi.Generic ) - User select action: Skip 
11:57:28.0562 1092 StarWindService ( UnsignedFile.Multi.Generic ) - skipped by user
11:57:28.0562 1092 StarWindService ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:57:28.0562 1092 SunkFilt ( UnsignedFile.Multi.Generic ) - skipped by user
11:57:28.0562 1092 SunkFilt ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:57:28.0578 1092 YPCService ( UnsignedFile.Multi.Generic ) - skipped by user
11:57:28.0578 1092 YPCService ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:59:24.0921 1064 Deinitialize success


----------
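Reading a TDSSKiller log of this length by hand means scrolling past hundreds of "- ok" lines to find the few warnings, and the skip/cure decisions at the end are far from the md5 and path details recorded at the top. The script below is an added example (not from this thread and not the scanner vendor's code) that parses the line format shown above, pairs each verdict with the hash and path seen during enumeration, checks the verdict lines against the scanner's own "Detected object count", and lists detections that never received a user action; it runs on a constructed sample in the same format with placeholder hashes.

```python
"""Triage helper for TDSSKiller-style logs (added example, not the scanner's own code)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Each line is "<hh:mm:ss.ffff> <thread id> <text>"; the other patterns match <text>.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(?P<rest>.*)$")
INVENTORY_RE = re.compile(r"^(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
VERDICT_RE = re.compile(r"^(?P<name>\S+)\s+-\s+detected\s+(?P<kind>\S+)\s+\(\d+\)$")
SUSPICIOUS_RE = re.compile(r"^Suspicious file \((?P<why>[^)]+)\):\s+(?P<path>.+?)\.\s+md5:")
COUNT_RE = re.compile(r"^Detected object count:\s+(?P<n>\d+)$")
ACTION_RE = re.compile(r"^(?P<name>\S+)\s+\(\s*\S+\s*\)\s+-\s+User select action:\s+(?P<action>\S+)$")


@dataclass
class Finding:
    name: str
    kind: str                     # e.g. UnsignedFile.Multi.Generic
    md5: Optional[str] = None     # hash recorded when the object was enumerated
    path: Optional[str] = None
    note: Optional[str] = None    # reason from a "Suspicious file" line, e.g. NoAccess
    action: Optional[str] = None  # user's decision, if the log records one


@dataclass
class ScanSummary:
    files_hashed: int = 0
    reported_count: Optional[int] = None   # the scanner's own "Detected object count"
    findings: Dict[str, Finding] = field(default_factory=dict)

    def by_kind(self) -> Counter:
        return Counter(f.kind for f in self.findings.values())

    def count_matches_report(self) -> bool:  # do the verdict lines add up to the claimed total?
        return self.reported_count is not None and self.reported_count == len(self.findings)

    def unresolved(self) -> List[str]:  # detections with no user decision logged at all
        return [f.name for f in self.findings.values() if f.action is None]


def parse_tdss_log(text: str) -> ScanSummary:
    summary = ScanSummary()
    inventory: Dict[str, Finding] = {}  # name -> md5/path seen during enumeration
    notes: Dict[str, str] = {}          # path -> reason from "Suspicious file" lines
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m["rest"]
        if inv := INVENTORY_RE.match(rest):
            summary.files_hashed += 1
            inventory[inv["name"]] = Finding(inv["name"], "", inv["md5"], inv["path"])
        elif sus := SUSPICIOUS_RE.match(rest):
            notes[sus["path"]] = sus["why"]
        elif v := VERDICT_RE.match(rest):
            base = inventory.get(v["name"])  # None for objects that have no file behind them
            summary.findings[v["name"]] = Finding(
                v["name"], v["kind"],
                md5=base.md5 if base else None,
                path=base.path if base else None,
                note=notes.get(base.path) if base else None)
        elif c := COUNT_RE.match(rest):
            summary.reported_count = int(c["n"])
        elif a := ACTION_RE.match(rest):
            if a["name"] in summary.findings:
                summary.findings[a["name"]].action = a["action"]
    return summary


# Constructed sample in the scanner's line format; the hashes are placeholders, not real file hashes.
SAMPLE_LOG = r"""
11:56:17.0953 1100 sptd (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\Drivers\sptd.sys
11:56:17.0953 1100 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 0123456789abcdef0123456789abcdef
11:56:17.0953 1100 sptd - detected LockedFile.Multi.Generic (1)
11:56:18.0500 1100 sr (fedcba9876543210fedcba9876543210) C:\WINDOWS\system32\DRIVERS\sr.sys
11:56:18.0593 1100 sr - ok
11:56:20.0015 1100 StarWindService (00112233445566778899aabbccddeeff) C:\Program Files\Example\StarWindService.exe
11:56:20.0078 1100 StarWindService - detected UnsignedFile.Multi.Generic (1)
11:56:43.0421 1100 YPCService (ffeeddccbbaa99887766554433221100) C:\WINDOWS\system32\YPCSER~1.EXE
11:56:43.0421 1100 YPCService - detected UnsignedFile.Multi.Generic (1)
11:56:43.0875 1092 Detected object count: 3
11:57:28.0546 1092 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
11:57:28.0562 1092 StarWindService ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""


def render_report(summary: ScanSummary) -> str:
    lines = [f"files hashed: {summary.files_hashed}",
             f"detections: {len(summary.findings)} (scanner reported {summary.reported_count}, "
             f"consistent={summary.count_matches_report()})"]
    lines += [f"  {kind}: {n}" for kind, n in sorted(summary.by_kind().items())]
    lines += [f"  {f.name}: {f.kind} action={f.action or '-'} note={f.note or '-'} path={f.path}"
              for f in summary.findings.values()]
    if summary.unresolved():
        lines.append("unresolved (no user action logged): " + ", ".join(summary.unresolved()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(parse_tdss_log(SAMPLE_LOG)))
```

On the sample, YPCService is reported as unresolved because the log records no decision for it, which is exactly the line a helper would want to ask about before declaring a scan finished.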



## eddie5659 (Mar 19, 2001)

Okay, whilst I go through all the logs, let's try aswMBR first.

*FIX*

Re-Run aswMBR

Click *Scan*

On completion of the scan

Click the *Fix* for TDL4 Button

Save the log as before and post in your next reply


----------



## Justletmepost (Mar 11, 2012)

Oh, I forgot to mention before - aswMBR prompts me to download Avast virus definitions. But, you know, no internet.

Anyway...the middle "Fix" button is never enabled for me. Only the FixMBR button is available. Should I use that? Or not?


----------



## eddie5659 (Mar 19, 2001)

If the FixMBR is only available, then yes, click that. Still looking at the logs, but it's okay about leaving the Avast prompts about the definitions.


----------



## eddie5659 (Mar 19, 2001)

*P2P Warning!*


*IMPORTANT* I notice there are signs of one or more *P2P (Person to Person) File Sharing Programs* on your computer.

*Azureus*

Please note that as long as you are using any form of *Peer-to-Peer networking* and *downloading files* from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

I'd like you to read the *Guidelines for P2P Programs* where we explain why it's not a good idea to have them.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

Cyber Education Letter
File sharing infects 500,000 computers 
USAToday

I would recommend that you uninstall the above, however that choice is up to you. If you choose to remove these programs, you can do so via *Control Panel >> Add or Remove Programs*.

*If you decide to keep the program in spite of the risks involved, do not use it until I have finished cleaning your computer and have given you the all clear.*

----------------------------
Now that's out of the way, let's get started.

After the aswmbr has been run, can you also try this:

Please download *Farbar Service Scanner* and run it on the computer with the issue.
Make sure the following options are checked:
*Internet Services*
*Windows Firewall*
*System Restore*
*Security Center*
*Windows Update*

Press "*Scan*".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

eddie


----------



## Justletmepost (Mar 11, 2012)

....ha! I don't know when it happened exactly, because I've had my ethernet cable unplugged most of the time - but I tried it again and the infected computer can connect to the internet again! One problem down. I'll try the java online installer next...unless you think it might be wise to keep the infected computer unplugged for the time being. Should I run Combofix again to see if it still reports ZeroAccess?

Regarding Azureus: Believe me, I've always been intensely paranoid about torrents. In any case, it definitely isn't the cause of this infection, as I haven't touched it in months, perhaps years.

Now logs.

====================================================
*aswmbr log from Fixing*
====================================================
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-26 19:34:01
-----------------------------
19:34:01.171 OS Version: Windows 5.1.2600 Service Pack 3
19:34:01.171 Number of processors: 2 586 0x1706
19:34:01.171 ComputerName: FINN-GE6QC5 UserName: Finn
19:34:11.171 Initialize success
19:35:33.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:35:33.671 Disk 0 Vendor: ST3160815AS 4.AAA Size: 152627MB BusType: 3
19:35:33.671 Disk 0 MBR read successfully
19:35:33.687 Disk 0 MBR scan
19:35:33.687 Disk 0 Windows XP default MBR code
19:35:33.687 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 131061 MB offset 63
19:35:33.687 Disk 0 scanning sectors +268414020
19:35:33.796 Disk 0 scanning C:\WINDOWS\system32\drivers
19:35:49.421 Service scanning
19:36:21.156 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
19:36:26.359 Modules scanning
19:36:31.859 Module: C:\WINDOWS\System32\Drivers\atapi.sys **SUSPICIOUS**
19:36:39.968 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**
19:36:42.515 Disk 0 trace - called modules:
19:36:42.531 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spmm.sys >>UNKNOWN [0x8a824938]<<
19:36:42.531 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a730ab8]
19:36:42.531 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\000000a4[0x8a7cfd40]
19:36:42.531 5 ACPI.sys[b7e67620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a7db940]
19:36:42.546 Scan finished successfully
19:59:06.000 Verifying
19:59:16.000 Disk 0 Windows 501 MBR fixed successfully
21:02:21.906 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Finn\Desktop\MBR.dat"
21:02:21.906 The log file has been saved successfully to "C:\Documents and Settings\Finn\Desktop\aswMBR_2.txt"

====================================================
*Farbar Service Scanner*
====================================================
Farbar Service Scanner Version: 01-03-2012
Ran by Finn (administrator) on 26-03-2012 at 21:14:36
Running from "C:\Documents and Settings\Finn\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============

Firewall Disabled Policy: 
==================

System Restore:
============

System Restore Disabled Policy: 
========================

Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) 
0x06000000050000000300000004000000010000000600000007000000
IpSec Tag value is correct.

**** End of log ****


----------



## eddie5659 (Mar 19, 2001)

Good news on the connection. I would leave the Java for now, as the infection is the main thing.

Can you delete the copy of ComboFix you have, and get a new version from here and run as before, and tell me if it still says it has ZeroAccess. Don't worry about the Recovery Console, it's now installed always.

*ComboFix Download*


----------



## Justletmepost (Mar 11, 2012)

Sadly, the Combofix process was near-identical to before. It still warned about not being able to do something because of access being denied. It still reported Rootkit.ZeroAccess and said it needed to reboot. I still needed to log into the admin account in safe mode in order to get Combofix to resume. Bizarrely, it even still claimed I don't have the recovery console and prompted me to download it, even though the related warning isn't present in the log. And yes, I did delete the old combofix executable and download a new one.

===============================================
*combofix log, after return of internet connection*
===============================================
ComboFix 12-03-26.02 - Administrator 03/27/2012 0:24.3.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1763 [GMT 1:00]
Running from: c:\documents and settings\Finn\Desktop\Finn456.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-02-26 to 2012-03-26 )))))))))))))))))))))))))))))))
.
.
2012-03-18 23:40 . 2012-03-19 00:32 2617176 ----a-w- C:\revosetup.exe
2012-03-16 20:38 . 2012-03-16 20:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2012-03-09 20:54 . 2012-03-09 20:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-03-09 17:41 . 2012-03-09 17:46 -------- d-----w- C:\aaaaaaREGBACKUP_ERONT
2012-03-09 17:27 . 2012-03-09 17:39 -------- d-----w- C:\zzzwinsockfix
2012-03-09 17:16 . 2012-03-09 17:16 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-08 23:20 . 2012-03-09 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-08 23:20 . 2012-03-08 23:20 -------- d-----w- c:\program files\AVAST Software
2012-03-08 22:13 . 2012-03-08 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-03-08 22:13 . 2012-03-08 22:13 -------- d-----w- c:\program files\AVG
2012-03-08 22:03 . 2012-03-08 22:03 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-03-08 22:02 . 2012-03-08 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-03-07 20:37 . 2012-03-08 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-25 10:16 . 2012-01-25 10:16 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-06 23:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((( [email protected]_19.36.16 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-23 12:00 . 2012-01-13 00:50 60180 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2012-03-26 10:24 60180 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2012-03-26 10:24 377306 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2012-01-13 00:50 377306 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 12:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-08 543232]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"HostManager"="c:\program files\Common Files\AOL\1169214453\ee\AOLSoftware.exe" [2006-05-24 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-06 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-06 138008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-11 421888]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CHotkey"="zHotkey.exe" [2004-12-08 550912]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Finn\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2009-1-5 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Finn^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\Finn\\Desktop\\eclipse-java-ganymede-SR1-win32\\eclipse\\eclipse.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\RosettaStoneVersion3.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone TOTALe\\RosettaStoneTOTALe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*isabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*isabled:SolidNetworkManager
"57224:TCP"= 57224:TCPando Media Booster
"57224:UDP"= 57224:UDPando Media Booster
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"<NO NAME>"= 
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/4/2009 03:36 717296]
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [1/25/2012 11:16 56208]
S1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [12/15/2011 17:55 228208]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [1/25/2012 11:16 71440]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [1/25/2012 11:16 164112]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [12/30/2009 19:04 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [12/30/2009 19:04 234888]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 07:26 135664]
S2 HWiNFO32;HWiNFO32 Kernel Driver;c:\documents and settings\Finn\Desktop\hw32_236\HWiNFO32.sys [11/21/2008 10:48 16616]
S2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [1/2/2009 21:39 126976]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [1/25/2012 11:16 931640]
S2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [5/17/2010 14:45 1615176]
S3 BGRaSvc;BGRaSvc;"c:\program files\BullGuard Software\BullGuard\support\bgrasvc.exe" --> c:\program files\BullGuard Software\BullGuard\support\bgrasvc.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 07:26 135664]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [8/7/2011 13:43 21520]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 08:01 2799808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs REG_MULTI_SZ ???t eaphost
dot3svc REG_MULTI_SZ ???c dot3svc
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-01-02 12:42]
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003Core.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003UA.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2011-02-08 c:\windows\Tasks\Reimage Reminder.job
- c:\program files\Reimage\Reimage Repair\ReimageReminder.exe [2011-02-03 13:09]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0sgtbcgg.default\
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-27 00:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-03-27 00:42:25
ComboFix-quarantined-files.txt 2012-03-26 23:42
ComboFix2.txt 2012-03-23 19:13
ComboFix3.txt 2012-03-21 19:41
.
Pre-Run: 11,332,890,624 bytes free
Post-Run: 11,317,727,232 bytes free
.
- - End Of File - - BBAFEFFBC26B7CED8ADF7B821EFAAC31


----------



## eddie5659 (Mar 19, 2001)

When you're running ComboFix in normal Windows, are you running as an Admin? The reason I ask, is you say this:



> I still needed to log into the admin account in safe mode in order to get Combofix to resume


If not, can you run as Admin in normal Windows, and see if that removes the infection.


----------



## Justletmepost (Mar 11, 2012)

My user account in normal Windows has admin rights, yes. 
But in response to what you said, and a whim, I tried creating a new user account with admin rights (called Temp_for_fix) and running combofix on that...and that way I was able to do the full scan without having to go into safe mode! (So it seems there's a problem localized to my main user account specifically) Here's the log. I don't know yet if it's successfully removed the rootkit, of course. Should I run it again? Should I delete it and download a new version again? Come to that, it still claims I don't have the Recovery Console - next time, should I plug in my ethernet cable and let it download it, or could problems be caused by it trying to install something that's already there?

Also, I noticed through this that that warning message I mentioned earlier...:
"Warning:
Unknown(): Unable to load dynamic library '..\php4\extensions\php_curl.dll' - The specified module could not be found."
...happens before I even pick a user account to log into. Odd.

=============================================
*combofix log after creating new admin account, Temp_for_fix*
=============================================
ComboFix 12-03-26.02 - Temp_for_fix 03/28/2012 3:45.4.2 - x86
Running from: c:\documents and settings\Finn\Desktop\Finn456.exe
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-28 )))))))))))))))))))))))))))))))
.
.
2012-03-28 02:03 . 2012-03-28 02:03 -------- d-----w- c:\documents and settings\Temp_for_fix
2012-03-18 23:40 . 2012-03-19 00:32 2617176 ----a-w- C:\revosetup.exe
2012-03-16 20:38 . 2012-03-16 20:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2012-03-09 20:54 . 2012-03-09 20:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-03-09 17:41 . 2012-03-09 17:46 -------- d-----w- C:\aaaaaaREGBACKUP_ERONT
2012-03-09 17:27 . 2012-03-09 17:39 -------- d-----w- C:\zzzwinsockfix
2012-03-09 17:16 . 2012-03-09 17:16 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-08 23:20 . 2012-03-09 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-08 23:20 . 2012-03-08 23:20 -------- d-----w- c:\program files\AVAST Software
2012-03-08 22:13 . 2012-03-08 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-03-08 22:13 . 2012-03-08 22:13 -------- d-----w- c:\program files\AVG
2012-03-08 22:03 . 2012-03-08 22:03 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-03-08 22:02 . 2012-03-08 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-03-07 20:37 . 2012-03-08 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-25 10:16 . 2012-01-25 10:16 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-06 23:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((( [email protected]_19.36.16 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-23 12:00 . 2012-01-13 00:50 60180 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2012-03-26 10:24 60180 c:\windows\system32\perfc009.dat
- 2009-01-05 02:04 . 2012-03-18 21:21 5536 c:\windows\system32\d3d9caps.dat
+ 2009-01-05 02:04 . 2012-03-28 01:52 5536 c:\windows\system32\d3d9caps.dat
+ 2001-08-23 12:00 . 2012-03-26 10:24 377306 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2012-01-13 00:50 377306 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 12:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-08 543232]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"HostManager"="c:\program files\Common Files\AOL\1169214453\ee\AOLSoftware.exe" [2006-05-24 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-06 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-06 138008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-11 421888]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CHotkey"="zHotkey.exe" [2004-12-08 550912]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Finn\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2009-1-5 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Finn^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\Finn\\Desktop\\eclipse-java-ganymede-SR1-win32\\eclipse\\eclipse.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\RosettaStoneVersion3.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone TOTALe\\RosettaStoneTOTALe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*isabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*isabled:SolidNetworkManager
"57224:TCP"= 57224:TCPando Media Booster
"57224:UDP"= 57224:UDPando Media Booster
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"<NO NAME>"= 
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [1/25/2012 11:16 56208]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/4/2009 03:36 717296]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [12/15/2011 17:55 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [1/25/2012 11:16 71440]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [1/25/2012 11:16 164112]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [12/30/2009 19:04 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [12/30/2009 19:04 234888]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\documents and settings\Finn\Desktop\hw32_236\HWiNFO32.sys [11/21/2008 10:48 16616]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [1/25/2012 11:16 931640]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [5/17/2010 14:45 1615176]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 07:26 135664]
S2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [1/2/2009 21:39 126976]
S3 BGRaSvc;BGRaSvc;"c:\program files\BullGuard Software\BullGuard\support\bgrasvc.exe" --> c:\program files\BullGuard Software\BullGuard\support\bgrasvc.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 07:26 135664]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [8/7/2011 13:43 21520]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 08:01 2799808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs REG_MULTI_SZ ???t eaphost
dot3svc REG_MULTI_SZ ???c dot3svc
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-01-02 12:42]
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003Core.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003UA.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2011-02-08 c:\windows\Tasks\Reimage Reminder.job
- c:\program files\Reimage\Reimage Repair\ReimageReminder.exe [2011-02-03 13:09]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
DPF: Microsoft XML Parser for Java
FF - ProfilePath - 
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-28 04:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-03-28 04:07:20
ComboFix-quarantined-files.txt 2012-03-28 03:07
ComboFix2.txt 2012-03-26 23:42
ComboFix3.txt 2012-03-23 19:13
ComboFix4.txt 2012-03-21 19:41
.
Pre-Run: 11,266,744,320 bytes free
Post-Run: 11,258,740,736 bytes free
.
- - End Of File - - 2DF537994798BB99F39AD84CA1A0558E


----------



## eddie5659 (Mar 19, 2001)

Hmmm, not sure why it keeps asking for the Recovery Console, but just leave it as it is, as it's showing as installed.

In the meantime, can you do this for me:

Please download *DeFogger* to your *desktop*.

Double click *DeFogger* to run the tool.

1. The application window will appear
2. Click the *Disable* button to disable your CD Emulation drivers
3. Click *Yes* to continue
4. A *'Finished!'* message will appear
5. Click *OK*
6. DeFogger will now ask to reboot the machine - click *OK*

*IMPORTANT!* If you receive an error message while running DeFogger, please post the log *defogger_disable* which will appear on your desktop.

*Do not* re-enable these drivers until otherwise instructed.

Then, can you re-run ASWMBR again, on a scan like you initially did, and post the log.


----------



## Justletmepost (Mar 11, 2012)

Ran defogger without problems.

When I ran aswmbr, decided on a possibly foolish whim to plug in the ethernet and let it download those AVAST virus definitions. I hope I won't regret connecting the infected computer to the internet unnecessarily. I don't think the Avast scan actually completed, anyway - it just got stuck on one folder (really should have taken note of what it was....it was in All Users, at least) for hours until I decided to give up and click Save Log.

===============================================
*aswmbr log after running defogger*
===============================================
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-28 21:42:50
-----------------------------
21:42:50.984 OS Version: Windows 5.1.2600 Service Pack 3
21:42:50.984 Number of processors: 2 586 0x1706
21:42:50.984 ComputerName: FINN-GE6QC5 UserName: Finn
21:42:53.171 Initialize success
21:46:56.953 AVAST engine defs: 12032801
21:48:40.984 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:48:41.000 Disk 0 Vendor: ST3160815AS 4.AAA Size: 152627MB BusType: 3
21:48:41.015 Disk 0 MBR read successfully
21:48:41.015 Disk 0 MBR scan
21:48:41.062 Disk 0 Windows XP default MBR code
21:48:41.062 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 131061 MB offset 63
21:48:41.078 Disk 0 scanning sectors +268414020
21:48:41.203 Disk 0 scanning C:\WINDOWS\system32\drivers
21:49:03.078 Service scanning
21:50:02.062 Modules scanning
21:50:14.671 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**
21:50:17.546 Module: C:\WINDOWS\system32\ntdll.dll **SUSPICIOUS**
21:50:17.546 Disk 0 trace - called modules:
21:50:17.562 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys 
21:50:17.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7ffab8]
21:50:17.578 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\000000a2[0x8a7fb2d8]
21:50:17.578 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a800940]
21:50:19.078 AVAST engine scan C:\
23:40:36.359 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Finn\Desktop\MBR.dat"
23:40:36.359 The log file has been saved successfully to "C:\Documents and Settings\Finn\Desktop\aswMBR_after_defogger.txt"


----------



## eddie5659 (Mar 19, 2001)

It should be okay to log on the internet, but we'll carry on even though it stuck on a folder 

------------

Can you see if you can uninstall these (only one may show):
*Vuze Toolbar*
*Ask Toolbar*

Then, can you run this fix:

Run OTL 

Under the *Custom Scans/Fixes* box at the bottom, paste in the following 

```
:OTL
PRC - [2009/04/02 12:47:04 | 000,234,888 | ---- | M] () -- C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
PRC - [2009/04/02 12:47:02 | 000,464,264 | ---- | M] () -- C:\Program Files\AskBarDis\bar\bin\AskService.exe
MOD - [2009/04/02 12:47:04 | 000,234,888 | ---- | M] () -- C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
MOD - [2009/04/02 12:47:02 | 000,464,264 | ---- | M] () -- C:\Program Files\AskBarDis\bar\bin\AskService.exe
SRV - File not found [On_Demand | Stopped] -- -- (MSDTC)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - File not found [On_Demand | Stopped] -- -- (iPod Service)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\BullGuard Software\BullGuard\support\bgrasvc.exe -- (BGRaSvc)
SRV - [2009/04/02 12:47:04 | 000,234,888 | ---- | M] () [Auto | Running] -- C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe -- (ASKUpgrade)
SRV - [2009/04/02 12:47:02 | 000,464,264 | ---- | M] () [Auto | Running] -- C:\Program Files\AskBarDis\bar\bin\AskService.exe -- (ASKService)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (EagleNT)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (axs71oml)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (autvhncu)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\AFGSp50.sys -- (AFGSp50)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\AFGMp50.sys -- (AFGMp50)
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: File not found
FF - HKLM\Software\MozillaPlugins\@yverinfo.yahoo.com/YahooVersionInfoPlugin;version=1.0.0.1: File not found
File not found (No name found) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
@Alternate Data Stream - 987 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:hLXU3ApKgF4zH4NFvaKAYv6U
@Alternate Data Stream - 1181 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:N8OiaQpowBd9eS5o7VTnK78bLMX0
@Alternate Data Stream - 1173 bytes -> C:\Documents and Settings\Finn\Local Settings\Application Data\RrfAVfog:xv6Wij3iLukewgJHKJT
@Alternate Data Stream - 1172 bytes -> C:\Program Files\Common Files\Microsoft Shared:AHTRWoYdSQfim69aQCm
@Alternate Data Stream - 1017 bytes -> C:\Documents and Settings\Finn\Local Settings\Application Data\oovlLTQFvMNO:tx1FoL3AopAxvWTLFSg
:Files
ipconfig /flushdns /c
:Commands 
[purity] 
[resethosts] 
[emptytemp] 
[emptyjava]
[EMPTYFLASH] 
[CREATERESTOREPOINT] 
[Reboot]
```

Then click the *Run Fix* button at the top 
Click OK.
OTL may ask to reboot the machine. Please do so if asked.

The report should appear in Notepad after the reboot. Copy/Paste the report in your next reply.

eddie


----------



## Justletmepost (Mar 11, 2012)

I had to log into that new user profile I made, temp_for_fix, to get the report to show up after the reboot. There's *definitely* something wrong with the Finn user account.

=================================================
*OTL custom fix log*
=================================================
All processes killed
========== OTL ==========
No active process named ASKUpgrade.exe was found!
No active process named AskService.exe was found!
Service MSDTC stopped successfully!
Service MSDTC deleted successfully!
Service JavaQuickStarterService stopped successfully!
Service JavaQuickStarterService deleted successfully!
File C:\Program Files\Java\jre6\bin\jqs.exe not found.
Service iPod Service stopped successfully!
Service iPod Service deleted successfully!
Service BGRaSvc stopped successfully!
Service BGRaSvc deleted successfully!
File C:\Program Files\BullGuard Software\BullGuard\support\bgrasvc.exe not found.
Error: No service named ASKUpgrade was found to stop!
Service\Driver key ASKUpgrade not found.
File C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe not found.
Error: No service named ASKService was found to stop!
Service\Driver key ASKService not found.
File C:\Program Files\AskBarDis\bar\bin\AskService.exe not found.
Service WDICA stopped successfully!
Service WDICA deleted successfully!
Service PDRFRAME stopped successfully!
Service PDRFRAME deleted successfully!
Service PDRELI stopped successfully!
Service PDRELI deleted successfully!
Service PDFRAME stopped successfully!
Service PDFRAME deleted successfully!
Service PDCOMP stopped successfully!
Service PDCOMP deleted successfully!
Service PCIDump stopped successfully!
Service PCIDump deleted successfully!
Service lbrtfdc stopped successfully!
Service lbrtfdc deleted successfully!
Service EagleNT stopped successfully!
Service EagleNT deleted successfully!
Service Changer stopped successfully!
Service Changer deleted successfully!
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys not found.
Error: No service named axs71oml was found to stop!
Service\Driver key axs71oml not found.
Error: No service named autvhncu was found to stop!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\autvhncu deleted successfully.
Service AFGSp50 stopped successfully!
Service AFGSp50 deleted successfully!
File System32\Drivers\AFGSp50.sys not found.
Service AFGMp50 stopped successfully!
Service AFGMp50 deleted successfully!
File System32\Drivers\AFGMp50.sys not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\CustomSearch| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@java.com/JavaPlugin\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@nexon.net/NxGame\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@yverinfo.yahoo.com/YahooVersionInfoPlugin;version=1.0.0.1\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{201f27d4-3704-41d6-89c1-aa35e39143ed}\ not found.
File C:\Program Files\AskBarDis\bar\bin\askBar.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{3041d03e-fd4b-44e0-b742-2d9b88305f98} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041d03e-fd4b-44e0-b742-2d9b88305f98}\ not found.
File C:\Program Files\AskBarDis\bar\bin\askBar.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Starting removal of ActiveX control Microsoft XML Parser for Java Reg Error: Value error.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java Reg Error: Value error.\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java Reg Error: Value error.\ not found.
Registry key HKEY_CURRENT_USER\Software\Classes\.exe\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\exefile\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
C:\WINDOWS\002902_.tmp deleted successfully.
C:\WINDOWS\003050_.tmp deleted successfully.
C:\WINDOWS\006526_.tmp deleted successfully.
C:\WINDOWS\1C4551A64743409391E41477CD655043.TMP\WiseCustomCalla.dll deleted successfully.
C:\WINDOWS\1C4551A64743409391E41477CD655043.TMP\WiseData.ini deleted successfully.
C:\WINDOWS\1C4551A64743409391E41477CD655043.TMP folder deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET7.tmp deleted successfully.
C:\WINDOWS\SET88.tmp deleted successfully.
C:\WINDOWS\SET94.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\Microsoft:hLXU3ApKgF4zH4NFvaKAYv6U deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\Microsoft:N8OiaQpowBd9eS5o7VTnK78bLMX0 deleted successfully.
ADS C:\Documents and Settings\Finn\Local Settings\Application Data\RrfAVfog:xv6Wij3iLukewgJHKJT deleted successfully.
ADS C:\Program Files\Common Files\Microsoft Shared:AHTRWoYdSQfim69aQCm deleted successfully.
ADS C:\Documents and Settings\Finn\Local Settings\Application Data\oovlLTQFvMNO:tx1FoL3AopAxvWTLFSg deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Finn\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Finn\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
-> No Temporary Internet Files cache folder defined!
->FireFox cache emptied: 3440528 bytes

User: All Users
-> No Temporary Internet Files cache folder defined!

User: Default User
->Temp folder emptied: 0 bytes
-> No Temporary Internet Files cache folder defined!

User: f6062011
-> No Temporary Internet Files cache folder defined!

User: Finn
->Temp folder emptied: 1554671365 bytes
-> No Temporary Internet Files cache folder defined!
->FireFox cache emptied: 162208899 bytes
->Google Chrome cache emptied: 221113702 bytes

User: LocalService
->Temp folder emptied: 0 bytes
-> No Temporary Internet Files cache folder defined!

User: MyDocumentsFromOtherComputer
-> No Temporary Internet Files cache folder defined!

User: NetworkService
->Temp folder emptied: 0 bytes
-> No Temporary Internet Files cache folder defined!

User: publicversionofMyDocuments_see_other_HD
-> No Temporary Internet Files cache folder defined!

User: Temp_for_fix
->Temp folder emptied: 0 bytes
-> No Temporary Internet Files cache folder defined!

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 53795619 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 11372 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33996 bytes
RecycleBin emptied: shell32.dll unable to determine bytes removed.

Total Files Cleaned = 1,903.00 mb

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: f6062011

User: Finn

User: LocalService

User: MyDocumentsFromOtherComputer

User: NetworkService

User: publicversionofMyDocuments_see_other_HD

User: Temp_for_fix

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: f6062011

User: Finn

User: LocalService

User: MyDocumentsFromOtherComputer

User: NetworkService

User: publicversionofMyDocuments_see_other_HD

User: Temp_for_fix

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.39.2 log created on 03292012_232522

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


----------



## Justletmepost (Mar 11, 2012)

bump


----------



## eddie5659 (Mar 19, 2001)

No need to bump, I was busy most of the weekend, but I got the email reply 

Download *CKScanner* from *here*

*Important :* Save it to your desktop. 

Double-click CKScanner.exe and click *Search For Files*. 
After a very short time, when the cursor hourglass disappears, click *Save List To File*. 
A message box will verify that the file is saved. 
Double-click the *CKFiles.txt* icon on your desktop and copy/paste the contents in your next reply.

--------

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:

```
:dir
c:\documents and settings\finn\application data\Qerayw
c:\documents and settings\finn\application data\Tuyzynv
c:\documents and settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E
:file
c:\documents and settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E
:reg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost /sub
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List /sub
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /sub
:filefind
*DAEMON
*Viewpoint
*Vuze
*Ask Toolbar
:folderfind
*DAEMON
*Viewpoint
*Vuze
*Ask Toolbar
:regfind
*DAEMON
*Viewpoint
*Vuze
*Ask Toolbar
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop, entitled *SystemLook.txt*


----------



## Justletmepost (Mar 11, 2012)

...when I turned on the infected computer just now and tried to log into the Finn profile, it told me:
"Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. 
DETAIL - The process cannot access the file because it is being used by another process. "
And then that it was logging me in with a temporary profile. 



Could this have anything to do with the OTL custom fix? >_>


There seems to be no problem with logging into the Temp_for_fix profile. I'd run the tools you just suggested on that, but you say it's important that I run CKscanner from the desktop. Which desktop? Should I put it in Finn's desktop folder even while working from the Temp_for_fix profile, and run it from there? Or put it on Temp_for_fix's desktop? Or what?


----------



## eddie5659 (Mar 19, 2001)

You said this here:



> My user account in normal Windows has admin rights, yes.
> But in response to what you said, and a whim, I tried creating a new user account with admin rights (called Temp_for_fix) and running combofix on that...and that way I was able to do the full scan without having to go into safe mode! (So it seems there's a problem localized to my main user account specifically)


http://forums.techguy.org/8301537-post32.html

So, it appears to have been corrupt from there, and you did say that only the Admin account worked properly in safe mode.

The OTL fix didn't remove anything that could have caused this.

This is what Microsoft have: http://support.microsoft.com/kb/812339

Did you notice if the Admin account was having problems at the very beginning of this thread, when you originally found the virus and started to remove it?

Are your folders etc still hidden? If so, run this tool to see if they come back, as this may help:

http://download.bleepingcomputer.com/grinler/unhide.exe

---

For CKscanner, see if running on the new account works, that you just created.

Also, if you boot to SafeMode, does the message for the Admin account appear?

If you can also run the following Systemlook for me, that would be great. I've added something else to look for, so use the new one below:

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:

```
:dir
c:\documents and settings\finn\application data\Qerayw
c:\documents and settings\finn\application data\Tuyzynv
c:\documents and settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E
:file
c:\documents and settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E
:reg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost /sub
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List /sub
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /sub
:filefind
*StiSvc
*DAEMON
*Viewpoint
*Vuze
*Ask Toolbar
:folderfind
*DAEMON
*Viewpoint
*Vuze
*Ask Toolbar
:regfind
*DAEMON
*Viewpoint
*Vuze
*Ask Toolbar
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop, entitled *SystemLook.txt*

eddie


----------



## Justletmepost (Mar 11, 2012)

...

...started up the infected computer again. Didn't get that error about the Finn profile being corrupt this time. It loaded with no problems. Utterly baffled. I never did anything on that computer after noticing that error and posting my last post, I just turned it off. But now it's fine? Restarted the computer a further three times, couldn't reproduce the problem. I don't get it, but apparently the "corrupt" profile has fixed itself on its own?

Thus, ran all the tools you just suggested on Finn account.

Yes, folders were still hidden.
Ran Unhide.exe. It noted (as shown in log below) that it couldn't restore missing start menu items due to a missing folder, and directed me to a forum post to see how to deal with it. Decided to leave that for the time being. C:/ folder still set to Hidden. Rebooted. On startup, computer automatically ran CHKDSK from a blue screen for some reason, saying my disk needed to be checked for consistency. When that was done, found C:/ folder still set to Hidden. Rebooted again. C:/ still hidden, no CHKDSK this time.
Checked out that forum post link in the log. Found this quote about unhide.exe: " It will not, though, unhide any files that also have the +S attribute.". Presumably that's why C:/ (and Program Files, I see) is still Hidden. Downloaded that post's script (winxp pro version) for resetting your Start Menu items to default, but decided not to run it because I'm not sure if "Start Menu items" includes stuff under All Programs (which is still intact for me).

When I ran CKScanner, I immediately got an error message: "Failed to create key MainForm" before it proceeded to open the CKScanner window. Ran the scan (which actually took longer than ten minutes), saved the log below. When I tried to close the CKScanner window (whether by the standard Windows close button or by CK's Exit button) I got that "Failed to create key MainForm" error again and it didn't actually close. I had to terminate it from Task Manager.

Ran Systemlook (with the stuff from your second post) with no problems.

Restarted computer again for good measure. No obvious new problems.

LOG TIME.

===============================================
*unhide.txt*
===============================================
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 04/03/2012 01:13:11 AM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 578104 files processed.

The C:\WINDOWS\TEMP\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
No registry changes detected.

Program finished at: 04/03/2012 01:43:07 AM
Execution time: 0 hours(s), 29 minute(s), and 56 seconds(s)

===============================================
*ckfiles.txt*
===============================================
CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\finn\application data\yoclient\rsrc\bundles\tiles\outdoors\base\bundle\crackedmud.raw
c:\documents and settings\finn\application data\yoclient\rsrc\bundles\tiles\outdoors\structures\bundle\jettyedge_crack.raw
c:\documents and settings\finn\desktop\fraps_2.9.6_cracked.rar
c:\documents and settings\finn\desktop\fyp notes\cryptload_1.1.8\plugins\crypt.dll
c:\documents and settings\finn\desktop\fyp notes\netserver\bin\stable\php4\extensions\php_crack.dll
c:\documents and settings\finn\desktop\samples\c++\direct3d\uvatlas\crackdecl.cpp
c:\documents and settings\finn\desktop\samples\c++\direct3d\uvatlas\crackdecl.h
c:\program files\alias\maya 7.0 personal learning edition\brushes\fun\cracks.mel
c:\program files\alias\maya 7.0 personal learning edition\brushes\fun\cracks.mel.icon
c:\program files\alias\maya 7.0 personal learning edition\scripts\others\crackshatter.mel
c:\program files\gimp-2.0\share\gimp\2.0\patterns\cracked.pat
c:\program files\microsoft directx sdk (august 2008)\samples\c++\direct3d\uvatlas\crackdecl.cpp
c:\program files\microsoft directx sdk (august 2008)\samples\c++\direct3d\uvatlas\crackdecl.h
c:\program files\microsoft directx sdk (december 2006)\samples\c++\direct3d\uvatlas\crackdecl.cpp
c:\program files\microsoft directx sdk (december 2006)\samples\c++\direct3d\uvatlas\crackdecl.h
c:\program files\ssh communications security\ssh secure shell\ssh-keygen2.exe
scanner sequence 3.IG.11.IINALA
----- EOF -----

===============================================
*systemlook.txt*
===============================================
SystemLook 30.07.11 by jpshortstuff
Log created at 04:09 on 03/04/2012 by Finn
Administrator - Elevation successful

========== dir ==========

c:\documents and settings\finn\application data\Qerayw - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

c:\documents and settings\finn\application data\Tuyzynv - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

c:\documents and settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E - Parameters: "(none)"

---Files---
F4D55F17000073230120E1C3D151FC4E --a---- 328 bytes [20:37 07/03/2012] [22:24 08/03/2012]

---Folders---
None found.

========== file ==========

c:\documents and settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E - Unable to find/read file.

========== reg ==========

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"LocalService"="Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV"
"NetworkService"="DnsCache"
"netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt TermService wuauserv BITS ShellHWDetection helpsvc xmlprov wscsvc napagent hkmsvc"
"rpcss"="RpcSs"
"imgsvc"="StiSvc"
"termsvcs"="TermService"
"HTTPFilter"="HTTPFilter"
"DcomLaunch"="DcomLaunch TermService"
"eapsvcs"="慥桰獯t eaphost"
"dot3svc"="潤㍴癳c dot3svc"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"DefaultRpcStackSize"= 0x0000000008 (8)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\dot3svc]
"AuthenticationCapabilities"= 0x0000003020 (12320)
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\eapsvcs]
"AuthenticationCapabilities"= 0x0000003020 (12320)
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter]
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"AuthenticationCapabilities"= 0x0000002000 (8192)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"AuthenticationCapabilities"= 0x0000003020 (12320)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth]
"CoInitializeSecurityParam"= 0x0000000002 (2)
"AuthenticationCapabilities"= 0x0000000040 (64)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"DefaultRpcStackSize"= 0x0000000008 (8)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:*:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:*:Enabled:@xpsp2res.dll,-22002"
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"
"9842:TCP"="9842:TCP:*:Disabled:SolidNetworkManager"
"9842:UDP"="9842:UDP:*:Disabled:SolidNetworkManager"
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"57224:TCP"="57224:TCP:*:Enabled:Pando Media Booster"
"57224:UDP"="57224:UDP:*:Enabled:Pando Media Booster"
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"3724:TCP"="3724:TCP:*:Enabled:Blizzard Downloader: 3724"
@=""

========== filefind ==========

Searching for "*StiSvc"
No files found.

Searching for "*DAEMON"
No files found.

Searching for "*Viewpoint"
No files found.

Searching for "*Vuze"
C:\Documents and Settings\Finn\Application Data\Azureus\subs\26C0589314DD8BF44930.vuze --a---- 2625 bytes [07:55 30/11/2010] [07:55 30/11/2010] B48CA77013757553FBDC2AC482B0223A
C:\Documents and Settings\Finn\Application Data\Azureus\subs\277ACC855F44411975B6.vuze --a---- 3005 bytes [07:55 30/11/2010] [07:55 30/11/2010] 6322A3E2223D1562E9187887B59C8345
C:\Documents and Settings\Finn\Application Data\Azureus\subs\342B99025BEC42B98FD0.vuze --a---- 1105 bytes [18:20 30/12/2009] [18:20 30/12/2009] 76208FC54E484C55099384164A3B5A67
C:\Documents and Settings\Finn\Application Data\Azureus\subs\A29987CF9CA4C6EAEA4D.vuze --a---- 3006 bytes [07:55 30/11/2010] [07:55 30/11/2010] 329B430F55B3B7443B7832E39B054A0B
C:\Documents and Settings\Finn\Application Data\Azureus\subs\EF82A8EFB1D60FB4232E.vuze --a---- 3222 bytes [07:35 30/11/2010] [07:35 30/11/2010] CCD97AB04E82FEEE21F377AF2FD95A0A

Searching for "*Ask Toolbar"
No files found.

========== folderfind ==========

Searching for "*DAEMON"
No folders found.

Searching for "*Viewpoint"
No folders found.

Searching for "*Vuze"
No folders found.

Searching for "*Ask Toolbar"
No folders found.

========== regfind ==========

Searching for "*DAEMON"
No data found.

Searching for "*Viewpoint"
No data found.

Searching for "*Vuze"
No data found.

Searching for "*Ask Toolbar"
No data found.

-= EOF =-


----------
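The GloballyOpenPorts values that SystemLook dumped in the post above are the XP firewall's per-profile exception lists, one value per port in the form port:proto:scope:state:name. They are easier to triage by parsing than by eye, so here is an added example (not code from the thread, from SystemLook's author, or from any of the tools mentioned) that reads a SystemLook-style ":reg ... /sub" dump and flags exceptions that are enabled with scope * (any address) on ports a home machine should not expose. The sample dump is constructed from the format shown in the log, and the RISKY_PORTS set is this editor's assumption, not something the thread states.

```python
"""Triage XP firewall GloballyOpenPorts entries from a SystemLook registry dump.

Added example. SAMPLE_DUMP is constructed in the format SystemLook prints;
nothing here touches a live registry, so it runs on any platform.
"""
import re
from dataclasses import dataclass

# Constructed sample: two profiles, a mix of enabled/disabled and scopes.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"9842:TCP"="9842:TCP:*:Disabled:SolidNetworkManager"
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"3724:TCP"="3724:TCP:*:Enabled:Blizzard Downloader: 3724"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
@=""
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_dump(text):
    """Return {key_path: {value_name: data}} from SystemLook ':reg ... /sub' output."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


@dataclass
class PortRule:
    profile: str   # DomainProfile or StandardProfile
    port: int
    proto: str     # TCP or UDP
    scope: str     # '*' (any address), 'LocalSubNet', or an address list
    enabled: bool
    name: str      # display name, often an '@dll,-id' resource reference


def parse_port_rule(profile, data):
    """Entry format: port:proto:scope:Enabled|Disabled:name (name may contain ':')."""
    parts = data.split(':', 4)
    if len(parts) != 5:
        raise ValueError(f'unexpected GloballyOpenPorts entry: {data!r}')
    port, proto, scope, state, name = parts
    return PortRule(profile, int(port), proto.upper(), scope,
                    state.lower() == 'enabled', name)


def firewall_rules(dump):
    """Collect PortRules from every GloballyOpenPorts\\List key in the dump.

    Entries that do not parse are returned separately, not silently dropped."""
    rules, skipped = [], []
    for key, values in dump.items():
        if not key.upper().endswith(r'\GLOBALLYOPENPORTS\LIST'):
            continue
        profile = key.split('\\')[-3]   # ...\<Profile>\GloballyOpenPorts\List
        for data in values.values():
            try:
                rules.append(parse_port_rule(profile, data))
            except ValueError:
                skipped.append((key, data))
    return rules, skipped


# Ports that should not be reachable from any address on a home XP box:
# RPC endpoint mapper, NetBIOS, SMB and Remote Desktop (author's assumption).
RISKY_PORTS = {135, 137, 138, 139, 445, 3389}


def risky_rules(rules):
    """Enabled exceptions with scope '*' on a risky port."""
    return [r for r in rules if r.enabled and r.scope == '*' and r.port in RISKY_PORTS]


if __name__ == '__main__':
    rules, skipped = firewall_rules(parse_reg_dump(SAMPLE_DUMP))
    for r in risky_rules(rules):
        print(f'{r.profile}: {r.port}/{r.proto} open to {r.scope} ({r.name})')
```

On the constructed sample the two hits are 139/TCP on the domain profile and 3389/TCP on the standard profile; disabled entries and LocalSubNet-scoped ones are left alone. Whether a hit like Remote Desktop open to every address was enabled by the user on purpose or by something else is the question to put to the machine's owner next.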



## eddie5659 (Mar 19, 2001)

Good to see the profile now works, may be one of those things that happens and we never know what made it work again 

I'll look into the CKScanner error, it may be due to the hidden drive, but I'll see what I can find out about it 

--------


Double-click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted. 
Under the Custom Scan box paste this in


```
/md5start
explorer.exe
winlogon.exe
userinit.exe
svchost.exe
consrv.dll
mswsock.dll
dxgthk.sys
ntdll.dll
/md5stop
%windir%\system32\tasks\*.*
```

Then click the *Run Scan* button at the top 
When the scan completes, it will open a notepad window. *OTL.Txt*. This is saved in the same location as OTL. 
Please copy *(Edit->Select All, Edit->Copy)* the contents of this file

--------

Also, can you run this tool for me? It's called OTS, and it's similar to OTL 

Download *OTS* to your Desktop and double-click on it to run it 

Make sure you close all other programs and *don't* use the PC while the scan runs. 
Now click the *Run Scan* button on the toolbar. Make sure not to use the PC while the program is running or it will freeze. 
When the scan is complete Notepad will open with the report file loaded in it. 
Click the *Format* menu and make sure that *Wordwrap* is not checked. If it is then click on it to uncheck it. 
Use the Add Reply button and post the information back here in an *attachment*. I will review it when it comes in. The last line is *< End of Report >*, so make sure that is the last line in the attached report.

*Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way*

eddie


----------
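The /md5start ... /md5stop block in the OTL custom scan above asks OTL for a hash of each named system binary (explorer.exe, winlogon.exe, userinit.exe, svchost.exe and so on), which the helper then compares by hand against a clean copy of the same Windows build. The following is an added example, not OTL's code or anything from the thread, of doing that comparison programmatically: stream-hash each file in a baseline and report ok, MISMATCH or MISSING. The files, their "patched" modification and the baseline are all constructed in a temporary directory so the script runs on any platform; on a real machine the baseline would have to come from a known-clean install of the same service pack, which is an assumption this thread does not supply.

```python
"""Integrity check of listed files against a known-good hash baseline.

Added example. build_sample() fabricates three stand-in binaries and a
baseline in a temp directory; demo() tampers with one of them the way a
file-infector would and runs the check.
"""
import hashlib
import os
import tempfile


def file_digest(path, algo='sha256', chunk=1 << 16):
    """Hash a file in chunks so large binaries never have to fit in memory.

    algo is any hashlib name; 'md5' matches what OTL prints, 'sha256' is the
    sensible default when you build a fresh baseline yourself."""
    h = hashlib.new(algo)
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def check_baseline(baseline, algo='sha256'):
    """baseline: {path: expected_hexdigest}. Returns {path: 'ok'|'MISMATCH'|'MISSING'}.

    A file that is absent is reported, not skipped: a missing winlogon.exe is
    at least as interesting as a modified one."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            report[path] = 'MISSING'
            continue
        actual = file_digest(path, algo)
        report[path] = 'ok' if actual.lower() == expected.lower() else 'MISMATCH'
    return report


def build_sample(root):
    """Constructed stand-in for the system directory plus its clean baseline."""
    contents = {
        'winlogon.exe': b'MZ clean winlogon',
        'userinit.exe': b'MZ clean userinit',
        'svchost.exe':  b'MZ clean svchost',
    }
    baseline = {}
    for name, data in contents.items():
        path = os.path.join(root, name)
        with open(path, 'wb') as f:
            f.write(data)
        baseline[path] = hashlib.sha256(data).hexdigest()
    # A file the baseline expects but which is absent from disk.
    baseline[os.path.join(root, 'consrv.dll')] = hashlib.sha256(b'MZ clean consrv').hexdigest()
    return baseline


def demo():
    """Patch one binary (append bytes, as a file-infector might) and run the check."""
    root = tempfile.mkdtemp()
    baseline = build_sample(root)
    with open(os.path.join(root, 'userinit.exe'), 'ab') as f:
        f.write(b'\x90\x90 appended payload')
    report = check_baseline(baseline)
    return {os.path.basename(p): status for p, status in report.items()}


if __name__ == '__main__':
    for name, status in demo().items():
        print(f'{status:9s} {name}')
```

A mismatch does not by itself prove infection (a hotfix can legitimately replace any of these files), which is why the baseline has to be taken from the same build and patch level; the useful property is that a clean report is strong evidence that the listed loaders and hosts were not tampered with.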



## Justletmepost (Mar 11, 2012)

==============================================
*OTL log*
==============================================
OTL logfile created on: 04/04/2012 22:02:14 - Run 2
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Finn\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: | Country: | Language: | Date Format:

1.98 Gb Total Physical Memory | 1.59 Gb Available Physical Memory | 80.29% Memory free
3.83 Gb Paging File | 3.61 Gb Available in Paging File | 94.24% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 11.81 Gb Free Space | 9.23% Space Free | Partition Type: NTFS
Drive F: | 61.21 Mb Total Space | 37.82 Mb Free Space | 61.78% Space Free | Partition Type: FAT32

Computer Name: FINN-GE6QC5 | User Name: Finn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/23 20:26:00 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Finn\Desktop\OTL.exe
PRC - [2012/01/25 11:16:28 | 000,931,640 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2010/05/17 14:45:32 | 001,615,176 | ---- | M] (Rosetta Stone Ltd.) -- C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
PRC - [2008/12/16 22:59:50 | 000,150,040 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2006/02/06 12:55:42 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2005/04/27 00:37:56 | 000,020,537 | ---- | M] (Apache Software Foundation) -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\apache.exe
PRC - [2005/04/02 02:51:48 | 000,217,600 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
PRC - [2004/07/16 22:26:44 | 000,126,976 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
PRC - [2004/05/07 09:20:52 | 000,024,681 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe

========== Modules (No Company Name) ==========

MOD - [2011/11/03 16:28:36 | 001,292,288 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2011/08/07 13:43:07 | 000,516,368 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportMS.dll
MOD - [2011/02/04 18:48:30 | 000,291,840 | ---- | M] () -- C:\WINDOWS\system32\sbe.dll
MOD - [2009/02/12 10:38:25 | 000,051,716 | ---- | M] () -- C:\WINDOWS\system32\pdf995mon.dll
MOD - [2008/04/14 01:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/14 01:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2005/07/11 16:26:52 | 000,671,744 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_pdf.dll
MOD - [2005/07/11 16:26:52 | 000,040,960 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_sockets.dll
MOD - [2005/07/11 16:26:52 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\php4apache2.dll
MOD - [2005/07/11 16:26:50 | 001,531,904 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_mbstring.dll
MOD - [2005/07/11 16:26:50 | 000,794,624 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_gd2.dll
MOD - [2005/07/11 16:26:44 | 000,061,440 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_bz2.dll
MOD - [2004/09/29 09:16:30 | 000,118,867 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\modules\mod_perl.so
MOD - [2004/07/16 22:26:44 | 000,126,976 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
MOD - [2004/07/16 22:26:44 | 000,065,536 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\lib\wrapper.dll
MOD - [2004/05/07 09:20:54 | 000,057,455 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\net.dll
MOD - [2004/05/07 09:20:54 | 000,057,453 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\verify.dll
MOD - [2004/05/07 09:20:54 | 000,053,364 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\zip.dll
MOD - [2004/05/07 09:20:52 | 000,102,515 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.dll
MOD - [2004/05/07 09:20:52 | 000,028,791 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\hpi.dll
MOD - [2004/05/07 09:20:52 | 000,024,681 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
MOD - [2004/05/07 09:20:50 | 001,212,546 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\client\jvm.dll

========== Win32 Services (SafeList) ==========

SRV - [2012/01/25 11:16:28 | 000,931,640 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2011/08/30 13:39:52 | 001,045,256 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/05/17 14:45:32 | 001,615,176 | ---- | M] (Rosetta Stone Ltd.) [Auto | Running] -- C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe -- (RosettaStoneDaemon)
SRV - [2008/12/16 22:59:50 | 000,150,040 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2006/02/06 12:55:42 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2005/09/23 08:01:16 | 002,799,808 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon80)
SRV - [2005/04/27 00:37:56 | 000,020,537 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\apache.exe -- (Apache)
SRV - [2005/04/02 02:51:48 | 000,217,600 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe -- (StarWindService)
SRV - [2004/07/16 22:26:44 | 000,126,976 | ---- | M] () [Auto | Running] -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe -- (mple7docserver)
SRV - [2003/05/19 17:07:38 | 000,086,016 | ---- | M] (Yahoo! Inc.) [On_Demand | Stopped] -- C:\WINDOWS\System32\YPCSER~1.EXE -- (YPCService)

========== Driver Services (SafeList) ==========

DRV - [2012/01/25 11:16:44 | 000,164,112 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2012/01/25 11:16:44 | 000,071,440 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2012/01/25 11:16:44 | 000,056,208 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2011/12/15 17:55:49 | 000,228,208 | ---- | M] () [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys -- (RapportCerberus_34302)
DRV - [2011/08/07 13:43:07 | 000,021,520 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Stopped] -- c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys -- (RapportIaso)
DRV - [2009/08/22 19:25:00 | 000,009,088 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys -- (RivaTuner32)
DRV - [2009/01/08 03:19:41 | 000,025,280 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\hamachi.sys -- (hamachi)
DRV - [2009/01/06 12:51:45 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/12/17 07:02:08 | 000,023,832 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\lvuvcflt.sys -- (FilterService)
DRV - [2008/12/17 07:01:44 | 006,364,440 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 9000(UVC)
DRV - [2008/12/17 07:01:22 | 000,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/12/17 07:00:14 | 000,768,024 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\lvrs.sys -- (LVRS)
DRV - [2008/12/16 22:58:54 | 000,025,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\DRIVERS\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2008/11/21 10:48:56 | 000,016,616 | ---- | M] (REALiX(tm)) [Kernel | Auto | Running] -- C:\Documents and Settings\Finn\Desktop\hw32_236\HWiNFO32.SYS -- (HWiNFO32)
DRV - [2008/04/13 19:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\NMnt.sys -- (nm)
DRV - [2008/04/13 19:45:34 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\IrBus.sys -- (IrBus)
DRV - [2007/06/22 19:14:40 | 004,432,384 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/03/24 17:53:07 | 000,018,003 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)
DRV - [2005/12/14 21:46:58 | 000,160,256 | ---- | M] (Hauppauge Computer Works, Inc.) [23|25|26]xxx) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\hcwPP2.sys -- (hcwPP2)
DRV - [2005/10/25 00:17:40 | 000,162,816 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\rt25usbap.sys -- (RT25USBAP)
DRV - [2005/09/26 16:07:00 | 003,644,800 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/03/17 17:51:16 | 001,033,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/03/17 17:50:36 | 000,221,440 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/03/17 17:50:32 | 000,705,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - [2004/11/15 18:41:54 | 000,036,804 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\sunkfilt.sys -- (SunkFilt)
DRV - [2004/04/14 05:14:12 | 000,070,144 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\Rtlnicxp.sys -- (RTL8023xp)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}:5.6.0.8153
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: C:\Program Files\DNA\plugins\npbtdna.dll (BitTorrent, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.1: C:\Program Files\Yahoo!\Shared\npYState.dll ( )
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@unity3d.com/UnityPlayer: C:\Program Files\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/08 04:21:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/06 18:23:21 | 000,000,000 | ---D | M]

[2012/03/18 01:08:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/06 00:06:16 | 000,000,000 | ---D | M] (Click to call with Skype) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
File not found (No name found) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/07/20 01:59:31 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2009/05/20 03:46:27 | 000,239,432 | ---- | M] (Pando Networks) -- C:\Program Files\mozilla firefox\plugins\npPandoWebInst.dll
[2010/07/15 17:08:59 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2010/07/15 17:08:59 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2010/07/15 17:08:59 | 000,000,769 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2010/07/15 17:08:59 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\Application\17.0.963.66\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\Application\17.0.963.66\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\Application\17.0.963.66\pdf.dll
CHR - plugin: Skype Toolbars (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8153_0\npSkypeChromePlugin.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
CHR - plugin: DivX\u00AE Web Player (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
CHR - plugin: Windows Genuine Advantage (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
CHR - plugin: Pando Web Installer (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: AOL Media Playback Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Unity Player (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: DNA Plug-in (Enabled) = C:\Program Files\DNA\plugins\npbtdna.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.3_0\
CHR - Extension: Google Search = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.17_0\
CHR - Extension: Click to call with Skype = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8153_0\
CHR - Extension: Gmail = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/03/29 23:25:37 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (SidebarAutoLaunch Class) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe (Motive Communications, Inc.)
O4 - HKLM..\Run: [CHotkey] C:\WINDOWS\zHotkey.exe ()
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1169214453\ee\AOLSoftware.exe (America Online, Inc.)
O4 - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe (America Online, Inc.)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam\Quickcam.exe ()
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe (Motive)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe (Yahoo! Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme [2009/01/04 03:29:31 | 000,000,000 | ---D | M]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra Button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1231200248818 (WUWebControl Class)
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} http://www.acclaim.com/cabs/acclaim_v6.cab (GameLauncher Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} http://cdn1.acclaimdownloads.com/solidstateion.cab (CSolidBrowserObj Object)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\System32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/01 01:41:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/29 23:25:22 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/03/29 23:25:22 | 000,000,000 | ---D | C] -- \_OTL
[2012/03/28 04:07:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/03/28 02:56:14 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\LocalService\Cookies
[2012/03/27 21:34:08 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\Cookies
[2012/03/23 19:29:05 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/03/23 19:29:05 | 000,000,000 | RHSD | C] -- \cmdcons
[2012/03/20 00:59:10 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/20 00:59:10 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/20 00:59:10 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/20 00:59:10 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/20 00:59:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/03/20 00:58:12 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/03/20 00:58:12 | 000,000,000 | ---D | C] -- \Qoobox
[2012/03/19 00:40:46 | 002,617,176 | ---- | C] (VS Revo Group Ltd.) -- C:\revosetup.exe
[2012/03/09 18:41:08 | 000,000,000 | ---D | C] -- C:\aaaaaaREGBACKUP_ERONT
[2012/03/09 18:41:08 | 000,000,000 | ---D | C] -- \aaaaaaREGBACKUP_ERONT
[2012/03/09 18:27:30 | 000,000,000 | ---D | C] -- C:\zzzwinsockfix
[2012/03/09 18:27:30 | 000,000,000 | ---D | C] -- \zzzwinsockfix
[2012/03/09 00:20:00 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012/03/09 00:20:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2012/03/08 23:13:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2012/03/08 23:13:19 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2012/03/08 23:03:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/03/08 23:02:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/03/07 21:37:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E

========== Files - Modified Within 30 Days ==========

[2012/04/04 21:57:57 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/04 21:57:55 | 000,012,654 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/04 21:55:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/03 06:38:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003UA.job
[2012/04/03 06:22:20 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/02 00:13:15 | 000,249,324 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2012/03/29 23:25:37 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/03/29 20:38:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003Core.job
[2012/03/28 21:37:57 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\Finn\defogger_reenable
[2012/03/28 02:52:09 | 000,005,536 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/03/26 11:24:31 | 000,377,306 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/26 11:24:30 | 000,060,180 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/23 19:29:18 | 000,000,420 | RHS- | M] () -- C:\boot.ini
[2012/03/19 01:32:48 | 002,617,176 | ---- | M] (VS Revo Group Ltd.) -- C:\revosetup.exe
[2012/03/16 16:42:45 | 2129,846,272 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2012/03/09 16:34:13 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/03/07 21:24:18 | 000,002,358 | ---- | M] () -- C:\Documents and Settings\Finn\.recently-used.xbel
[2012/03/07 04:39:34 | 000,002,255 | ---- | M] () -- C:\Documents and Settings\Finn\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

========== Files Created - No Company Name ==========

[2012/03/28 21:37:36 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\Finn\defogger_reenable
[2012/03/23 19:29:18 | 000,000,304 | ---- | C] () -- C:\Boot.bak
[2012/03/23 19:29:18 | 000,000,304 | ---- | C] () -- \Boot.bak
[2012/03/23 19:29:12 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/03/23 19:29:12 | 000,260,272 | RHS- | C] () -- \cmldr
[2012/03/20 00:59:10 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/20 00:59:10 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/20 00:59:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/20 00:59:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/20 00:59:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/19 00:40:46 | 002,617,176 | ---- | C] () -- \revosetup.exe
[2012/03/09 18:25:20 | 000,001,599 | ---- | C] () -- C:\Remote Assistance.lnk
[2012/03/09 18:25:20 | 000,001,599 | ---- | C] () -- \Remote Assistance.lnk
[2012/03/07 21:24:18 | 000,002,358 | ---- | C] () -- C:\Documents and Settings\Finn\.recently-used.xbel
[2012/01/13 01:50:00 | 000,088,992 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/12/04 23:02:18 | 000,001,117 | ---- | C] () -- C:\WINDOWS\unins001.dat
[2011/07/16 20:22:24 | 000,032,256 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2011/07/16 20:18:45 | 000,107,520 | RHS- | C] () -- C:\WINDOWS\System32\TAKDSDecoder.dll
[2011/02/09 00:11:51 | 000,000,286 | ---- | C] () -- C:\WINDOWS\reimage.ini
[2011/02/08 14:15:57 | 001,228,854 | ---- | C] () -- \fsqwr.bmp
[2011/02/02 08:10:58 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Finn\Local Settings\Application Data\PUTTY.RND
[2010/08/01 15:18:37 | 000,000,038 | ---- | C] () -- C:\WINDOWS\camcodec100.ini
[2010/08/01 15:17:49 | 000,695,578 | ---- | C] () -- C:\WINDOWS\System32\unins000.exe
[2010/08/01 15:17:49 | 000,001,074 | ---- | C] () -- C:\WINDOWS\System32\unins000.dat
[2010/05/07 20:52:46 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll

========== Custom Scans ==========

< MD5 for: DXGTHK.SYS >
[2001/08/23 13:00:00 | 000,003,328 | ---- | M] (Microsoft Corporation) MD5=A73F5D6705B1D820C19B18782E176EFD -- C:\WINDOWS\system32\dllcache\dxgthk.sys
[2001/08/23 13:00:00 | 000,003,328 | ---- | M] (Microsoft Corporation) MD5=A73F5D6705B1D820C19B18782E176EFD -- C:\WINDOWS\system32\drivers\dxgthk.sys

< MD5 for: EXPLORER.EXE >
[2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 12:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2004/08/10 20:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/10 20:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: MSWSOCK.DLL >
[2008/06/20 18:36:11 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=1DFCA7713EA5A70D5D93B436AEA0317A -- C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[2004/08/10 20:00:00 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=4E74AF063C3271FBEA20DD940CFD1184 -- C:\WINDOWS\$NtServicePackUninstall$\mswsock.dll
[2004/08/10 20:00:00 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=4E74AF063C3271FBEA20DD940CFD1184 -- C:\WINDOWS\$NtUninstallKB951748_0$\mswsock.dll
[2008/06/20 18:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=832E4DD8964AB7ACC880B2837CB1ED20 -- C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[2008/06/20 18:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=832E4DD8964AB7ACC880B2837CB1ED20 -- C:\WINDOWS\$NtUninstallKB2509553$\mswsock.dll
[2008/06/20 17:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\ERDNT\cache\mswsock.dll
[2008/06/20 17:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\system32\dllcache\mswsock.dll
[2008/06/20 17:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\system32\mswsock.dll
[2008/04/14 01:12:01 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=B4138E99236F0F57D4CF49BAE98A0746 -- C:\WINDOWS\ServicePackFiles\i386\mswsock.dll
[2008/06/20 18:43:05 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=FCEE5FCB99F7C724593365C706D28388 -- C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\mswsock.dll
[2008/06/20 18:43:05 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=FCEE5FCB99F7C724593365C706D28388 -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll

< MD5 for: NTDLL.DLL >
[2010/12/09 16:15:41 | 000,718,336 | ---- | M] (Microsoft Corporation) MD5=15CE4DBC22FAB90B3CA5352AF1FFF81C -- C:\WINDOWS\$hf_mig$\KB2393802\SP3QFE\ntdll.dll
[2008/04/14 01:11:24 | 000,706,048 | ---- | M] (Microsoft Corporation) MD5=27D9ED8CB8B62D1E0A8E5ACE6CF52E2F -- C:\WINDOWS\$NtUninstallKB956572$\ntdll.dll
[2008/04/14 01:11:24 | 000,706,048 | ---- | M] (Microsoft Corporation) MD5=27D9ED8CB8B62D1E0A8E5ACE6CF52E2F -- C:\WINDOWS\ServicePackFiles\i386\ntdll.dll
[2009/02/09 13:10:48 | 000,714,752 | ---- | M] (Microsoft Corporation) MD5=911DDF2E16761643A47225F654D811E5 -- C:\WINDOWS\$NtUninstallKB2393802$\ntdll.dll
[2009/02/09 11:56:35 | 000,715,264 | ---- | M] (Microsoft Corporation) MD5=B0913005EE3FC15D7F72472D0B8A30EB -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\ntdll.dll
[2004/08/04 01:56:38 | 000,708,096 | ---- | M] (Microsoft Corporation) MD5=BB5CBFFC096497506167BCE1D9690EF2 -- C:\cmdcons\SYSTEM32\NTDLL.DLL
[2004/08/10 20:00:00 | 000,708,096 | ---- | M] (Microsoft Corporation) MD5=BB5CBFFC096497506167BCE1D9690EF2 -- C:\WINDOWS\$NtServicePackUninstall$\ntdll.dll
[2004/08/10 20:00:00 | 000,708,096 | ---- | M] (Microsoft Corporation) MD5=BB5CBFFC096497506167BCE1D9690EF2 -- C:\WINDOWS\I386\NTDLL.DLL
[2004/08/10 20:00:00 | 000,708,096 | ---- | M] (Microsoft Corporation) MD5=BB5CBFFC096497506167BCE1D9690EF2 -- C:\WINDOWS\I386\SYSTEM32\NTDLL.DLL
[2010/12/09 16:15:09 | 000,718,336 | ---- | M] (Microsoft Corporation) MD5=F8F0D25CA553E39DDE485D8FC7FCCE89 -- C:\WINDOWS\system32\dllcache\ntdll.dll
[2010/12/09 16:15:09 | 000,718,336 | ---- | M] (Microsoft Corporation) MD5=F8F0D25CA553E39DDE485D8FC7FCCE89 -- C:\WINDOWS\system32\ntdll.dll

< MD5 for: SVCHOST.EXE >
[2008/04/14 01:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/14 01:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/14 01:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/04 08:56:57 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 08:56:57 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/14 01:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/14 01:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 01:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 08:56:57 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/14 01:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/14 01:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/14 01:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< %windir%\system32\tasks\*.* >

< End of report >


----------
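The `< MD5 for: ... >` blocks in the OTL report above are what a helper reads to decide whether a core Windows file has been patched: the live copy under \WINDOWS or \WINDOWS\system32 should hash the same as the known-good copy Windows keeps in dllcache or ServicePackFiles. The script below is an added example (not part of the thread and not OTL's own code) that parses those blocks and performs that comparison mechanically; the sample log it runs on is constructed, with made-up hashes in OTL's line format.

```python
"""Audit the '< MD5 for: FILE >' blocks of an OTL log.

For each file, every "live" copy (under \WINDOWS or \WINDOWS\system32) is
compared against the "reference" copies in dllcache / ServicePackFiles. A
live copy whose hash matches no reference copy is worth a closer look, since
file infectors and patched loaders show up exactly this way in these logs.
"""
import re
from collections import defaultdict

# One OTL MD5 line: [date | size | attrs | M] (Company) MD5=HASH -- PATH
LINE_RE = re.compile(
    r"^\[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)
BLOCK_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>\s*$")

# Directories holding Windows' own known-good copies of system files.
REFERENCE_DIRS = ("\\dllcache\\", "\\servicepackfiles\\")
# Uninstall/backup locations: neither the live file nor a reference copy.
BACKUP_MARKERS = ("$hf_mig$", "$ntuninstall", "$ntservicepackuninstall$",
                  "\\erdnt\\", "\\cmdcons\\", "\\i386\\")


def classify(path):
    """Label a path as 'reference', 'backup' or 'live' (the copy Windows runs)."""
    p = path.lower()
    if any(d in p for d in REFERENCE_DIRS):
        return "reference"
    if any(m in p for m in BACKUP_MARKERS):
        return "backup"
    return "live"


def parse_md5_blocks(text):
    """Return {FILENAME: [{md5, size, path, company, kind}, ...]}."""
    blocks = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        b = BLOCK_RE.match(line)
        if b:
            current = b.group("name").upper()
            continue
        m = LINE_RE.match(line)
        if m and current:
            blocks[current].append({
                "md5": m.group("md5").upper(),
                "size": int(m.group("size").replace(",", "")),
                "path": m.group("path"),
                "company": m.group("company").strip(),
                "kind": classify(m.group("path")),
            })
    return dict(blocks)


def check_live_copies(blocks):
    """Verdict per file: 'ok' (every live copy matches a reference hash),
    'mismatch' (some live copy matches none), or 'no-reference' (nothing
    in the block to compare against, so it must be verified another way)."""
    verdicts = {}
    for name, entries in blocks.items():
        ref_hashes = {e["md5"] for e in entries if e["kind"] == "reference"}
        live = [e for e in entries if e["kind"] == "live"]
        if not ref_hashes:
            verdicts[name] = "no-reference"
        elif all(e["md5"] in ref_hashes for e in live):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"
    return verdicts


def audit(text):
    """Convenience wrapper: OTL log text in, verdict dict out."""
    return check_live_copies(parse_md5_blocks(text))


# Constructed sample in OTL's format; the hashes are made up, not real.
SAMPLE_LOG = """\
< MD5 for: SVCHOST.EXE >
[2008/04/14 01:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\\WINDOWS\\ServicePackFiles\\i386\\svchost.exe
[2008/04/14 01:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\\WINDOWS\\system32\\svchost.exe
[2004/08/04 08:56:57 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB -- C:\\WINDOWS\\$NtServicePackUninstall$\\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/04/14 01:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC -- C:\\WINDOWS\\system32\\dllcache\\userinit.exe
[2008/04/14 01:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD -- C:\\WINDOWS\\system32\\userinit.exe

< MD5 for: EXPLORER.EXE >
[2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE -- C:\\WINDOWS\\explorer.exe
"""

if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLE_LOG).items()):
        print(f"{name:14} {verdict}")
```

Pasting a real OTL report into `audit()` gives the same per-file verdict; a "mismatch" only says the live copy differs from the cached ones and still needs a second check, since legitimate hotfixes can also leave the cache behind.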



## eddie5659 (Mar 19, 2001)

Thanks 

Hope you are having a nice Easter 

Run OTL 

Under the *Custom Scans/Fixes* box at the bottom, paste in the following 

```
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"eapsvcs"=hex(7):"eapsvcs"
"dot3svc"=hex(7):"dot3svc"
:Files
ipconfig /flushdns /c
:Commands 
[purity] 
[resethosts] 
[emptytemp] 
[emptyjava]
[EMPTYFLASH] 
[CREATERESTOREPOINT] 
[Reboot]
```

Then click the *Run Fix* button at the top 
Click OK.
OTL may ask to reboot the machine. Please do so if asked.

The report should appear in Notepad after the reboot. Copy/Paste the report in your next reply.

eddie


----------



## Justletmepost (Mar 11, 2012)

OTL didn't terminate properly. It finished doing things (box I pasted the commands into was empty again), the green bar was full, and it said "Processing Complete!" at the bottom...and it froze like that. Had to restart the computer manually. Still got the log, at least.

Also, it seems I still have to log into the Temp_for_fix profile after reboot to get the log to show up =/

=============================================
*OTL fix log*
=============================================
All processes killed
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\"eapsvcs"|hex(7):"eapsvcs" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\"dot3svc"|hex(7):"dot3svc" /E : value set successfully!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Finn\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Finn\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
-> No Temporary Internet Files cache folder defined!
->FireFox cache emptied: 0 bytes

User: All Users
-> No Temporary Internet Files cache folder defined!

User: Default User
->Temp folder emptied: 0 bytes
-> No Temporary Internet Files cache folder defined!

User: f6062011
-> No Temporary Internet Files cache folder defined!

User: Finn
->Temp folder emptied: 0 bytes
-> No Temporary Internet Files cache folder defined!
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
-> No Temporary Internet Files cache folder defined!

User: MyDocumentsFromOtherComputer
-> No Temporary Internet Files cache folder defined!

User: NetworkService
->Temp folder emptied: 0 bytes
-> No Temporary Internet Files cache folder defined!

User: publicversionofMyDocuments_see_other_HD
-> No Temporary Internet Files cache folder defined!

User: Temp_for_fix
->Temp folder emptied: 597727 bytes
-> No Temporary Internet Files cache folder defined!

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 158712 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: shell32.dll unable to determine bytes removed.

Total Files Cleaned = 1.00 mb

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: f6062011

User: Finn

User: LocalService

User: MyDocumentsFromOtherComputer

User: NetworkService

User: publicversionofMyDocuments_see_other_HD

User: Temp_for_fix

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: f6062011

User: Finn

User: LocalService

User: MyDocumentsFromOtherComputer

User: NetworkService

User: publicversionofMyDocuments_see_other_HD

User: Temp_for_fix

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.39.2 log created on 04072012_160639

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


----------



## eddie5659 (Mar 19, 2001)

Okay, let's see if we can get the main profile back. Firstly, we'll work on this part:



> Ran Unhide.exe. It noted (as shown in log below) that it couldn't restore missing start menu items due to a missing folder, and directed me to a forum post to see how to deal with it. Decided to leave that for the time being. C:/ folder still set to Hidden. Rebooted. On startup, computer automatically ran CHKDSK from a blue screen for some reason, saying my disk needed to be checked for consistency. When that was done, found C:/ folder still set to Hidden. Rebooted again. C:/ still hidden, no CHKDSK this time.
> Checked out that forum post link in the log. Found this quote about unhide.exe: " It will not, though, unhide any files that also have the +S attribute.". Presumably that's why C:/ (and Program Files, I see) is still Hidden. Downloaded that post's script (winxp pro version) for resetting your Start Menu items to default, but decided not to run it because I'm not sure if "Start Menu items" includes stuff under All Programs (which is still intact for me).


So, what we can do is set a restore point first, then run the fix.

First, create the restore point as explained in this link:

http://support.microsoft.com/kb/948247

Call it 'Unhide' so it's easy to find if need be 

Then, download this:

http://download.bleepingcomputer.com/grinler/fakehdd/winxp-pro-32bit-sm-reset.exe

And then run it. It may need a reboot, so let me know how it goes.

----

Also, when that is done, can you run the following script again, in Systemlook:


```
:reg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost /sub
```
and post the new log.

eddie


----------



## Justletmepost (Mar 11, 2012)

Also, noticed another couple of problems with the Finn account that I don't think I've mentioned.
1) right-click -> New only has Folder and Shortcut as options
2) file extensions are globally hidden, and more importantly, making them visible via Folder Options doesn't work.

Anyway, made a restore point and ran that Unhide thing to restore my Start Menu...and as far as I can tell, it did exactly nothing. I've attached a pair of screenshots to be perfectly clear.

And ran the new systemlook script. Here's the log.

============================================
*Systemlook log*
============================================
SystemLook 30.07.11 by jpshortstuff
Log created at 08:16 on 10/04/2012 by Finn
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"LocalService"="Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV"
"NetworkService"="DnsCache"
"netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt TermService wuauserv BITS ShellHWDetection helpsvc xmlprov wscsvc napagent hkmsvc"
"rpcss"="RpcSs"
"imgsvc"="StiSvc"
"termsvcs"="TermService"
"HTTPFilter"="HTTPFilter"
"DcomLaunch"="DcomLaunch TermService"
"eapsvcs"="eapsvcs"
"dot3svc"="dot3svc"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"DefaultRpcStackSize"= 0x0000000008 (8)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\dot3svc]
"AuthenticationCapabilities"= 0x0000003020 (12320)
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\eapsvcs]
"AuthenticationCapabilities"= 0x0000003020 (12320)
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter]
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"AuthenticationCapabilities"= 0x0000002000 (8192)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"AuthenticationCapabilities"= 0x0000003020 (12320)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth]
"CoInitializeSecurityParam"= 0x0000000002 (2)
"AuthenticationCapabilities"= 0x0000000040 (64)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"DefaultRpcStackSize"= 0x0000000008 (8)

-= EOF =-


----------



## eddie5659 (Mar 19, 2001)

Just going back to have a re-read, and is Smart Fortress 2012 still showing as there?

If so, can you try the instructions given here:

http://www.bleepingcomputer.com/virus-removal/remove-smart-fortress-2012

Obviously if your internet is still not working, download the files onto a disk/usb drive, and pop them on when you get to Safe Mode 

Let me know how that goes, and any questions, please ask


----------



## Justletmepost (Mar 11, 2012)

Yes, Smart Fortress is still in my Start->All Programs.

*tries your suggestion*



> Could not install MBAM on Finn account - annoying, considering those instructions specifically instructed me to install and run it on the infected account in safe mode =/.
> When I tried installing it on Finn (in both safe mode and normal mode), I got this error:
> 
> Error creating registry key:
> ...


I assumed this was important, so I Aborted both times.

Back into Safe mode, tried installing it on Temp_for_fix account. Worked with no problems. *rolls eyes* Plugged in ethernet cable to let it update itself (the computer has been able to connect to the internet for a while now, but I won't feel comfortable letting it do so unnecessarily until you've told me I'm probably not infected anymore). Those instructions seemed to imply I should install and then immediately run without restarting, so I ran it on Temp_for_fix (log of this is below). It found two things, which I deleted.

However, Smart Fortress is STILL present in my All Programs list.
Right now I'm running a new scan, this time from Finn (in safe mode)...but before that I tried actually running Smart Fortress from that All Programs entry, and it just tells me that "Windows is searching for [long randomized-looking executable name]". So I suspect that the actual program is gone, and those All Programs entries are all that's left. Incidentally, those entries only exist on the Finn account.

========================================================
*MBAM log*
=======================================================
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.11.01

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.5730.13
Temp_for_fix :: FINN-GE6QC5 [administrator]

4/11/2012 08:40:22
mbam-log-2012-04-11 (08-40-22).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 775644
Time elapsed: 3 hour(s), 3 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Finn\Desktop\FYP NOTES\CryptLoad_1.1.8\router\FRITZ!Box\nc.exe (PUP.Netcat) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP356\A1418915.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

(end)


----------



## Justletmepost (Mar 11, 2012)

double post whee

Ran MBAM from Finn in safe mode. Found one additional thing. Deleted it. Restarted. Smart Fortress entry in All Programs still there.

========================================
*MBAM log...again*
========================================
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.11.01

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.5730.13
Finn :: FINN-GE6QC5 [administrator]

4/11/2012 1:13:42 PM
mbam-log-2012-04-11 (13-13-42).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 775630
Time elapsed: 3 hour(s), 4 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP393\A1428913.exe (PUP.Netcat) -> Quarantined and deleted successfully.

(end)


----------



## eddie5659 (Mar 19, 2001)

Pretty sure you did, but just checking that you also went into the Internet Options, and set it up as per the link?

Can you try running MBAM as stated here, using the Chameleon folder, from the section underneath the CMD picture, titled:

*If Malwarebytes Anti-Malware is already installed on the infected computer.*

From this link:

http://www.geekstogo.com/forum/topic/315729-removal-instructions-for-smart-fortress-2012/

Then, after doing all that, can you run this:

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1
Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
:filefind
*DAEMON*
*Viewpoint*
*Vuze*
*Smart Fortress*
:folderfind
*DAEMON
*Viewpoint
*Vuze
*Smart Fortress
:regfind
*DAEMON
*Viewpoint
*Vuze
*Smart Fortress
:dir
%CommonAppData%
C:\Documents and Settings\All Users\Application Data
:reg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
HKEY_CURRENT_USER\Software\Classes\.exe /sub
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop, entitled *SystemLook.txt*

And post the SystemLookUp and MBAM logs.


----------



## Justletmepost (Mar 11, 2012)

> Pretty sure you did, but just checking that you also went into the Internet Options, and set it up as per the link?


You mean the proxy settings thing? Yes. Neither Internet Explorer nor Firefox are set up to use a proxy.

Did everything you asked (on the Finn account, in normal mode).

MBAM chameleon thing didn't find anything, nor did it ask me to reboot.

===========================================
*MBAM chameleon*
===========================================
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.13.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
:: FINN-GE6QC5 [administrator]

4/13/2012 7:24:24 PM
mbam-log-2012-04-13 (19-24-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 255914
Time elapsed: 15 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

===========================================
*SystemLook*
===========================================
SystemLook 30.07.11 by jpshortstuff
Log created at 19:54 on 13/04/2012 by Finn
Administrator - Elevation successful

========== filefind ==========

Searching for "*DAEMON*"
C:\BACKUP OF NEW COMPUTER'S DOWNLOADS FOLDER\daemon4302-lite.exe --a---- 7410632 bytes [01:33 01/01/2009] [01:30 28/12/2008] DC10EB942C6995D137788ECB087D304B
C:\devkitpro\devkitGP2X\sysroot\usr\include\sys\kdaemon.h --a---- 1168 bytes [01:17 23/05/2009] [00:04 20/11/2005] 03DDAF43102E5B124CAB8A018B918539
C:\Documents and Settings\All Users\Start Menu\Programs\DAEMON Tools Lite\DAEMON Tools Lite.lnk --a---- 745 bytes [12:03 06/01/2009] [12:03 06/01/2009] CAB525C2E0D444FFC198CEF5A1A32FA1
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\searchplugins\daemon-search.xml --a---- 2921 bytes [01:38 02/01/2009] [22:12 05/12/2008] 735490B3663F1FD92F86349AB9AC4EE1
C:\Program Files\DAEMON Tools Lite\daemon.dll --a---- 617952 bytes [09:15 04/12/2008] [09:15 04/12/2008] 7322E53B5E9A82361AE1327E27522F82
C:\Program Files\DAEMON Tools Lite\daemon.exe --a---- 687560 bytes [10:40 29/12/2008] [10:40 29/12/2008] 2AC015CD0D8AA59E4AAD8EFFE29798EF
C:\Program Files\NetBeans 6.5.1\ruby2\jruby-1.1.4\lib\ruby\gems\1.8\gems\activesupport-2.1.0\lib\active_support\core_ext\kernel\daemonizing.rb --a---- 186 bytes [17:59 01/04/2009] [04:39 06/03/2009] AA53079271A90E5F3F8F1C5E88DA2A7E
C:\Program Files\NetBeans 6.5.1\ruby2\jruby-1.1.4\lib\ruby\gems\1.8\gems\activesupport-2.1.0\lib\active_support\core_ext\process\daemon.rb --a---- 757 bytes [17:59 01/04/2009] [04:39 06/03/2009] FA7C497B44FECE130C3D42D4FB781268
C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\Help\Databases\RivaTuner\DontUninstallStartupDaemon.rth --a---- 191 bytes [18:25 22/08/2009] [18:25 22/08/2009] 9D1C357CD9880962F93E40C9AF22C4AA
C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\Help\Databases\RivaTuner\ForceAlternateStartupDaemon.rth --a---- 208 bytes [18:25 22/08/2009] [18:25 22/08/2009] E35D94C464D39718C3827E7F0C4EB4E8
C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\Help\Databases\RivaTuner\NvCplDaemon.rth --a---- 156 bytes [18:25 22/08/2009] [18:25 22/08/2009] 340402579D8CE345C49A76FC6D2DCE2B
C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\Help\Databases\RivaTuner\RivaTunerStartupDaemon.rth --a---- 153 bytes [18:25 22/08/2009] [18:25 22/08/2009] D0D2BEA4DEB4DA0C8978A81658892D78
C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\Help\Databases\RivaTuner\StartupDaemonDelay.rth --a---- 301 bytes [18:25 22/08/2009] [18:25 22/08/2009] 4A1C6179918F1495695DEA01360F453F
C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\Help\Databases\RivaTuner\UseAlternateStartupDaemon.rth --a---- 128 bytes [18:25 22/08/2009] [18:25 22/08/2009] 653551A931AB2531557D615BFE98F00A
C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\Localization\Rus\Help\Databases\RivaTuner\DontUninstallStartupDaemon.rth --a---- 226 bytes [18:25 22/08/2009] [18:25 22/08/2009] E26985E26F6BF884AFC9C69B24DB2811
C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\Localization\Rus\Help\Databases\RivaTuner\ForceAlternateStartupDaemon.rth --a---- 264 bytes [18:25 22/08/2009] [18:25 22/08/2009] 7597898D9736E731FE784F1A941B876F
C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\Localization\Rus\Help\Databases\RivaTuner\NvCplDaemon.rth --a---- 105 bytes [18:25 22/08/2009] [18:25 22/08/2009] A4917A71921C5DCA83EC575DBB7EAEF0
C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\Localization\Rus\Help\Databases\RivaTuner\RivaTunerStartupDaemon.rth --a---- 82 bytes [18:25 22/08/2009] [18:25 22/08/2009] DC20763EAFA301AA60A1B56218DDFA76
C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\Localization\Rus\Help\Databases\RivaTuner\StartupDaemonDelay.rth --a---- 388 bytes [18:25 22/08/2009] [18:25 22/08/2009] B3E0BFA69E6483CE2AB452E09BEFA2B1
C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\Localization\Rus\Help\Databases\RivaTuner\UseAlternateStartupDaemon.rth --a---- 183 bytes [18:25 22/08/2009] [18:25 22/08/2009] 67DADD80DE9EA4294195A0D1E0E9063B
C:\Program Files\RosettaStoneLtdServices\ActivationDaemonPlugin.dll --a---- 23128 bytes [13:45 17/05/2010] [13:45 17/05/2010] 8EE9E41D9D237A35EACDC4C8B9F33BD3
C:\Program Files\RosettaStoneLtdServices\DataInstallerDaemonPlugin.dll --a---- 28472 bytes [13:45 17/05/2010] [13:45 17/05/2010] 2BCE077A01B8E8647B9E3F926C8BCA47
C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.dll --a---- 1106392 bytes [13:45 17/05/2010] [13:45 17/05/2010] E4A348B63D22FC5FB6CAB5305A873193
C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe --a---- 1615176 bytes [13:45 17/05/2010] [13:45 17/05/2010] 7F7CA7DEEB68E68FD67870E9A5EC33E2
C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemonConfiguration.txt --a---- 394 bytes [13:45 17/05/2010] [12:37 30/08/2011] ACAC59FA660879E9CCD77E4A2AE2FE4F
C:\Program Files\RosettaStoneLtdServices\SREDaemonPlugin.dll --a---- 40928 bytes [13:45 17/05/2010] [13:45 17/05/2010] 30C0932DAD28FE1F1D222684F6C7069F
C:\Program Files\Vulture's Eye\tiles\monster.pm_mail_daemon.png --a---- 13255 bytes [22:09 15/07/2008] [22:09 15/07/2008] C86FC97313482AF9A8101BBC2310B202
C:\Python24\Tools\Scripts\mailerdaemon.py --a---- 8157 bytes [01:31 03/01/2009] [19:15 28/10/2005] 947EE9B1BE9BB43BEEA8BC0CEFC38646
C:\WINDOWS\I386\CIDAEMON.EX_ --a---- 4083 bytes [02:17 04/01/2009] [19:00 10/08/2004] 61F30DE4630B16750AD2BE6E6537E943
C:\WINDOWS\system32\cidaemon.exe --a---- 8192 bytes [12:00 23/08/2001] [12:00 23/08/2001] 582304F6F1946FA5068CF143D729D7ED
C:\WINDOWS\system32\dllcache\cidaemon.exe --a--c- 8192 bytes [12:00 23/08/2001] [12:00 23/08/2001] 582304F6F1946FA5068CF143D729D7ED

Searching for "*Viewpoint*"
No files found.

Searching for "*Vuze*"
C:\Documents and Settings\All Users\Desktop\Vuze.lnk --a---- 1534 bytes [18:01 30/12/2009] [21:48 02/07/2010] 7577E25377CC0B62CB13BEAFF7AB01E9
C:\Documents and Settings\All Users\Start Menu\Programs\Vuze.lnk --a---- 1534 bytes [18:01 30/12/2009] [21:48 02/07/2010] 76B93FF9DE78C2B02D71684A9F58B97E
C:\Documents and Settings\Finn\Application Data\Azureus\VuzeActivities.config --a---- 1459 bytes [18:05 30/12/2009] [07:30 30/11/2010] 9ED43AF46A424CB669F4E4D40A632138
C:\Documents and Settings\Finn\Application Data\Azureus\VuzeActivities.config.bak --a---- 1099 bytes [00:03 09/06/2010] [07:30 30/11/2010] 694715AA621F44298F66D2A6B3B176B3
C:\Documents and Settings\Finn\Application Data\Azureus\subs\26C0589314DD8BF44930.vuze --a---- 2625 bytes [07:55 30/11/2010] [07:55 30/11/2010] B48CA77013757553FBDC2AC482B0223A
C:\Documents and Settings\Finn\Application Data\Azureus\subs\277ACC855F44411975B6.vuze --a---- 3005 bytes [07:55 30/11/2010] [07:55 30/11/2010] 6322A3E2223D1562E9187887B59C8345
C:\Documents and Settings\Finn\Application Data\Azureus\subs\342B99025BEC42B98FD0.vuze --a---- 1105 bytes [18:20 30/12/2009] [18:20 30/12/2009] 76208FC54E484C55099384164A3B5A67
C:\Documents and Settings\Finn\Application Data\Azureus\subs\A29987CF9CA4C6EAEA4D.vuze --a---- 3006 bytes [07:55 30/11/2010] [07:55 30/11/2010] 329B430F55B3B7443B7832E39B054A0B
C:\Documents and Settings\Finn\Application Data\Azureus\subs\EF82A8EFB1D60FB4232E.vuze --a---- 3222 bytes [07:35 30/11/2010] [07:35 30/11/2010] CCD97AB04E82FEEE21F377AF2FD95A0A
C:\Documents and Settings\Finn\Application Data\Microsoft\Internet Explorer\Quick Launch\Vuze.lnk --a---- 1534 bytes [18:01 30/12/2009] [21:48 02/07/2010] 9309300446ED6249B9CCA5BC99EF287C
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\CT2504091\feed\http___blog_vuze_com_index_php_feed__history.xml --a---- 0 bytes [10:50 03/07/2010] [10:50 03/07/2010] D41D8CD98F00B204E9800998ECF8427E
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\CT2504091\feed\http___blog_vuze_com_index_php_feed__structured.xml --a---- 0 bytes [10:50 03/07/2010] [10:50 03/07/2010] D41D8CD98F00B204E9800998ECF8427E
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\chrome\vuze_remote.jar --a---- 607057 bytes [21:47 02/07/2010] [21:47 02/07/2010] 97565F79FCEE5F674673E01BE227974F
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\r0v8pfpr.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\chrome\vuze_remote.jar --a---- 607057 bytes [21:47 02/07/2010] [21:47 02/07/2010] 97565F79FCEE5F674673E01BE227974F
C:\Program Files\Azureus\Vuze.ico --a---- 55652 bytes [18:01 30/12/2009] [18:45 22/06/2009] 70B3D77F119821239FB492F4B4F69043
C:\Program Files\Azureus\plugins\azemp\vuzeplayer.exe --a---- 6123008 bytes [21:56 02/07/2010] [21:56 02/07/2010] 7C3702BE08DE8844DCF5C367A3DC1BFF

Searching for "*Smart Fortress*"
C:\Documents and Settings\Finn\Desktop\Smart Fortress 2012.lnk --a---- 1324 bytes [20:47 07/03/2012] [20:47 07/03/2012] DDE46959408713B94CECAE9D154679D4
C:\Documents and Settings\Finn\Start Menu\Programs\Smart Fortress 2012\Smart Fortress 2012.lnk --a---- 1336 bytes [20:47 07/03/2012] [20:47 07/03/2012] 95EF6B0B5ECACCC5B6DEE32D4083BBC6

========== folderfind ==========

Searching for "*DAEMON"
No folders found.

Searching for "*Viewpoint"
No folders found.

Searching for "*Vuze"
No folders found.

Searching for "*Smart Fortress"
No folders found.

========== regfind ==========

Searching for "*DAEMON"
No data found.

Searching for "*Viewpoint"
No data found.

Searching for "*Vuze"
No data found.

Searching for "*Smart Fortress"
No data found.

========== dir ==========

%CommonAppData% - Unable to find folder.

C:\Documents and Settings\All Users\Application Data - Parameters: "(none)"

---Files---
desktop.ini --ahs-- 62 bytes [16:06 01/01/2009] [21:58 05/01/2009]
hpzinstall.log --a---- 1738 bytes [16:06 01/01/2009] [08:10 03/07/2011]
QTSBandwidthCache --a---- 1365 bytes [16:06 01/01/2009] [23:52 18/03/2007]

---Folders---
Adobe d------ [12:37 30/08/2011]
AOL d------ [22:12 04/01/2009]
AVAST Software d------ [23:20 08/03/2012]
AVG2012 d------ [22:13 08/03/2012]
Azureus d------ [18:05 30/12/2009]
Blizzard d------ [04:01 01/01/2010]
Blizzard Entertainment d------ [00:08 02/01/2010]
BullGuard d------ [22:12 04/01/2009]
Common Files d------ [22:03 08/03/2012]
CyberLink d------ [10:41 26/02/2009]
DAEMON Tools Lite d------ [12:03 06/01/2009]
DivX d------ [13:33 01/08/2010]
F4D55F17000073230120E1C3D151FC4E d------ [20:37 07/03/2012]
FLEXnet d------ [16:40 31/07/2011]
Google d------ [23:52 05/01/2009]
HP d------ [08:36 26/02/2009]
LogiShrd d------ [15:37 11/12/2009]
Malwarebytes d------ [06:47 11/04/2012]
McAfee d------ [16:15 15/07/2010]
MFAData d------ [22:02 08/03/2012]
Microsoft d-a---- [21:27 04/01/2009]
Microsoft Help d------ [02:16 05/01/2009]
Motive d------ [22:12 04/01/2009]
nEfJfJe06504 d------ [04:04 28/02/2011]
NOS d------ [16:07 01/01/2009]
NVIDIA Corporation d------ [22:58 29/08/2009]
PACE Anti-Piracy d------ [21:19 11/10/2010]
pdf995 d------ [09:38 12/02/2009]
PMB Files d------ [02:46 20/05/2009]
PreEmptive Solutions d------ [18:55 06/01/2009]
Prism Deploy d------ [16:07 01/01/2009]
QuickTime d------ [16:07 01/01/2009]
Rosetta Stone d------ [12:38 30/08/2011]
Rosetta Stone DEMO d------ [13:45 31/07/2011]
RosettaStoneLtdServices d------ [12:37 30/08/2011]
Skype d------ [16:07 01/01/2009]
Skype Extras d------ [17:49 16/05/2011]
Spybot - Search & Destroy d------ [16:06 01/01/2009]
Sun d------ [01:05 02/08/2010]
Trusteer d------ [02:31 15/04/2011]
Windows Genuine Advantage d------ [16:06 01/01/2009]
yahoo! d------ [16:06 01/01/2009]
Yahoo! Companion d------ [16:06 01/01/2009]

========== reg ==========

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
(Unable to open key - key not found)

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

[HKEY_CURRENT_USER\Software\Classes\.exe]
(Unable to open key - key not found)

-= EOF =-


----------



## eddie5659 (Mar 19, 2001)

Ah, we may have the little so and so 

Can you do this with SystemLook again, to see if we can find it fully:


```
:dir
C:\Documents and Settings\All Users\Application Data\nEfJfJe06504 /sub
C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E /sub
:reg
HKEY_CLASSES_ROOT\%s /sub
HKEY_CURRENT_USER\Software\Classes\%s /sub
HKEY_CURRENT_USER\Software\Classes\.exe /sub
:regfind
F4D55F17000073230120E1C3D151FC4E
F4D55
jau38uj.bin
```
and post the results again.

eddie


----------



## Justletmepost (Mar 11, 2012)

=======================================
*Systemlook log*
=======================================

SystemLook 30.07.11 by jpshortstuff
Log created at 22:05 on 16/04/2012 by Finn
Administrator - Elevation successful

========== dir ==========

C:\Documents and Settings\All Users\Application Data\nEfJfJe06504 - Parameters: "/sub"

---Files---
None found.

No folders found.

C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E - Parameters: "/sub"

---Files---
F4D55F17000073230120E1C3D151FC4E --a---- 328 bytes [20:37 07/03/2012] [22:24 08/03/2012]

No folders found.

========== reg ==========

[HKEY_CLASSES_ROOT\%s]
@="F4D55"

[HKEY_CURRENT_USER\Software\Classes\%s]
@="F4D55"

[HKEY_CURRENT_USER\Software\Classes\.exe]
(Unable to open key - key not found)

========== regfind ==========

Searching for "F4D55F17000073230120E1C3D151FC4E"
[HKEY_CURRENT_USER\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"

Searching for "F4D55"
[HKEY_CURRENT_USER\Software\Classes\%s]
@="F4D55"
[HKEY_CURRENT_USER\Software\Classes\F4D55]
[HKEY_CURRENT_USER\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\153B2ABF4D55F155CACF811C82ADEE8B]
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\%s]
@="F4D55"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\F4D55]
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\%s]
@="F4D55"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\F4D55]
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"

Searching for "jau38uj.bin"
No data found.

-= EOF =-
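The SystemLook output above is what a ProgID hijack looks like in the registry: a made-up class (F4D55) whose shell\open\command runs a program out of Application Data and passes the real target through as "%1". The following is an added example, not code from this thread or from SystemLook's author: it parses SystemLook ':reg'/':regfind' output (a constructed sample modelled on the posted log, plus one benign exefile handler for contrast) and flags open handlers that are not the standard passthrough, live in a user-writable data directory, or wrap the original target.

```python
import re

# Default handler for executables on Windows: run the file itself with its args.
STANDARD_PASSTHROUGH = '"%1" %*'

# Locations a legitimate program handler should not live in (user-writable data dirs).
USER_WRITABLE = ('\\application data\\', '\\programdata\\', '\\temp\\', '\\local settings\\')

KEY_RE = re.compile(r'^\[(.+)\]$')              # [HKEY_...\path]
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')    # @="..." or "Name"="..."

# Constructed sample in SystemLook's :regfind output format, modelled on the
# log posted in this thread (the F4D55 handler), plus a benign exefile
# handler added for contrast. It is not a real log.
SAMPLE_LOG = """\
========== regfind ==========

Searching for "F4D55"
[HKEY_CURRENT_USER\\Software\\Classes\\%s]
@="F4D55"
[HKEY_CURRENT_USER\\Software\\Classes\\F4D55]
[HKEY_CURRENT_USER\\Software\\Classes\\F4D55\\shell\\open\\command]
@=""C:\\Documents and Settings\\All Users\\Application Data\\F4D55F17000073230120E1C3D151FC4E\\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_USERS\\S-1-5-21-1606980848-1214440339-725345543-1003\\Software\\Classes\\F4D55\\shell\\open\\command]
@=""C:\\Documents and Settings\\All Users\\Application Data\\F4D55F17000073230120E1C3D151FC4E\\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]
@=""%1" %*"

-= EOF =-
"""


def parse_systemlook_reg(text):
    """Parse SystemLook :reg / :regfind output into {key: {value_name: data}}.

    SystemLook wraps string data in one pair of double quotes without escaping
    inner quotes, so only the outer pair is stripped; other data (DWORDs shown
    as 0x... (n)) is kept verbatim. Lines outside a key are ignored.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = '@' if m.group(1) == '@' else m.group(1).strip('"')
        data = m.group(2).strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1]
        keys[current][name] = data
    return keys


def command_executable(command):
    """Return the program path from a shell command string ("quoted" or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def find_open_command_hijacks(text):
    """Report every shell\\open\\command handler that is not the plain passthrough."""
    findings = []
    for key, values in parse_systemlook_reg(text).items():
        parts = key.split('\\')
        if len(parts) < 4 or [p.lower() for p in parts[-3:]] != ['shell', 'open', 'command']:
            continue
        command = values.get('@')
        if command is None or command.strip() == STANDARD_PASSTHROUGH:
            continue  # normal handler: just launches the file itself
        exe = command_executable(command)
        findings.append({
            'key': key,
            'progid': parts[-4],                 # class owning this handler
            'exe': exe,
            'in_data_dir': any(s in exe.lower() for s in USER_WRITABLE),
            'wraps_target': '%1' in command,     # proxies the real program
        })
    return findings


def redirected_classes(text):
    """Map class keys (e.g. '.exe' or the odd '%s') whose default names a hijacked ProgID."""
    bad_progids = {f['progid'] for f in find_open_command_hijacks(text)}
    out = {}
    for key, values in parse_systemlook_reg(text).items():
        default = values.get('@')
        if default in bad_progids and key.split('\\')[-1] != default:
            out[key] = default
    return out


if __name__ == '__main__':
    for f in find_open_command_hijacks(SAMPLE_LOG):
        flags = [n for n in ('in_data_dir', 'wraps_target') if f[n]]
        print(f"{f['key']}\n    -> {f['exe']}  [{', '.join(flags)}]")
    for key, progid in redirected_classes(SAMPLE_LOG).items():
        print(f"{key} redirects to ProgID {progid}")
```

Run against a full SystemLook dump of HKCR and HKCU\Software\Classes, the same check also catches the common variant where the .exe key itself is re-pointed at the rogue ProgID; the F4D55 handler wrapping "%1" is why the user's programs were still being launched through the infection.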


----------



## eddie5659 (Mar 19, 2001)

Just checking a few things and will reply as soon as I can with the fix. Need to be 100% sure on a few registry items


----------



## eddie5659 (Mar 19, 2001)

Okay, let's create a backup first. I think you have ERUNT already, but just in case:

*Backing Up Your Registry*
Download *ERUNT* 
_(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)_
Install *ERUNT* by following the prompts
_(use the default install settings but say no to the portion that asks you to add *ERUNT* to the start-up folder, if you like you can enable this option later)_
Start *ERUNT*
_(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)_
Choose a location for the backup
_(the default location is C:\WINDOWS\ERDNT which is acceptable)._
Make sure that at least the first two check boxes are ticked
Press *OK*
Press *YES* to create the folder.

------------

Then, delete any CFScript that you have, and create a new one as follows:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the quotebox below into it:



> Folder::
> C:\Documents and Settings\All Users\Application Data\nEfJfJe06504
> C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E
> Registry::
> ...


Save this as *CFScript.txt*, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

------------

Also, can you re-run SystemLook afterwards as well, to see if any remain.

eddie


----------



## Justletmepost (Mar 11, 2012)

Combofix complained of being out of date, so I redownloaded it. It also STILL complained of me not having the recovery console (and it not being able to attempt certain fixes as a result), so I plugged in ethernet and let it download/install that again to placate it. As before, it reported rootkit activity and needed to reboot. As before, I had to log into the Temp_for_fix profile for it to resume the process after reboot.

Restarted computer again after it was done. No obvious problems, so it doesn't seem to have done anything horrible to the registry.

Ran systemlook again after all that as requested.

======================================
*Combofix log*
======================================
ComboFix 12-04-17.01 - Temp_for_fix 04/17/2012 23:25:55.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1618 [GMT 1:00]
Running from: c:\documents and settings\Finn\Desktop\Finn789.exe
Command switches used :: c:\documents and settings\Finn\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E
c:\documents and settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E
c:\documents and settings\All Users\Application Data\nEfJfJe06504
.
.
((((((((((((((((((((((((( Files Created from 2012-03-17 to 2012-04-17 )))))))))))))))))))))))))))))))
.
.
2012-04-17 21:37 . 2012-04-17 21:37 -------- d-----w- c:\program files\ERUNT
2012-04-13 18:20 . 2012-04-13 18:20 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-04-13 14:26 . 2012-04-13 14:26 -------- d-----w- C:\SendTo
2012-04-11 07:24 . 2012-04-11 07:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-11 07:24 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-11 06:47 . 2012-04-11 06:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-11 06:19 . 2012-04-11 06:08 883616 ----a-w- C:\FixExec.com
2012-03-29 22:25 . 2012-03-29 22:25 -------- d-----w- C:\_OTL
2012-03-28 02:03 . 2012-03-28 02:03 -------- d-----w- c:\documents and settings\Temp_for_fix
2012-03-18 23:40 . 2012-03-19 00:32 2617176 ----a-w- C:\revosetup.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-25 10:16 . 2012-01-25 10:16 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-06 23:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((( [email protected]_19.36.16 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-23 12:00 . 2012-01-13 00:50 60180 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2012-03-26 10:24 60180 c:\windows\system32\perfc009.dat
- 2009-01-01 00:42 . 2012-02-24 18:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-01 00:42 . 2012-03-28 20:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-03-28 20:48 . 2012-03-28 20:47 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-01 00:42 . 2012-02-24 18:22 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2012-04-13 18:22 . 2012-04-13 18:22 22016 c:\windows\Installer\5866577.msi
+ 2012-04-17 21:39 . 2012-04-17 21:39 61440 c:\windows\ERDNT\17-04-2012\Users\00000001\ntuser.dat
+ 2009-01-05 02:04 . 2012-03-28 01:52 5536 c:\windows\system32\d3d9caps.dat
- 2009-01-05 02:04 . 2012-03-18 21:21 5536 c:\windows\system32\d3d9caps.dat
+ 2001-08-23 12:00 . 2012-03-26 10:24 377306 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2012-01-13 00:50 377306 c:\windows\system32\perfh009.dat
- 2011-09-05 23:06 . 2011-09-05 23:06 371272 c:\windows\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
+ 2012-04-13 14:26 . 2012-04-13 14:26 371272 c:\windows\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
+ 2012-04-17 21:39 . 2012-04-17 21:39 262144 c:\windows\ERDNT\17-04-2012\Users\00000002\UsrClass.dat
+ 2012-04-17 21:39 . 2005-10-20 11:02 163328 c:\windows\ERDNT\17-04-2012\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-08 543232]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"HostManager"="c:\program files\Common Files\AOL\1169214453\ee\AOLSoftware.exe" [2006-05-24 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-06 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-06 138008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-11 421888]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CHotkey"="zHotkey.exe" [2004-12-08 550912]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Finn\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2009-1-5 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Finn^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\Finn\\Desktop\\eclipse-java-ganymede-SR1-win32\\eclipse\\eclipse.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\RosettaStoneVersion3.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone TOTALe\\RosettaStoneTOTALe.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"57224:TCP"= 57224:TCP:Pando Media Booster
"57224:UDP"= 57224:UDP:Pando Media Booster
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"<NO NAME>"= 
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [1/25/2012 11:16 56208]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [12/15/2011 17:55 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [1/25/2012 11:16 71440]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [1/25/2012 11:16 164112]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\documents and settings\Finn\Desktop\hw32_236\HWiNFO32.sys [11/21/2008 10:48 16616]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [1/25/2012 11:16 931640]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [5/17/2010 14:45 1615176]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 07:26 135664]
S2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [1/2/2009 21:39 126976]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 07:26 135664]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [4/13/2012 19:20 32072]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [8/7/2011 13:43 21520]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 08:01 2799808]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/4/2009 03:36 717296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs REG_MULTI_SZ eapsvcs
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-01-02 12:42]
.
2012-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003Core.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2012-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003UA.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2011-02-08 c:\windows\Tasks\Reimage Reminder.job
- c:\program files\Reimage\Reimage Repair\ReimageReminder.exe [2011-02-03 13:09]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
mSearch Bar = 
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Finn\Application Data\Mozilla\Firefox\Profiles\58w0as7u.temptemptemp\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-17 23:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-04-17 23:46:34
ComboFix-quarantined-files.txt 2012-04-17 22:46
ComboFix2.txt 2012-03-28 03:07
ComboFix3.txt 2012-03-26 23:42
ComboFix4.txt 2012-03-23 19:13
ComboFix5.txt 2012-04-17 21:47
.
Pre-Run: 11,878,346,752 bytes free
Post-Run: 11,914,809,344 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - F392302B599E51BBCB6A82894CDC7243

======================================
*Systemlook log*
======================================
SystemLook 30.07.11 by jpshortstuff
Log created at 00:34 on 18/04/2012 by Finn
Administrator - Elevation successful

========== dir ==========

C:\Documents and Settings\All Users\Application Data\nEfJfJe06504 - Unable to find folder.

C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E - Unable to find folder.

========== reg ==========

[HKEY_CLASSES_ROOT\%s]
@="F4D55"

[HKEY_CURRENT_USER\Software\Classes\%s]
@="F4D55"

[HKEY_CURRENT_USER\Software\Classes\.exe]
(Unable to open key - key not found)

========== regfind ==========

Searching for "F4D55F17000073230120E1C3D151FC4E"
[HKEY_CURRENT_USER\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"

Searching for "F4D55"
[HKEY_CURRENT_USER\Software\Classes\%s]
@="F4D55"
[HKEY_CURRENT_USER\Software\Classes\F4D55]
[HKEY_CURRENT_USER\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\153B2ABF4D55F155CACF811C82ADEE8B]
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\%s]
@="F4D55"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\F4D55]
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\%s]
@="F4D55"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\F4D55]
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"

Searching for "jau38uj.bin"
No data found.

-= EOF =-


----------



## eddie5659 (Mar 19, 2001)

Okay, looks like it's still there.

Okay, with SystemLook, can you run this for me. It may be long, and if it is, just upload it instead.


```
:filefind
*F4D55*
:regfind
*F4D55*
:folderfind
*F4D55*
```
And post the details

---

Also, I know we had problems earlier, but can you uninstall GMER as follows:

*Uninstall GMER*


*Copy the entire contents of the Quote Box* below to *Notepad*.
Name the file *gmer_uninstall.bat*
Change the *Save as Type* to *All Files*
and *Save* it in the folder *GMER* was saved in.
Once saved, double click on the *gmer_uninstall.bat* file. The MS-DOS window will be displayed. That is normal.



> @echo off
> sc stop gmer
> sc delete gmer
> if exist %SystemRoot%\System32\drivers\gmer.sys del /f /q %SystemRoot%\System32\drivers\gmer.sys
> ...


-----

Please download *DeFogger* to your *desktop*.

Double click *DeFogger* to run the tool.

 The application window will appear
 Click the *Disable* button to disable your CD Emulation drivers
 Click *Yes* to continue
 A *'Finished!'* message will appear
 Click *OK*
 DeFogger will now ask to reboot the machine - click *OK*
*IMPORTANT!* If you receive an error message while running DeFogger, please post the log *defogger_disable* which will appear on your desktop.

*Do not* re-enable these drivers until otherwise instructed.

Then, download a fresh copy of GMER from here and see if you can run a scan:

Please download *GMER* *(only for use on 32-bit operating systems)* from: http://gmer.net/index.php

Click on the "Download EXE" button and save the randomly named .exe file to your desktop.

*Note: You must uninstall any CD Emulation programs that you have before running GMER as they can cause conflicts and give false results.*

Double click the GMER .exe file on your desktop to run the tool and it will automatically do a quick scan.

If the tool warns of rootkit activity and asks if you want to run a full scan, click on No and make sure the following are *unchecked *on the right-hand side:

IAT/EAT
Any drive letter other than the primary system drive (which is generally C).

Click the *Scan *button and when the scan is finished, click *Save* and save the log in Notepad with the name ark.txt to your desktop.

*Note: It's important that all other windows be closed and that you don't touch the mouse or do anything with the computer during the scan as it may cause it to freeze.*


----------
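The `:regfind` queries above work by substring, and the page's later run of the wildcard form `*F4D55*` reports "No data found" in `:regfind` while the plain-substring search still listed the keys, so it is useful to be able to grep the dump yourself. What follows is an added example, not code from the page or from SystemLook/ComboFix: a Python script that parses the `[key]` / `@="value"` lines these tools print, flags the two shapes of .exe-association hijack visible in the logs (a `.exe` or `%s` class mapped to a ProgID other than `exefile`, and a `shell\open\command` that launches something from a data directory and passes the real program along as `"%1" %*`), and renders a REGEDIT4 deletion file for review. The suspicious-directory list, the sample dump and the `reg_delete_script` helper are my assumptions for the example; the dump is constructed from the page's F4D55 entries plus one benign stock handler.

```python
"""Added example (not from the page or from SystemLook/ComboFix): scan a
REGEDIT4-style dump of the kind SystemLook's :regfind and ComboFix's "Reg
Loading Points" print, and flag executable-association hijacks like the F4D55
entries on this page. SAMPLE_DUMP is constructed for the example."""
import re
from dataclasses import dataclass

# Assumed for the example: directories a legitimate .exe handler never lives in.
SUSPICIOUS_DIRS = re.compile(
    r"\\(application data|appdata|programdata|local settings\\temp|temp|recycler)\\",
    re.IGNORECASE,
)
# The stock .exe association: ProgID "exefile" whose open command is just "%1" %*.
STOCK_EXE_PROGID = "exefile"
STOCK_EXE_COMMAND = '"%1" %*'

KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')  # SystemLook prints the value unescaped


@dataclass
class Finding:
    key: str
    value: str
    reason: str


def parse_defaults(dump: str) -> dict:
    """Map every [key] in the dump to its (Default) value, or None if it has none."""
    keys, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, None)
        elif (m := DEFAULT_RE.match(line)) and current is not None:
            keys[current] = m.group(1)
    return keys


def find_exe_hijacks(dump: str) -> list:
    """Return a Finding for each key that re-routes .exe launches through a stranger."""
    findings = []
    for key, value in parse_defaults(dump).items():
        if value is None:
            continue
        lower = key.lower()
        leaf = lower.rsplit("\\", 1)[-1]
        # 1. ".exe" (or the malware's unexpanded "%s" template) mapped to a ProgID
        #    other than exefile, anywhere under a Classes hive.
        if "classes" in lower and leaf in (".exe", "%s") and value.lower() != STOCK_EXE_PROGID:
            findings.append(Finding(key, value, "exe association points at a non-standard ProgID"))
        # 2. An open command that launches something from a data directory and
        #    passes the real target along as "%1" %*: a wrapper, not a handler.
        if lower.endswith("\\shell\\open\\command") and value.strip() != STOCK_EXE_COMMAND:
            if STOCK_EXE_COMMAND in value and SUSPICIOUS_DIRS.search(value):
                findings.append(Finding(key, value, 'open command is a launcher wrapped around "%1" %*'))
    return findings


def reg_delete_script(findings: list) -> str:
    """Render a REGEDIT4 file that removes each hijack; "[-key]" deletes a key.
    For a wrapper command the whole rogue ProgID (the parent of shell\\open\\command)
    goes, so review the output before importing it."""
    suffix = "\\shell\\open\\command"
    targets = []
    for f in findings:
        key = f.key[: -len(suffix)] if f.key.lower().endswith(suffix) else f.key
        if key not in targets:
            targets.append(key)
    return "\n".join(["REGEDIT4", ""] + [f"[-{k}]\n" for k in targets])


# Constructed sample: the page's F4D55 entries plus the stock exefile handler.
SAMPLE_DUMP = r"""
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@=""%1" %*"
[HKEY_CURRENT_USER\Software\Classes\%s]
@="F4D55"
[HKEY_CURRENT_USER\Software\Classes\F4D55]
[HKEY_CURRENT_USER\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\153B2ABF4D55F155CACF811C82ADEE8B]
"""

if __name__ == "__main__":
    hits = find_exe_hijacks(SAMPLE_DUMP)
    for h in hits:
        print(f"{h.reason}\n  {h.key}\n  @=\"{h.value}\"")
    print(reg_delete_script(hits))
```

Run against the sample it reports the `%s` class and the `F4D55` open command and skips the stock `exefile` pair and the Installer component key (which has no default value). The per-SID `HKEY_USERS\S-1-5-21-...-1003` entries in the logs are the same hive as `HKEY_CURRENT_USER` for that logged-on user, so a deletion under HKCU covers them when run as that user.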



## Justletmepost (Mar 11, 2012)

Here's the systemlook log (what on earth is Qoobox?). I'll get on the other stuff now and post the gmer log in my next post.

========================================
*Systemlook log*
========================================
SystemLook 30.07.11 by jpshortstuff
Log created at 20:56 on 19/04/2012 by Finn
Administrator - Elevation successful

========== filefind ==========

Searching for "*F4D55*"
C:\Documents and Settings\All Users\Application Data\Rosetta Stone DEMO\Content\data\24\7\2471075690c0110fd89ccb2111edff4d555fba67 --a---- 8009 bytes [16:31 31/07/2011] [16:31 31/07/2011] 8D03A0EBB7B66E5D04B1F0605E331646
C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\user\conf\1028148\logos\59c5f903767eb1f83af4d55c0eaa14ef_var_0.png.data --a---- 6336 bytes [19:51 13/04/2012] [18:29 13/04/2012] F76444D38CABDB953B88ABF0A76DCEA7
C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\user\conf\1028647\logos\59c5f903767eb1f83af4d55c0eaa14ef_var_0.png.data --a---- 6336 bytes [21:38 17/04/2012] [21:38 17/04/2012] 06725042EDDE28AFB791FBFBD44D3739
C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\user\conf\1029137\logos\59c5f903767eb1f83af4d55c0eaa14ef_var_0.png.data --a---- 6336 bytes [19:36 19/04/2012] [19:36 19/04/2012] 04F7A05DC67C99087B94BA8D1BA43218
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.vir --a---- 328 bytes [20:37 07/03/2012] [22:24 08/03/2012] F3B426D1AAB722C30FD76398419996B8

========== regfind ==========

Searching for "*F4D55*"
No data found.

========== folderfind ==========

Searching for "*F4D55*"
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E d------ [22:42 17/04/2012]

-= EOF =-


----------



## Justletmepost (Mar 11, 2012)

You already got me to run Defogger before, and I haven't installed or enabled any CD emulation software since then, so I didn't bother to download or run it again.

The bat file didn't remove the gmer executable. Presumably because it was randomly named and the bat refers specifically to gmer.exe? So I just (shift-)deleted it manually.

Redownloaded it, ran the scan...and this time I managed to save a log! Shortly after I did so it bluescreened with that BAD_POOL_CALLER error again...but I'd saved the log to desktop by then, so it didn't matter.

==================================
*GMER log*
==================================
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-20 06:39:48
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3160815AS rev.4.AAA
Running: m0kmzhln.exe; Driver: C:\WINDOWS\TEMP\kwldrfog.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xAE4D0080]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xAE4D0BDE]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys ZwCreateThread [0xAE6405E0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xAE4D0DD6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xAE4D45AC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xAE4D45DE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwLoadKey [0xAE4D4740]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xAE4D0CF6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenProcess [0xAE4D01F6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xAE4D03EA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xAE4D051C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xAE4D46B6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xAE4D4620]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xAE4D4652]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xAE4D4684]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xAE4D0026]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xAE4D0E7C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetValueKey [0xAE4D4544]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xAE4CFFC0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateProcess [0xAE4CFEE8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xAE4CFF30]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CDC 80504578 5 Bytes [D6, 0D, 4D, AE, AC]
.text ntkrnlpa.exe!ZwCallbackReturn + 2CE2 8050457E 2 Bytes [4D, AE] {DEC EBP; SCASB }
.text ntkrnlpa.exe!ZwCallbackReturn + 2DE4 80504680 4 Bytes [EA, 03, 4D, AE]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FE8 80504884 8 Bytes CALL B0FE9587 
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6721380, 0x3DF545, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[908] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00414DA0 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[908] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A70001 
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[908] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71A10022 
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[908] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71AE0022

---- Files - GMER 1.0.15 ----

File C:\Program Files\doxygen\examples\group\html\annotated.html 1744 bytes
File C:\Program Files\doxygen\examples\group\html\class_c1.html 1399 bytes
File C:\Program Files\doxygen\examples\group\html\class_c2.html 1399 bytes
File C:\Program Files\doxygen\examples\group\html\class_c3.html 1400 bytes
File C:\Program Files\doxygen\examples\group\html\class_c4.html 1400 bytes
File C:\Program Files\doxygen\examples\group\html\class_c5.html 1505 bytes
File C:\Program Files\doxygen\examples\group\html\doxygen.css 5188 bytes
File C:\Program Files\doxygen\examples\group\html\doxygen.png 1576 bytes
File C:\Program Files\doxygen\examples\group\html\files.html 1174 bytes
File C:\Program Files\doxygen\examples\group\html\globals.html 1376 bytes
File C:\Program Files\doxygen\examples\group\html\globals_func.html 1298 bytes
File C:\Program Files\doxygen\examples\group\html\group_8cpp.html 4211 bytes
File C:\Program Files\doxygen\examples\group\html\group__group1.html 3174 bytes
File C:\Program Files\doxygen\examples\group\html\group__group2.html 2095 bytes
File C:\Program Files\doxygen\examples\group\html\group__group3.html 2503 bytes
File C:\Program Files\doxygen\examples\group\html\group__group4.html 1505 bytes
File C:\Program Files\doxygen\examples\group\html\group__group5.html 1295 bytes
File C:\Program Files\doxygen\examples\group\html\index.html 965 bytes
File C:\Program Files\doxygen\examples\group\html\modules.html 1331 bytes
File C:\Program Files\doxygen\examples\group\html\namespaces.html 1163 bytes
File C:\Program Files\doxygen\examples\group\html\namespace_n1.html 1780 bytes
File C:\Program Files\doxygen\examples\page\html\doxygen.css 5188 bytes
File C:\Program Files\doxygen\examples\page\html\doxygen.png 1576 bytes
File C:\Program Files\doxygen\examples\page\html\index.html 743 bytes
File C:\Program Files\doxygen\examples\page\html\page1.html 1266 bytes
File C:\Program Files\doxygen\examples\page\html\page2.html 776 bytes
File C:\Program Files\doxygen\examples\page\html\pages.html 916 bytes
File C:\Program Files\doxygen\examples\par\html 0 bytes

---- EOF - GMER 1.0.15 ----


----------



## eddie5659 (Mar 19, 2001)

Qoobox is Combofix's Quarantine folder, which we'll be removing at the end of the malware removal.

Okay, can you run this with SystemLook instead:


```
:reg
HKEY_CLASSES_ROOT\%s /sub
HKEY_CURRENT_USER\Software\Classes\%s /sub
HKEY_CURRENT_USER\Software\Classes\.exe /sub
:regfind
F4D55F17000073230120E1C3D151FC4E
F4D55
```
-------------

Please download *Rootkit Unhooker* from one of the following links and save it to your desktop.

Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from the second or third link, you will need to extract the *RKUnhookerLE.exe* file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.


Double-click on *RKUnhookerLE.exe* to start the program.
_*Vista*/*Windows 7* users right-click and select Run As Administrator_.
Click the *Report* tab, then click *Scan*.
Check *Drivers, Stealth,* and uncheck the rest.
Click *OK*.
Wait until it's finished and then go to *File* > *Save Report*.
Save the report to your *Desktop*.
Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "_*Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?*_".

eddie


----------



## Justletmepost (Mar 11, 2012)

Here's the systemlook log - other stuff in my next post when I have it.

===========================
*Systemlook log*
===========================
SystemLook 30.07.11 by jpshortstuff
Log created at 00:40 on 23/04/2012 by Finn
Administrator - Elevation successful

========== reg ==========

[HKEY_CLASSES_ROOT\%s]
@="F4D55"

[HKEY_CURRENT_USER\Software\Classes\%s]
@="F4D55"

[HKEY_CURRENT_USER\Software\Classes\.exe]
(Unable to open key - key not found)

========== regfind ==========

Searching for "F4D55F17000073230120E1C3D151FC4E"
[HKEY_CURRENT_USER\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"

Searching for "F4D55"
[HKEY_CURRENT_USER\Software\Classes\%s]
@="F4D55"
[HKEY_CURRENT_USER\Software\Classes\F4D55]
[HKEY_CURRENT_USER\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\153B2ABF4D55F155CACF811C82ADEE8B]
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\%s]
@="F4D55"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\F4D55]
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\%s]
@="F4D55"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\F4D55]
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"

-= EOF =-
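The regfind section above shows the pattern worth recognising in a SystemLook log: a class name (`F4D55`) whose `shell\open\command` points at an executable under `All Users\Application Data` and passes the original program through as `"%1" %*`, so every launch of that file type is proxied through the unknown binary. The following is an added example, not code from this thread or from SystemLook's author; it parses that output format (a `[key]` line followed by an `@="..."` default-value line), flags pass-through handlers whose launcher lives outside an assumed allowlist of install roots, and runs over a constructed sample that mirrors the log above plus two benign handlers that must not be flagged.

```python
r"""Triage helper for SystemLook 'reg'/'regfind' output: flag shell\open\command
handlers that proxy file launches through an executable living outside the
normal install locations.  Added example for this thread; it assumes the
SystemLook output format shown above ([key] line, then an @="..." line)."""
import re
from dataclasses import dataclass, field

# Constructed sample in SystemLook's regfind format (a cut-down stand-in for
# the log above, plus two benign handlers to show what is NOT flagged).
SAMPLE_LOG = r"""
========== regfind ==========

Searching for "F4D55"
[HKEY_CURRENT_USER\Software\Classes\%s]
@="F4D55"
[HKEY_CURRENT_USER\Software\Classes\F4D55]
[HKEY_CURRENT_USER\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@=""%1" %*"
[HKEY_CURRENT_USER\Software\Classes\.exe]
(Unable to open key - key not found)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DEFAULT_RE = re.compile(r'^@="(?P<value>.*)"$')
# Roots a file-type handler is expected to live under (assumed allowlist).
TRUSTED_ROOTS = ("%systemroot%", "c:\\windows", "c:\\program files")


@dataclass
class Finding:
    key: str
    launcher: str
    command: str
    reasons: list = field(default_factory=list)


def parse_default_values(text):
    """Return (key, default_value) pairs; value is None when no @= line follows."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            entries.append([key_match.group("key"), None])
            continue
        value_match = DEFAULT_RE.match(line)
        if value_match and entries and entries[-1][1] is None:
            entries[-1][1] = value_match.group("value")
    return [tuple(e) for e in entries]


def launcher_of(command):
    """Return the program a shell command runs: the quoted path or first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def find_proxy_handlers(text):
    r"""Flag shell\open\command values where a program outside TRUSTED_ROOTS
    receives the original file as %1, i.e. it wraps every launch."""
    findings = []
    for key, value in parse_default_values(text):
        if value is None or not key.lower().endswith("\\shell\\open\\command"):
            continue
        launcher = launcher_of(value)
        if launcher in ("", "%1") or "%1" not in value:
            continue  # normal exefile handler, or not a pass-through wrapper
        if launcher.lower().startswith(TRUSTED_ROOTS):
            continue
        finding = Finding(key, launcher, value,
                          ["launcher outside trusted roots receives %1"])
        # A long all-hex file name is the naming style seen in the log above.
        stem = launcher.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if re.fullmatch(r"[0-9A-Fa-f]{16,}", stem):
            finding.reasons.append("random-looking hex file name")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_proxy_handlers(SAMPLE_LOG):
        print(f.key)
        print("  launcher:", f.launcher)
        print("  reasons: ", "; ".join(f.reasons))
```

Run against a saved SystemLook log instead of `SAMPLE_LOG` by reading the file into `find_proxy_handlers`. The allowlist is deliberately coarse: a per-user install such as a browser under `Local Settings\Application Data` will also be reported, which is the right bias for triage, since the reviewer only has to confirm the launcher's identity rather than miss a wrapper.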


----------



## Justletmepost (Mar 11, 2012)

Doublepost - systemlook log in last post.

=================================
*Rootkit Unhooker log*
=================================
RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB6BA3000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 7733248 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 190.62 )
0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 5849088 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 190.62 )
0xB063B000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4583424 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB7E1D000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB0424000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB4BBD000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB0555000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xAFD2D000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBD5A6000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB6B4E000 C:\WINDOWS\System32\DRIVERS\e1e5132.sys 266240 bytes (Intel Corporation, Intel(R) PRO/1000 Adapter NDIS 5.2 deserialized driver)
0xAFDAD000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB05E1000 C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys 221184 bytes
0xB4C1B000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB7F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xAFEDE000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB7DF0000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB04BA000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB6B02000 C:\WINDOWS\System32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB052D000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB7F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB0507000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB0494000 C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys 155648 bytes (Trusteer Ltd., RapportPG)
0xB0617000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB6B2A000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB6ACB000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB04E5000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB7ED3000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB7F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB7DD6000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB7F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB040C000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB7EF3000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xB7EAA000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB4C5C000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xAF32E000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB6AEE000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB6B8F000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB05AE000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB7EC1000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB7F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB4C4B000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB7A18000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB7A38000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB7A78000 C:\WINDOWS\System32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xB80A8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xB82C8000 C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys 65536 bytes (Trusteer Ltd., RapportEI)
0xB7A68000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xB1A75000 C:\WINDOWS\System32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xB1AB5000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB7A28000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xAFE36000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB81D8000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xB80B8000 C:\WINDOWS\System32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xB8108000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xB7A58000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xB81B8000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xB80E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB8138000 RapportKELL.sys 49152 bytes (Trusteer Ltd., RapportKE)
0xB82E8000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB8178000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xB8168000 agpCPQ.sys 45056 bytes (Microsoft Corporation, CompatNT AGP Filter)
0xB8158000 alim1541.sys 45056 bytes (Microsoft Corporation, ALi M1541 NT AGP Filter)
0xB8148000 amdagp.sys 45056 bytes (Advanced Micro Devices, Inc., AMD Win2000 AGP Filter)
0xB81F8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB7A48000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xB80D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB82D8000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xB8118000 viaagp.sys 45056 bytes (Microsoft Corporation, VIA NT AGP Filter)
0xB80C8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB4F60000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB8128000 sisagp.sys 40960 bytes (Silicon Integrated Systems Corporation, SiS NT AGP Filter)
0xB81C8000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xAF130000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xB80F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB7A88000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xB8268000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB1A85000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB1A95000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB8430000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xB8410000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xB8428000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xB83D0000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB8328000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB8418000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB8420000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xB8408000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xB8370000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB8458000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xB1A2D000 C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys 20480 bytes (-, -)
0xB1EDD000 C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS 20480 bytes (Motive, Inc., Motive NDIS 5.0 Protocol Driver)
0xB83B8000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xB8330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xB8440000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xB8338000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB8468000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xB1E9D000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB84BC000 cbidf2k.sys 16384 bytes (Microsoft Corporation, CardBus/PCMCIA IDE Miniport Driver)
0xB7547000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB0093000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB753B000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xB84B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB4C97000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB00F7000 C:\Documents and Settings\Finn\Desktop\hw32_236\HWiNFO32.SYS 12288 bytes (REALiX(tm), HWiNFO32 Kernel Driver)
0xB3B65000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xAFFE7000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xB7DAE000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB7DB2000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB8548000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xB85CC000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xB85AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xB85D2000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xB85CA000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xB85A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xB85CE000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xB8630000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xB85D0000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xB85D8000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xB862E000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xB85AA000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xB86E2000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB8702000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xB87E6000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xB8670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================


----------



## eddie5659 (Mar 19, 2001)

Okay, can you run an online scan here, and we'll see what it removes:

Please go to *here* to run an online scanner from ESET.

 Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to *YES, I accept the Terms of Use.*
Click *Start*
When asked, allow the activex control to install
Click *Start*
Make sure that the option *Remove found threats* is *ticked*, and the option *Scan unwanted applications* is *checked*
Click on *Advanced Settings* and ensure these options are ticked:
*Scan for potentially unwanted applications*
*Scan for potentially unsafe applications*
*Enable Anti-Stealth Technology*

Click *Scan*
Wait for the scan to finish
If any threats were found, click the *'List of found threats' *, then click* Export to text file...*. 
Save it to your desktop, then please copy and paste that log as a reply to this topic.

On a side note, since the Eset scanner is a 32-bit application, if you're running a 64-bit system you have to choose the 32-bit option in IE when running the scan


----------



## Justletmepost (Mar 11, 2012)

I had to use the Temp_for_fix profile to get this to work - on Finn it never asked me to install an ActiveX control. 
Also, this has made me notice that, on Finn only, Internet Explorer (which I normally never use) complains of insufficient security settings (paraphrased) when I open it. It gives an option to automatically "fix settings". Is there any reason I shouldn't let it do this?

Also, no "scan unwanted applications" option was available. 
*Scan for potentially unsafe applications *was there, though.

=============================
*ESET log*
=============================
C:\Documents and Settings\Finn\Desktop\FYP NOTES\PerfectUninstaller_Setup.exe a variant of Win32/PerfectUninstaller application deleted - quarantined
C:\Documents and Settings\Finn\Desktop\FYP NOTES\SUPERsetup.exe Win32/OpenCandy application deleted - quarantined
C:\Documents and Settings\Finn\Desktop\FYP NOTES\kag157w\setup.exe Win32/OpenCandy application deleted - quarantined
C:\Documents and Settings\Finn\My Documents\Downloads\lmms-0.4.13-win32.exe Win32/Toolbar.Babylon application deleted - quarantined
C:\Program Files\LMMS\Babylon9_setup.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Program Files\Perfect Uninstaller\PU.exe a variant of Win32/PerfectUninstaller application cleaned by deleting - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP356\A1418723.sys a variant of Win32/Rootkit.Kryptik.KD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP356\A1418840.sys a variant of Win32/Rootkit.Kryptik.KD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP356\A1418853.sys a variant of Win32/Rootkit.Kryptik.KD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP356\A1418860.sys a variant of Win32/Rootkit.Kryptik.KD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP356\A1418921.sys a variant of Win32/Rootkit.Kryptik.KD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP359\A1419214.sys a variant of Win32/Rootkit.Kryptik.KD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP359\A1419232.sys a variant of Win32/Rootkit.Kryptik.KD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP359\A1419244.sys a variant of Win32/Rootkit.Kryptik.KD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP359\A1419296.sys a variant of Win32/Rootkit.Kryptik.KD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP359\A1419402.sys a variant of Win32/Rootkit.Kryptik.KD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP401\A1433782.exe a variant of Win32/PerfectUninstaller application deleted - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP401\A1433783.exe Win32/OpenCandy application deleted - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP401\A1433784.exe Win32/OpenCandy application deleted - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP401\A1433785.exe Win32/Toolbar.Babylon application deleted - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP402\A1433786.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\System Volume Information\_restore{81B923B0-751B-408C-8D52-143726BAD7E4}\RP402\A1433789.exe a variant of Win32/PerfectUninstaller application cleaned by deleting - quarantined


----------



## Justletmepost (Mar 11, 2012)

Doublepost.
Some odd stuff since my last post.

-Soon after that post, that thing of windows declaring the Finn profile corrupt and unloadable happened again, followed, as before, by a forced CHKDSK on reboot. But again, after that, no problems.

-Also, I've noticed that even what I thought were missing drivers (i.e. my sound not working) only applies on the Finn account. On Temp_for_fix sound works just fine 0_o


----------



## eddie5659 (Mar 19, 2001)

It looks like from what you're saying that the main account is corrupt. Can you make the new account an Admin?

Also, for the last SystemLook scan that you ran, was that using the temp account, or the Admin Finn account?

If it was temp, just see if you can run it for the Finn.

Download *RogueKiller* to your desktop


Quit all running programs 
For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe 
Wait until the Pre-scan has finished.
Click on Scan
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe 
Click on Report and copy/paste the contents here.
Also, in the RKQuarantine folder on the Desktop, is a file called Physicaldrive0_User. Can you zip and attach the file here

I'm away for two weeks from tonight, but I'm letting others know so someone else will reply whilst I'm away.

eddie


----------



## Justletmepost (Mar 11, 2012)

All right. Enjoy your holiday 

I made the Temp_for_fix account Admin when I created it.

As to the Systemlook scan, I'm pretty sure that everything I haven't specifically stated I ran on Temp_for_fix, I ran on Finn.

=====================================
*Roguekiller report*
=====================================
RogueKiller V7.3.3 [04/22/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Finn [Admin rights]
Mode: Scan -- Date: 04/30/2012 01:00:15

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 11 ¤¤¤
[] HKCU\[...]\Internet Settings : () -> ACCESS DENIED
[] HKCU\[...]\Internet Settings : () -> ACCESS DENIED
[] HKCU\[...]\Desktop : () -> ACCESS DENIED
[] HKCU\[...]\Desktop : () -> ACCESS DENIED
[] HKCU\[...]\ClassicStartMenu : () -> ACCESS DENIED
[] HKCU\[...]\NewStartPanel : () -> ACCESS DENIED
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[] HKCU\[...]\ClassicStartMenu : () -> ACCESS DENIED
[] HKCU\[...]\NewStartPanel : () -> ACCESS DENIED
[] HKCU\[...]\ClassicStartMenu : () -> ACCESS DENIED
[] HKCU\[...]\NewStartPanel : () -> ACCESS DENIED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[53] : NtCreateThread @ 0x805D1018 -> HOOKED (\??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys @ 0xACAFB5E0)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160815AS +++++
--- User ---
[MBR] 6444df522286b7b10541b09ef82cdadf
[BSP] f981b19202d8d17c2f2b6169412be07b : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 131061 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt


----------



## eddie5659 (Mar 19, 2001)

Okay, just spent the past two hours re-reading this to refresh myself 

So, I can see a few things, so I'll ask now to clear them up 

Are you still getting this on startup:



> "Warning:
> Unknown(): Unable to load dynamic library '..\php4\extensions\php_curl.dll' - The specified module could not be found.


If so, it looks like it's part of this:

C:\Documents and Settings\Finn\Desktop\FYP NOTES

As this is an example of what you have on your computer (found in the OTL logs):



> MOD - [2005/07/11 15:26:52 | 000,671,744 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_pdf.dll


-----

We may be able to recover your shortcuts, but do you have them with your temp_fix account? Is it just the main Finn account that's missing them?

--

The above log that you posted, as this is from the main account, the entries that are denied are not normal. This can point to a problem with the account settings, which fits into the same pattern we're seeing.

I'll look at that in a bit, as I just need to check a few things first 

eddie


----------



## Justletmepost (Mar 11, 2012)

Welcome back, Eddie!

Yes, I still get that message on startup.
And...huh. FYP Notes, as I might have said at some point, is my Firefox downloads folder. Why is Windows trying to load a dll from there on startup...I suppose I must have downloaded a program to there (Netserver, apparently), and run it from there and directly and set it to start on startup...? *doesn't remember* >_>

Yes, I still have my shortcuts on the Temp_For_Fix account. Only missing on Finn. 

And while we're asking questions, you never answered one of mine (or I didn't notice if you did): Is there any reason at all I shouldn't let the computer apply a Windows Update at the moment? I assume there's no reason I shouldn't, but I just wanted to check in case it was possible the virus might have hijacked it or something.

Also: you know how my original GMER attempts resulted in Blue Screens? Well, yesterday this happened again when I did a full hard drive search for particular phrase. So perhaps it's happening as a result of accessing a particular file somewhere?


----------



## eddie5659 (Mar 19, 2001)

For the Netserver, this looks like it:

http://sourceforge.net/projects/netserver/

Do you use it, or know its installed?

For the Blue Screens, is it the same message?

We have some things to try now 

------

First of all, can you delete the copy of ComboFix that you have, and download a fresh one from one of these links:

*Link 1*
*Link 2*

Don't run it, but do this:

Delete any copies of CFScript.txt if you have them, and then create a new one as below:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the quotebox below into it:



> File::
> c:\windows\system32\drivers\sptd.sys
> Driver::
> sptd


Save this as *CFScript.txt*, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

---------------------

Then, can you re-run aswMBR again and allow the Avast Engine this time. This is the canned just to make it easier to run 

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan 

On completion of the scan click save log, save it to your desktop and post in your next reply 

------------

We'll go from there to start with 

eddie


----------



## Justletmepost (Mar 11, 2012)

You still haven't answered my question about the Windows Update.

Anyway, I am fairly sure I downloaded/installed Netserver deliberately. But it was long enough ago that I can't remember WHY I downloaded it. So uninstalling it wouldn't be a huge loss 

Combofix behaved in exactly the same way as every other time as far as I could be bothered to observe, right down to AGAIN claiming I didn't have the Recovery Console - and so, again, I let it redownload it. Perhaps this only happens because I start the scan on the Finn account? And, again, after rebooting I had to log into Temp_for_fix for it to finish the scan. Here follows the log - ASWMBR will be in my next post.

=============================================
*Combofix log*
==============================================
ComboFix 12-05-15.04 - Temp_for_fix 05/16/2012 4:36.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1621 [GMT 1:00]
Running from: c:\documents and settings\Finn\Desktop\Finn101112.exe
Command switches used :: c:\documents and settings\Finn\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\drivers\sptd.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SPTD
-------\Service_sptd
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2012-04-16 to 2012-05-16 )))))))))))))))))))))))))))))))
.
.
2012-05-04 08:07 . 2012-05-04 08:07 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\OpenOffice.org
2012-05-02 12:51 . 2012-05-02 12:51 -------- d-----w- c:\program files\Lame For Audacity
2012-05-02 11:22 . 2012-05-02 11:22 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\DivX
2012-05-01 09:18 . 2012-05-01 09:18 -------- d-----w- c:\documents and settings\Temp_for_fix\Contacts
2012-04-28 23:39 . 2012-04-29 01:33 -------- d-----w- c:\documents and settings\Temp_for_fix\Local Settings\Application Data\WMTools Downloaded Files
2012-04-28 23:18 . 2012-04-28 23:19  -------- d-----w- c:\documents and settings\Temp_for_fix\Local Settings\Application Data\ApplicationHistory
2012-04-28 07:02 . 2012-04-28 07:02 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\vlc
2012-04-23 20:49 . 2012-04-23 20:49 -------- d-----w- c:\program files\ESET
2012-04-23 20:48 . 2012-04-23 20:48 -------- d-----r- c:\documents and settings\Temp_for_fix\Application Data\yahoo!
2012-04-23 20:46 . 2012-04-23 20:47 -------- d-----w- c:\documents and settings\Temp_for_fix\Local Settings\Application Data\Google
2012-04-20 06:05 . 2012-04-20 06:05 -------- d-----w- c:\documents and settings\Temp_for_fix\Local Settings\Application Data\Adobe
2012-04-17 23:13 . 2012-04-17 23:13 -------- d-----w- c:\documents and settings\Temp_for_fix\Local Settings\Application Data\Mozilla
2012-04-17 21:37 . 2012-04-17 21:37 -------- d-----w- c:\program files\ERUNT
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 18:20 . 2012-04-13 18:20 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-04-11 06:08 . 2012-04-11 06:19 883616 ----a-w- C:\FixExec.com
2012-04-04 14:56 . 2012-04-11 07:24 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-19 00:32 . 2012-03-18 23:40 2617176 ----a-w- C:\revosetup.exe
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-06 23:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((( [email protected]_19.36.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-16 04:08 . 2012-05-16 04:08 16384 c:\windows\temp\Perflib_Perfdata_16d0.dat
+ 2001-08-23 12:00 . 2012-03-26 10:24 60180 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2012-01-13 00:50 60180 c:\windows\system32\perfc009.dat
+ 2009-01-01 00:42 . 2012-03-28 20:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-01 00:42 . 2012-02-24 18:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-04-13 18:22 . 2012-04-13 18:22 22016 c:\windows\Installer\5866577.msi
- 2009-12-11 15:38 . 2009-12-11 15:38 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamStartMenuS_65895B9BA1A04BCBAB7BF5673B44A0E4.exe
+ 2009-12-11 15:38 . 2012-04-29 01:45 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamStartMenuS_65895B9BA1A04BCBAB7BF5673B44A0E4.exe
+ 2009-12-11 15:38 . 2012-04-29 01:45 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamDesktopSho_C0678C37AA5341A4BE4781BAF94DE0CC.exe
- 2009-12-11 15:38 . 2009-12-11 15:38 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamDesktopSho_C0678C37AA5341A4BE4781BAF94DE0CC.exe
+ 2009-12-11 15:38 . 2012-04-29 01:45 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\ARPPRODUCTICON.exe
- 2009-12-11 15:38 . 2009-12-11 15:38 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\ARPPRODUCTICON.exe
+ 2012-05-01 09:18 . 2012-05-01 09:18 29926 c:\windows\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
- 2009-02-04 22:07 . 2009-02-04 22:07 29926 c:\windows\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2012-04-17 21:39 . 2012-04-17 21:39 61440 c:\windows\ERDNT\17-04-2012\Users\00000001\ntuser.dat
- 2009-01-05 02:04 . 2012-03-18 21:21 5536 c:\windows\system32\d3d9caps.dat
+ 2009-01-05 02:04 . 2012-03-28 01:52 5536 c:\windows\system32\d3d9caps.dat
+ 2012-05-16 03:59 . 2008-12-16 21:59 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
+ 2001-08-23 12:00 . 2012-03-26 10:24 377306 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2012-01-13 00:50 377306 c:\windows\system32\perfh009.dat
- 2011-09-05 23:06 . 2011-09-05 23:06 371272 c:\windows\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
+ 2012-04-13 14:26 . 2012-04-13 14:26 371272 c:\windows\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
+ 2012-04-17 21:39 . 2012-04-17 21:39 262144 c:\windows\ERDNT\17-04-2012\Users\00000002\UsrClass.dat
+ 2012-04-17 21:39 . 2005-10-20 11:02 163328 c:\windows\ERDNT\17-04-2012\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-06 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-08 543232]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"HostManager"="c:\program files\Common Files\AOL\1169214453\ee\AOLSoftware.exe" [2006-05-24 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-06 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-06 138008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-11 421888]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CHotkey"="zHotkey.exe" [2004-12-08 550912]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Finn\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\Temp_for_fix\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2009-1-5 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Finn^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\Finn\\Desktop\\eclipse-java-ganymede-SR1-win32\\eclipse\\eclipse.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\RosettaStoneVersion3.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone TOTALe\\RosettaStoneTOTALe.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"57224:TCP"= 57224:TCP:Pando Media Booster
"57224:UDP"= 57224:UDP:Pando Media Booster
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"<NO NAME>"= 
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [1/25/2012 11:16 56208]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [12/15/2011 17:55 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [1/25/2012 11:16 71440]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [1/25/2012 11:16 164112]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\documents and settings\Finn\Desktop\hw32_236\HWiNFO32.sys [11/21/2008 10:48 16616]
R2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [1/2/2009 21:39 126976]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [1/25/2012 11:16 931640]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [5/17/2010 14:45 1615176]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 07:26 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 07:26 135664]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [4/13/2012 19:20 32072]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [8/7/2011 13:43 21520]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 08:01 2799808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs REG_MULTI_SZ eapsvcs
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-01-02 12:42]
.
2012-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-05-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003Core.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2012-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003UA.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2011-02-08 c:\windows\Tasks\Reimage Reminder.job
- c:\program files\Reimage\Reimage Repair\ReimageReminder.exe [2011-02-03 13:09]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
mSearch Bar = 
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Temp_for_fix\Application Data\Mozilla\Firefox\Profiles\54adpbq5.default\
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-16 05:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(8424)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\progra~1\BTHOME~1\Help\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\documents and settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\apache.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
c:\windows\system32\dllhost.exe
c:\documents and settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\apache.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\zHotkey.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\BT Home Hub\Help\bin\mpbtn.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2012-05-16 05:12:33 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-16 04:12
ComboFix2.txt 2012-03-28 03:07
ComboFix3.txt 2012-03-26 23:42
ComboFix4.txt 2012-03-23 19:13
ComboFix5.txt 2012-04-17 21:47
.
Pre-Run: 9,504,378,880 bytes free
Post-Run: 9,518,100,480 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - 39B84464CBBFD676848EEBD8659FB159


----------



## eddie5659 (Mar 19, 2001)

Sorry, I was going to ask about the Windows Update, then posted and forgot to include it 

Which update is it? It should have a kb number, or if not, what is the actual title?

As for the uninstalling of Netserver, it's up to you. Reinstalling it may solve that part of the error message, as it points towards a corrupt file or two. However, uninstalling should also stop the message, as they wouldn't be there.

When you ran Combofix, did it still say it was infected with ZeroAccess, as well as the Recovery Console not installed?

eddie


----------



## Justletmepost (Mar 11, 2012)

Windows Update: Um. To be clear, I'm referring to, when I go to Turn Off Computer, it saying "click turn off to install important updates and turn off your computer. Click here to turn off without installing updates.", in which I've been selecting the latter. Where would I see a kb number or title?

And yes, Combofix still said it was infected with ZeroAccess, as well as the Recovery Console not installed.

And now, aswmbr!

============================
*ASWMBR log*
===========================
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-16 09:54:10
-----------------------------
09:54:10.234 OS Version: Windows 5.1.2600 Service Pack 3
09:54:10.234 Number of processors: 2 586 0x1706
09:54:10.234 ComputerName: FINN-GE6QC5 UserName: Finn
09:54:19.125 Initialize success
09:58:06.875 AVAST engine defs: 12051501
09:59:21.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
09:59:21.437 Disk 0 Vendor: ST3160815AS 4.AAA Size: 152627MB BusType: 3
09:59:21.437 Disk 0 MBR read successfully
09:59:21.437 Disk 0 MBR scan
09:59:21.500 Disk 0 Windows XP default MBR code
09:59:21.500 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 131061 MB offset 63
09:59:21.515 Disk 0 scanning sectors +268414020
09:59:21.656 Disk 0 scanning C:\WINDOWS\system32\drivers
09:59:43.062 Service scanning
10:00:41.312 Modules scanning
10:01:05.328 Disk 0 trace - called modules:
10:01:05.343 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys 
10:01:05.343 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a735ab8]
10:01:05.359 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\000000a2[0x8a7a29e8]
10:01:05.359 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a7e6d98]
10:01:06.765 AVAST engine scan C:\WINDOWS
10:01:36.343 AVAST engine scan C:\WINDOWS\system32
10:10:51.296 AVAST engine scan C:\WINDOWS\system32\drivers
10:11:15.343 AVAST engine scan C:\Documents and Settings\Finn
12:06:09.359 AVAST engine scan C:\Documents and Settings\All Users
14:36:46.921 Scan finished successfully
19:29:22.015 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Finn\Desktop\MBR.dat"
19:29:22.031 The log file has been saved successfully to "C:\Documents and Settings\Finn\Desktop\aswMBR_may_16.txt"


----------



## eddie5659 (Mar 19, 2001)

Looks like the aswMBR is nice and clean, just wanted to check them, as there were some files that were suspect before.

I'll find out about the Windows Update for you, as I'm not sure myself. In the meantime, can you do this for me:

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application.

Reboot.

1. Please download the Event Viewer Tool by Vino Rosso

   http://images.malwareremoval.com/vino/VEW.exe

   and save it to your Desktop.
2. Double-click VEW.exe
3. Under 'Select log to query', select:
   * System
4. Under 'Select type to list', select:
   * Error
   * Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
2. Type 20 in the 1 to 20 box
3. Then click the Run button.

Notepad will open with the output log.

Please post the Output log in your next reply then repeat but select Application.

eddie


----------



## Justletmepost (Mar 11, 2012)

Oh, I forgot to mention - in the ASWMBR scan I selected Quickscan for the Avast part, rather than a full C drive scan. I hope that's fine?

=============================
*VEW log - system*
============================

Vino's Event Viewer v01c run on Windows XP in English
Report run at 5/19/2012 2:46:39 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 5/19/2012 2:34:52 PM
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The Apache service hung on starting.

Log: 'System' Date/Time: 5/19/2012 2:33:01 PM
Type: error Category: 0
Event: 7024 Source: Service Control Manager
The Media Center Extender Service service terminated with service-specific error 2147500037 (0x80004005).

Log: 'System' Date/Time: 5/19/2012 2:33:01 PM
Type: error Category: 0
Event: 7024 Source: Service Control Manager
The SQL Server (SQLEXPRESS) service terminated with service-specific error 17058 (0x42A2).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========================================
*VEW log - application*
==========================================
Vino's Event Viewer v01c run on Windows XP in English
Report run at 5/19/2012 2:48:50 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 5/19/2012 2:32:51 PM
Type: error Category: 0
Event: 36864 Source: Media Center Extender Services
ERROR: Device Service Initialization - Unable to create or initialize Device Table. Error code 0x80004005.

Log: 'Application' Date/Time: 5/19/2012 2:32:50 PM
Type: error Category: 2
Event: 17053 Source: MSSQL$SQLEXPRESS
UpdateUptimeRegKey: Operating system error 5(Access is denied.) encountered.

Log: 'Application' Date/Time: 5/19/2012 2:32:50 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/19/2012 2:32:49 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/19/2012 2:32:49 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/19/2012 2:32:49 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/19/2012 2:32:48 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/19/2012 2:32:48 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/19/2012 2:32:48 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/19/2012 2:32:47 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/19/2012 2:32:47 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/19/2012 2:32:47 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
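
The VEW output above is the kind of listing eddie asks for at each step; as an added example (not part of the thread, and not code from the VEW tool), this Python script parses VEW's four-line record layout, collapses repeated errors into one count per source and event id, and pulls out the paths named in "Access is denied" messages so you know which object's permissions to look at. The sample log text is constructed in the format shown above.

```python
"""Triage helper for VEW (Vino's Event Viewer) text output.

Added example, not part of the thread or of the VEW tool. It parses the
four-line records VEW emits (Log/Date, Type/Category, Event/Source, message)
and collapses repeated failures into one count per (source, event id).
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample in the VEW record format seen in the thread, not a capture.
SAMPLE_VEW = """\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 5/19/2012 2:32:51 PM
Type: error Category: 0
Event: 36864 Source: Media Center Extender Services
ERROR: Device Service Initialization - Unable to create or initialize Device Table. Error code 0x80004005.

Log: 'Application' Date/Time: 5/19/2012 2:32:50 PM
Type: error Category: 2
Event: 17053 Source: MSSQL$SQLEXPRESS
UpdateUptimeRegKey: Operating system error 5(Access is denied.) encountered.

Log: 'Application' Date/Time: 5/19/2012 2:32:50 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\\Program Files\\Microsoft SQL Server\\MSSQL.1\\MSSQL\\LOG\\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/19/2012 2:32:49 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\\Program Files\\Microsoft SQL Server\\MSSQL.1\\MSSQL\\LOG\\ERRORLOG'. Operating system error = 5(Access is denied.).
"""

HEADER_RE = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>.+)$")
TYPE_RE = re.compile(r"^Type: (?P<kind>\w+) Category: (?P<category>\d+)$")
EVENT_RE = re.compile(r"^Event: (?P<event>\d+) Source: (?P<source>.+)$")
# A quoted Windows path inside a message, e.g. the file that could not be opened.
PATH_RE = re.compile(r"'([A-Za-z]:\\[^']+)'")


@dataclass
class Record:
    log: str
    when: str
    kind: str
    category: int
    event: int
    source: str
    message: str


def parse_vew(text):
    """Return one Record per four-line VEW entry; other lines are skipped."""
    lines = text.splitlines()
    records, i = [], 0
    while i < len(lines):
        head = HEADER_RE.match(lines[i])
        kind = TYPE_RE.match(lines[i + 1]) if head and i + 1 < len(lines) else None
        evt = EVENT_RE.match(lines[i + 2]) if kind and i + 2 < len(lines) else None
        if not evt:
            i += 1  # not the start of a well-formed record
            continue
        message = lines[i + 3].strip() if i + 3 < len(lines) else ""
        records.append(Record(head["log"], head["when"], kind["kind"],
                              int(kind["category"]), int(evt["event"]),
                              evt["source"].strip(), message))
        i += 4
    return records


def summarize(records):
    """(source, event, count, distinct messages), most frequent first."""
    counts = Counter((r.source, r.event) for r in records)
    messages = defaultdict(set)
    for r in records:
        messages[(r.source, r.event)].add(r.message)
    return [(src, ev, n, sorted(messages[(src, ev)]))
            for (src, ev), n in counts.most_common()]


def access_denied_paths(records):
    """Objects named in 'Access is denied' messages: what to check ACLs on."""
    paths = set()
    for r in records:
        if "Access is denied" in r.message:
            paths.update(PATH_RE.findall(r.message))
    return sorted(paths)


if __name__ == "__main__":
    recs = parse_vew(SAMPLE_VEW)
    for src, ev, n, msgs in summarize(recs):
        print(f"{n:3d} x  {src}  event {ev}")
        for msg in msgs:
            print("        " + msg)
    print("Objects named in access-denied errors:")
    for path in access_denied_paths(recs):
        print("   " + path)
```

Feed it the real VEW output saved by the tool instead of SAMPLE_VEW and the ten identical 17058 lines in the post above collapse to a single counted entry naming the ERRORLOG file.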


----------



## eddie5659 (Mar 19, 2001)

It should be okay for the quickscan. I'll have a look at the Event Viewer now, but in the meantime, let's see if resetting the winsock and tcpip will help.

So, go to Start | Run and type

*cmd*

and press OK.

Now, in the command prompt, type the following:

*netsh winsock show catalog*

and press Enter, and then type this:

*netsh int ip reset \reset.log*

And press Enter. Now, close the command screen by pressing the X as normal, reboot, and copy and paste the contents of *C:\reset.log* here.

eddie


----------



## Justletmepost (Mar 11, 2012)

reset log:

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{181C96D6-4236-4D37-AC39-BC1F447B9DA2}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{181C96D6-4236-4D37-AC39-BC1F447B9DA2}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{181C96D6-4236-4D37-AC39-BC1F447B9DA2}\IpAutoconfigurationSeed
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer
<completed>


----------



## eddie5659 (Mar 19, 2001)

Thanks 

Download SubInACL.exe

http://www.microsoft.com/downloads/...56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en

By default it installs the tool in C:\Program Files\Windows Resource Kits\Tools\

Please allow it to do so.

Download and Save the attached file, reset.zip, right click on it and Extract all and copy the reset.cmd file to C:\Program Files\Windows Resource Kits\Tools\.
Start, Run, cmd, OK. Type with an Enter after each line:


```
cd  "\Program Files\Windows Resource Kits\Tools"

reset.cmd
```
----------

Please download GrantPerms.zip

http://download.bleepingcomputer.com/farbar/GrantPerms.zip

and save it to your desktop.
Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe (as you're on 32-bit XP, run GrantPerms.exe)

Copy and paste the following in the edit box:

*c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG*

Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

When done try clearing the event logs again and reboot and run VEW again and see if you still get the errors.

eddie


----------



## Justletmepost (Mar 11, 2012)

...download WHAT attached file? In my posts where I've attached something, there's a box at the bottom of the post labeled "attached files". Not so in your post.


----------



## eddie5659 (Mar 19, 2001)

Nuts, forgot it. Hang on....

Here it is 

-------

Also, can you re-open the cmd again, and type this in and press Enter:

*netsh winsock reset catalog*

and reboot.


----------



## Justletmepost (Mar 11, 2012)

I assumed you wanted me to reset the winsock catalog BEFORE doing the other things, so I did.
Here's the Perms. New VEW results in my next post.

===========================
*Perms.txt*
===========================
GrantPerms by Farbar 
Ran by Finn (administrator) at 2012-05-20 20:00:03

===============================================
\\?\c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (I)
BUILTIN\Power Users change ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)


----------



## Justletmepost (Mar 11, 2012)

....huh!
After rebooting, upon logging into Finn again, my background's changed to the default background. And I got a popup saying "setting up personal settings for" various things, such as Outlook Express.
And my start menu stuff is back!
I was paranoid that it was just doing that "profile corrupt, creating a temporary profile" thing again without me noticing, so I logged out of Finn and back in again, but nope, Start menu's still fixed! Though this time, oddly, I got a minimized window called zhotkey on the taskbar, which couldn't be restored - if I tried to, I got the "window being restored from the taskbar" animation, but no actual window appeared. Strange. Closed it from the taskbar.

Now to make the new VEW log...ha! C drive isn't set to "hidden" anymore!
*runs VEW*

=======================
*VEW log - system*
=======================
Vino's Event Viewer v01c run on Windows XP in English
Report run at 5/20/2012 8:19:59 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 5/20/2012 8:08:35 PM
Type: error Category: 0
Event: 7024 Source: Service Control Manager
The SQL Server (SQLEXPRESS) service terminated with service-specific error 17058 (0x42A2).

Log: 'System' Date/Time: 5/20/2012 8:08:29 PM
Type: error Category: 0
Event: 7024 Source: Service Control Manager
The Media Center Extender Service service terminated with service-specific error 2147500037 (0x80004005).

Log: 'System' Date/Time: 5/20/2012 8:06:17 PM
Type: error Category: 0
Event: 7024 Source: Service Control Manager
The Apache service terminated with service-specific error 1 (0x1).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

=================================
*VEW log - application*
=================================
Vino's Event Viewer v01c run on Windows XP in English
Report run at 5/20/2012 8:21:04 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 5/20/2012 8:12:32 PM
Type: error Category: 0
Event: 1505 Source: Userenv
Windows cannot load the user's profile but has logged you on with the default profile for the system. DETAIL - Access is denied.

Log: 'Application' Date/Time: 5/20/2012 8:10:25 PM
Type: error Category: 0
Event: 1505 Source: Userenv
Windows cannot load the user's profile but has logged you on with the default profile for the system. DETAIL - Access is denied.

Log: 'Application' Date/Time: 5/20/2012 8:08:31 PM
Type: error Category: 2
Event: 17053 Source: MSSQL$SQLEXPRESS
UpdateUptimeRegKey: Operating system error 5(Access is denied.) encountered.

Log: 'Application' Date/Time: 5/20/2012 8:08:30 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/20/2012 8:08:30 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/20/2012 8:08:30 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/20/2012 8:08:29 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/20/2012 8:08:29 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/20/2012 8:08:29 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/20/2012 8:08:29 PM
Type: error Category: 0
Event: 36864 Source: Media Center Extender Services
ERROR: Device Service Initialization - Unable to create or initialize Device Table. Error code 0x80004005.

Log: 'Application' Date/Time: 5/20/2012 8:08:28 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/20/2012 8:08:28 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/20/2012 8:08:28 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

Log: 'Application' Date/Time: 5/20/2012 8:08:27 PM
Type: error Category: 2
Event: 17058 Source: MSSQL$SQLEXPRESS
initerrlog: Could not open error log file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


----------



## eddie5659 (Mar 19, 2001)

Excellent news :up:

Still getting the errors though, but we'll look at them in a bit. Can you run RogueKiller again, and post the log, as I want to see if it's still showing as denied.

http://forums.techguy.org/8338541-post67.html

No need to attach the Physicaldrive0_User file this time


----------



## Justletmepost (Mar 11, 2012)

=================
*Roguekiller*
=================
RogueKiller V7.4.5 [05/18/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Finn [Admin rights]
Mode: Scan -- Date: 05/20/2012 23:46:15

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 1 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[53] : NtCreateThread @ 0x805D1018 -> HOOKED (\??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys @ 0xAF9445E0)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160815AS +++++
--- User ---
[MBR] 6444df522286b7b10541b09ef82cdadf
[BSP] f981b19202d8d17c2f2b6169412be07b : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 131061 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt


----------



## eddie5659 (Mar 19, 2001)

Okay, let's see if we can sort the rest of the problems out.

Open HijackThis, click Config, click Misc Tools
Click "*Open Uninstall Manager*"
Click "Save List" (generates *uninstall_list.txt*)
Click Save, copy and paste the results in your next post.

-----------

Also, can you re-run Combofix and see if it still comes up with the Rootkit.ZeroAccess message. Can you also post the log, just in case anything new has surfaced after getting the shortcuts back.

---------

Can you run SystemLook but with the following code, and copy/paste the log:


```
:dir
C:\Documents and Settings\All Users\Application Data
:filefind
*jau38uj*
*F4D55F17000073230120E1C3D151FC4E*
:folderfind
*jau38uj*
*F4D55F17000073230120E1C3D151FC4E*
:reg
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
:regfind
F4D55F17000073230120E1C3D151FC4E
F4D55
```
-------------------
And there is an updated version of OTL, so can you just delete the one you have and run the new one as follows. Only one notepad may open, which is fine.

Download *OTL* to your Desktop 

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. 
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long. 
When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL. 
Please copy *(Edit->Select All, Edit->Copy)* the contents of these files, one at a time and post them in your topic 


eddie


----------



## Justletmepost (Mar 11, 2012)

Here's the uninstall list, while I work on the other things. When you said to re-run combofix, did you mean by dragging that most recent script onto it again, or by executing it normally?

==============================
*uninstall_list.txt*
==============================
7-Zip 4.42
Ad-Aware SE Personal
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Adobe Shockwave Player 11.5
Alarm
Alias DirectConnect 2.0
Allegro Common Lisp 8.1 Free Express Edition
AML Free Registry Cleaner 4.20
AOL Uninstaller (Choose which Products to Remove)
Apple Software Update
Audacity 1.2.6
Azureus
Black and White
Blender (remove only)
BT Broadband Desktop Help
BT Home Hub
BT Wireless Connection Manager
BT Yahoo! Applications
CamStudio
CamStudio Lossless Codec v1.4
Click to Call with Skype
Combined Community Codec Pack 2008-01-24
Developer Express DXCore for Visual Studio .NET
Developer Express Refactor! for C++
DH Driver Cleaner Professional Edition
Digital Media Reader
DivX Setup
DivX Web Player
doxygen 1.3.6
ERUNT 1.1j
ESET Online Scanner v3
Fable - The Lost Chapters
Façade
FileZilla Client 3.5.3
FlashDevelop 4.0.0
Fraps (remove only)
GCFScape 1.7.0
GIMP 2.6.11
GlassFish V2.1
GlassFish v3 Prelude
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
Graphviz
GTK+ 2.8.18-1 runtime environment
Hamachi 1.0.3.0
Hotfix for Microsoft .NET Framework 3.5 (KB2418240)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet 3900 series
HP Image Zone Express
HP Imaging Device Functions 5.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections 12.1.12.0
Japanese Language Support
Java DB 10.2.2.0
JDiskReport 1.4.0
KAG 0.90A
KingsTools
LAME v3.99.3 (for Windows)
LMMS 0.4.13
Local Website Archive 2.1.1
Logitech QuickCam
Logitech QuickCam Driver Package
Logitech Updater
Malwarebytes Anti-Malware version 1.61.0.1400
Maya 7.0 Personal Learning Edition
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Device Emulator version 1.0 - ENU
Microsoft DirectX SDK (December 2006)
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Document Explorer 2008
Microsoft Document Explorer 2008
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Platform SDK (R2) (3790.2075)
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ Compilers 2008 Standard Edition - enu - x86
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
Microsoft Visual Studio 2005 Professional Edition - ENU Service Pack 1 (KB926601)
Microsoft Windows SDK for Windows Server 2008 (6001.18000.367)
Microsoft XNA Framework Redistributable 3.1
Mozilla Firefox (3.6.28)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
Multimedia Keyboard Driver
Nero BurnRights
Nero OEM
NetBattle
NetBeans IDE 6.5.1
Nintendo Wi-Fi USB Connector Registration Tool
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
OpenAL
OpenOffice.org 2.0
OpenOffice.org 3.0
Pando Media Booster
Pcsx2 0.9.6
Pdf995
Perfect Uninstaller v6.3.3.3
Portal© GT-D for Windows
PowerDVD
ppFonter 2.2
Proxem.Antelope
Proxifier version 2.7
Python 2.4.4
QuickTime
Rapport
Rapport
Realtek AC'97 Audio
Realtek High Definition Audio Driver
Reimage Repair
Revo Uninstaller 1.93
RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
ROM CHECK FAIL 1.0
Rosetta Stone Ltd Services
Rosetta Stone TOTALe
Rosetta Stone TOTALe
Rosetta Stone TOTALe
Rosetta Stone V3 DEMO
ScummVM 0.13.1a
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB925674)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937060)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB2618444)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skype 5.5
Soft Data Fax Modem with SmartCP
Solid State ION Internet Explorer Plugin
Sonic Encoders
SPORE Creature Creator Trial Edition
Spybot - Search & Destroy 1.5.2.20
SSH Secure Shell
SUPER © v2011.build.49 (July 1st, 2011) version v2011.build.49
System Requirements Lab
TeamSpeak 2 RC2
TextPad 5
Trillian
Unicode Phonetic Keyboard 1.02 and SIL Fonts
Unity
Unity Web Player
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2641690)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC80CRTRedist - 8.0.50727.4053
VideoLAN VLC media player 0.8.5
Vulture's Eye
Vuze
Windows Frotz (remove only)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player Firefox Plugin
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2619340
Windows XP Media Center Edition 2005 KB2628259
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Wings 3D 0.98.35
WinPcap 4.0.1
WordNet 2.1
World Machine 2.2 Basic Edition
World of Warcraft
Xbox 360 Controller for Windows
Xfire (remove only)
XviD MPEG-4 Video Codec


----------



## Justletmepost (Mar 11, 2012)

Doublepost for systemlook log (still waiting for your answer on combofix):

=======================
*Systemlook log*
=======================
SystemLook 30.07.11 by jpshortstuff
Log created at 20:24 on 21/05/2012 by Finn
Administrator - Elevation successful

========== dir ==========

C:\Documents and Settings\All Users\Application Data - Parameters: "(none)"

---Files---
desktop.ini --ahs-- 62 bytes [16:06 01/01/2009] [21:58 05/01/2009]
hpzinstall.log --a---- 1738 bytes [16:06 01/01/2009] [08:10 03/07/2011]
QTSBandwidthCache --a---- 1365 bytes [16:06 01/01/2009] [23:52 18/03/2007]

---Folders---
Adobe d------ [12:37 30/08/2011]
AOL d------ [22:12 04/01/2009]
AVAST Software d------ [23:20 08/03/2012]
AVG2012 d------ [22:13 08/03/2012]
Azureus d------ [18:05 30/12/2009]
Blizzard d------ [04:01 01/01/2010]
Blizzard Entertainment d------ [00:08 02/01/2010]
BullGuard d------ [22:12 04/01/2009]
Common Files d------ [22:03 08/03/2012]
CyberLink d------ [10:41 26/02/2009]
DAEMON Tools Lite d------ [12:03 06/01/2009]
DivX d------ [13:33 01/08/2010]
FLEXnet d------ [16:40 31/07/2011]
Google d------ [23:52 05/01/2009]
HP d------ [08:36 26/02/2009]
LogiShrd d------ [15:37 11/12/2009]
Malwarebytes d------ [06:47 11/04/2012]
McAfee d------ [16:15 15/07/2010]
MFAData d------ [22:02 08/03/2012]
Microsoft d-a---- [21:27 04/01/2009]
Microsoft Help d------ [02:16 05/01/2009]
Motive d------ [22:12 04/01/2009]
NOS d------ [16:07 01/01/2009]
NVIDIA Corporation d------ [22:58 29/08/2009]
PACE Anti-Piracy d------ [21:19 11/10/2010]
pdf995 d------ [09:38 12/02/2009]
PMB Files d------ [02:46 20/05/2009]
PreEmptive Solutions d------ [18:55 06/01/2009]
Prism Deploy d------ [16:07 01/01/2009]
QuickTime d------ [16:07 01/01/2009]
Rosetta Stone d------ [12:38 30/08/2011]
Rosetta Stone DEMO d------ [13:45 31/07/2011]
RosettaStoneLtdServices d------ [12:37 30/08/2011]
Skype d------ [16:07 01/01/2009]
Skype Extras d------ [17:49 16/05/2011]
Spybot - Search & Destroy d------ [16:06 01/01/2009]
Sun d------ [01:05 02/08/2010]
Trusteer d------ [02:31 15/04/2011]
Windows Genuine Advantage d------ [16:06 01/01/2009]
yahoo! d------ [16:06 01/01/2009]
Yahoo! Companion d------ [16:06 01/01/2009]

========== filefind ==========

Searching for "*jau38uj*"
No files found.

Searching for "*F4D55F17000073230120E1C3D151FC4E*"
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.vir --a---- 328 bytes [20:37 07/03/2012] [22:24 08/03/2012] F3B426D1AAB722C30FD76398419996B8

========== folderfind ==========

Searching for "*jau38uj*"
C:\Qoobox\Quarantine\C\jau38uj.bin d------ [19:31 21/03/2012]
C:\Qoobox\Quarantine\C\jau38uj.bin\jau38uj.bin d------ [12:00 23/08/2001]

Searching for "*F4D55F17000073230120E1C3D151FC4E*"
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E d------ [22:42 17/04/2012]

========== reg ==========

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=""C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe""

========== regfind ==========

Searching for "F4D55F17000073230120E1C3D151FC4E"
[HKEY_CURRENT_USER\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"

Searching for "F4D55"
[HKEY_CURRENT_USER\Software\Classes\%s]
@="F4D55"
[HKEY_CURRENT_USER\Software\Classes\F4D55]
[HKEY_CURRENT_USER\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\153B2ABF4D55F155CACF811C82ADEE8B]
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\%s]
@="F4D55"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\F4D55]
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\%s]
@="F4D55"
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\F4D55]
[HKEY_USERS\S-1-5-21-1606980848-1214440339-725345543-1003_Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"

-= EOF =-


----------
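The `regfind` section of the SystemLook log above is the interesting part: a custom `F4D55` class whose `shell\open\command` points at an executable under `All Users\Application Data`, plus a literal `%s` key under `Software\Classes`. That is the shape of a file-association hijack, where a class's open command is redirected so the malware runs whenever a file of that type is opened. The script below is an added example, not code from this thread, from SystemLook, or from any of the tools mentioned; it parses SystemLook-style `regfind` output and flags the two patterns. The sample text reuses the key and value lines printed in the log above, with one constructed benign `txtfile` entry added for contrast; the list of "user-writable" path markers is my own heuristic and an assumption, not a SystemLook feature.

```python
"""Flag file-association hijacks in SystemLook ':regfind' output (added example)."""

# Constructed sample: the key/value lines from the SystemLook log above, plus one
# constructed benign entry (txtfile -> NOTEPAD.EXE) that must NOT be flagged.
SAMPLE_REGFIND = r'''
========== regfind ==========

Searching for "F4D55"
[HKEY_CURRENT_USER\Software\Classes\%s]
@="F4D55"
[HKEY_CURRENT_USER\Software\Classes\F4D55]
[HKEY_CURRENT_USER\Software\Classes\F4D55\shell\open\command]
@=""C:\Documents and Settings\All Users\Application Data\F4D55F17000073230120E1C3D151FC4E\F4D55F17000073230120E1C3D151FC4E.exe" -s "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\153B2ABF4D55F155CACF811C82ADEE8B]
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
'''

# Assumed heuristic: an open command that launches an executable from one of
# these user-writable locations deserves a second look (matched case-insensitively).
USER_WRITABLE_MARKERS = (
    "\\application data\\",
    "\\documents and settings\\",
    "\\programdata\\",
    "\\appdata\\",
    "\\users\\",
    "\\temp\\",
)


def parse_regfind(text):
    """Return (key, default_value) pairs from a SystemLook regfind section.

    Bracketed lines are registry keys; an '@=' line gives the default value of
    the key that precedes it (None when no default is shown).
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            entries.append([line[1:-1], None])
        elif line.startswith("@=") and entries:
            value = line[2:]
            # SystemLook wraps the value in one extra pair of quotes; strip it.
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            entries[-1][1] = value
    return [(key, value) for key, value in entries]


def command_path(command):
    """Extract the executable path from a shell open command string."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def find_hijacks(text):
    """Return a list of findings for association-hijack patterns in regfind output."""
    findings = []
    for key, default in parse_regfind(text):
        low_key = key.lower()
        if low_key.endswith("\\%s"):
            # A literal '%s' key name is an unexpanded placeholder; installers
            # that behave do not write it.
            findings.append({"key": key, "path": None,
                             "reason": "literal %s key name (unexpanded placeholder)"})
            continue
        if low_key.endswith("\\shell\\open\\command") and default:
            path = command_path(default)
            if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
                findings.append({"key": key, "path": path,
                                 "reason": "open command runs an executable from a user-writable data directory"})
    return findings


if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_REGFIND):
        print(f"[!] {hit['key']}\n    {hit['reason']}\n    {hit['path']}")
```

Run against the sample it reports the `%s` key and the `F4D55` open command, and stays quiet on the `txtfile` entry. Once the quarantined executable is gone, the remaining `F4D55` class keys are exactly what a cleanup script still has to remove, which is why the regfind output matters even after ComboFix has quarantined the file.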



## Justletmepost (Mar 11, 2012)

Triplepost for OTL quickscan log - no extras.txt was generated. (again, still waiting on your answer for combofix)

==========================
*OTL.txt*
==========================
OTL logfile created on: 21/05/2012 20:46:02 - Run 3
OTL by OldTimer - Version 3.2.43.1 Folder = C:\Documents and Settings\Finn\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: | Country: | Language: | Date Format:

1.98 Gb Total Physical Memory | 1.27 Gb Available Physical Memory | 63.87% Memory free
3.83 Gb Paging File | 3.36 Gb Available in Paging File | 87.62% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 8.54 Gb Free Space | 6.67% Space Free | Partition Type: NTFS

Computer Name: FINN-GE6QC5 | User Name: Finn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/21 20:45:06 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Finn\Desktop\OTL.exe
PRC - [2012/01/25 11:16:28 | 000,931,640 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2010/06/03 01:50:58 | 001,144,104 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/05/17 14:45:32 | 001,615,176 | ---- | M] (Rosetta Stone Ltd.) -- C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
PRC - [2008/12/20 08:50:34 | 002,656,528 | ---- | M] () -- C:\Program Files\Logitech\QuickCam\Quickcam.exe
PRC - [2008/12/20 08:46:58 | 000,558,864 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
PRC - [2008/12/16 22:59:50 | 000,150,040 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2008/09/30 18:46:18 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2008/09/30 18:46:12 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/12/08 07:45:41 | 000,543,232 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\btbb_wcm\McciTrayApp.exe
PRC - [2006/11/07 15:49:50 | 001,121,280 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SpamKiller\MSKDetct.exe
PRC - [2006/07/21 17:19:46 | 000,129,536 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\browser\ybrwicon.exe
PRC - [2006/05/24 12:15:50 | 000,050,760 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\1169214453\ee\aolsoftware.exe
PRC - [2006/03/03 14:18:10 | 000,200,704 | ---- | M] (Yahoo!, Inc.) -- C:\Program Files\Yahoo!\browser\ycommon.exe
PRC - [2006/02/06 19:52:10 | 000,462,935 | ---- | M] (Motive) -- C:\Program Files\BT Home Hub\Help\SmartBridge\BTHelpNotifier.exe
PRC - [2006/02/06 12:55:42 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2005/04/27 00:37:56 | 000,020,537 | ---- | M] (Apache Software Foundation) -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\Apache.exe
PRC - [2005/04/02 02:51:48 | 000,217,600 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
PRC - [2004/12/08 18:57:36 | 000,550,912 | ---- | M] () -- C:\WINDOWS\zHotkey.exe
PRC - [2004/11/15 16:04:32 | 000,135,168 | ---- | M] (Alcor Micro, Corp.) -- C:\Program Files\Digital Media Reader\shwiconEM.exe
PRC - [2004/08/04 06:31:59 | 000,208,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ime\imjp8_1\imjpmig.exe
PRC - [2004/07/16 22:26:44 | 000,126,976 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
PRC - [2004/05/07 09:20:52 | 000,024,681 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe

========== Modules (No Company Name) ==========

MOD - [2011/11/03 16:28:36 | 001,292,288 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2011/08/07 13:43:07 | 000,516,368 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportMS.dll
MOD - [2011/02/04 18:48:30 | 000,291,840 | ---- | M] () -- C:\WINDOWS\system32\sbe.dll
MOD - [2010/06/03 01:51:08 | 000,095,528 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2010/06/03 01:50:58 | 001,144,104 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2009/05/01 00:31:06 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll
MOD - [2009/02/12 10:38:25 | 000,051,716 | ---- | M] () -- C:\WINDOWS\system32\pdf995mon.dll
MOD - [2008/12/20 08:50:34 | 002,656,528 | ---- | M] () -- C:\Program Files\Logitech\QuickCam\Quickcam.exe
MOD - [2008/12/20 08:46:58 | 000,558,864 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
MOD - [2008/09/30 18:43:40 | 000,139,264 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\Basis\program\nsldap32v50.dll
MOD - [2008/07/29 15:59:22 | 000,165,376 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\Basis\program\libxslt.dll
MOD - [2008/07/29 15:55:14 | 000,969,728 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll
MOD - [2008/04/14 01:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/14 01:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2006/02/23 17:13:02 | 000,038,912 | ---- | M] () -- C:\Program Files\Yahoo!\browser\YCommonPS.dll
MOD - [2005/07/11 16:26:52 | 000,671,744 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_pdf.dll
MOD - [2005/07/11 16:26:52 | 000,040,960 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_sockets.dll
MOD - [2005/07/11 16:26:52 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\php4apache2.dll
MOD - [2005/07/11 16:26:50 | 001,531,904 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_mbstring.dll
MOD - [2005/07/11 16:26:50 | 000,794,624 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_gd2.dll
MOD - [2005/07/11 16:26:44 | 000,061,440 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\php4\extensions\php_bz2.dll
MOD - [2004/12/08 18:57:36 | 000,550,912 | ---- | M] () -- C:\WINDOWS\zHotkey.exe
MOD - [2004/09/29 09:16:30 | 000,118,867 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\modules\mod_perl.so
MOD - [2004/07/16 22:26:44 | 000,126,976 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
MOD - [2004/07/16 22:26:44 | 000,065,536 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\lib\wrapper.dll
MOD - [2004/05/07 09:20:54 | 000,057,455 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\net.dll
MOD - [2004/05/07 09:20:54 | 000,057,453 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\verify.dll
MOD - [2004/05/07 09:20:54 | 000,053,364 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\zip.dll
MOD - [2004/05/07 09:20:52 | 000,102,515 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.dll
MOD - [2004/05/07 09:20:52 | 000,028,791 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\hpi.dll
MOD - [2004/05/07 09:20:52 | 000,024,681 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
MOD - [2004/05/07 09:20:50 | 001,212,546 | ---- | M] () -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\client\jvm.dll
MOD - [2003/05/16 21:09:32 | 000,011,776 | ---- | M] () -- C:\WINDOWS\HIDMNT.dll
MOD - [2001/07/02 21:36:30 | 000,024,576 | ---- | M] () -- C:\WINDOWS\HKNTDLL.dll

========== Win32 Services (SafeList) ==========

SRV - [2012/01/25 11:16:28 | 000,931,640 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2011/08/30 13:39:52 | 001,045,256 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/05/17 14:45:32 | 001,615,176 | ---- | M] (Rosetta Stone Ltd.) [Auto | Running] -- C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe -- (RosettaStoneDaemon)
SRV - [2008/12/16 22:59:50 | 000,150,040 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2006/02/06 12:55:42 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2005/09/23 08:01:16 | 002,799,808 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon80)
SRV - [2005/04/27 00:37:56 | 000,020,537 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\Apache.exe -- (Apache)
SRV - [2005/04/02 02:51:48 | 000,217,600 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe -- (StarWindService)
SRV - [2004/07/16 22:26:44 | 000,126,976 | ---- | M] () [Auto | Running] -- C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe -- (mple7docserver)
SRV - [2003/05/19 17:07:38 | 000,086,016 | ---- | M] (Yahoo! Inc.) [On_Demand | Stopped] -- C:\WINDOWS\system32\YPcservice.exe -- (YPCService)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Finn101112\catchme.sys -- (catchme)
DRV - [2012/04/13 19:20:39 | 000,032,072 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamchameleon.sys -- (mbamchameleon)
DRV - [2012/01/25 11:16:44 | 000,164,112 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2012/01/25 11:16:44 | 000,071,440 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2012/01/25 11:16:44 | 000,056,208 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2011/12/15 17:55:49 | 000,228,208 | ---- | M] () [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys -- (RapportCerberus_34302)
DRV - [2011/08/07 13:43:07 | 000,021,520 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Stopped] -- c:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys -- (RapportIaso)
DRV - [2009/08/22 19:25:00 | 000,009,088 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys -- (RivaTuner32)
DRV - [2009/01/08 03:19:41 | 000,025,280 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2008/12/17 07:02:08 | 000,023,832 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2008/12/17 07:01:44 | 006,364,440 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 9000(UVC)
DRV - [2008/12/17 07:01:22 | 000,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/12/17 07:00:14 | 000,768,024 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2008/12/16 22:58:54 | 000,025,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2008/11/21 10:48:56 | 000,016,616 | ---- | M] (REALiX(tm)) [Kernel | Auto | Running] -- C:\Documents and Settings\Finn\Desktop\hw32_236\HWiNFO32.sys -- (HWiNFO32)
DRV - [2008/04/13 19:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 19:45:34 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irbus.sys -- (IrBus)
DRV - [2007/06/22 19:14:40 | 004,432,384 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/03/24 17:53:07 | 000,018,003 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Motive\MRENDIS5.sys -- (MRENDIS5)
DRV - [2005/12/14 21:46:58 | 000,160,256 | ---- | M] (Hauppauge Computer Works, Inc.) [23|25|26]xxx) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hcwPP2.sys -- (hcwPP2)
DRV - [2005/10/25 00:17:40 | 000,162,816 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt25usbap.sys -- (RT25USBAP)
DRV - [2005/09/26 16:07:00 | 003,644,800 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/03/17 17:51:16 | 001,033,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/03/17 17:50:36 | 000,221,440 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/03/17 17:50:32 | 000,705,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/11/15 18:41:54 | 000,036,804 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Sunkfilt.sys -- (SunkFilt)
DRV - [2004/04/14 05:14:12 | 000,070,144 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "http://www.hyrulianwar.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:0.0.3
FF - prefs.js..extensions.enabledItems: {60520222-6bbf-45dd-b547-3641ea9cd9cb}:0.4.1
FF - prefs.js..extensions.enabledItems: {ba14329e-9550-4989-b3f2-9732e92d17cc}:2.7.1.3
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.7
FF - prefs.js..extensions.enabledItems: [email protected]:0.2.5
FF - prefs.js..network.proxy.backup.ftp: "131.179.50.72"
FF - prefs.js..network.proxy.backup.ftp_port: 6588
FF - prefs.js..network.proxy.backup.gopher: "131.179.50.72"
FF - prefs.js..network.proxy.backup.gopher_port: 6588
FF - prefs.js..network.proxy.backup.socks: "131.179.50.72"
FF - prefs.js..network.proxy.backup.socks_port: 6588
FF - prefs.js..network.proxy.backup.ssl: "131.179.50.72"
FF - prefs.js..network.proxy.backup.ssl_port: 6588
FF - prefs.js..network.proxy.ftp: "131.179.50.72"
FF - prefs.js..network.proxy.ftp_port: 3128
FF - prefs.js..network.proxy.gopher: "131.179.50.72"
FF - prefs.js..network.proxy.gopher_port: 3128
FF - prefs.js..network.proxy.http: "131.179.50.72"
FF - prefs.js..network.proxy.http_port: 3128
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "131.179.50.72"
FF - prefs.js..network.proxy.socks_port: 3128
FF - prefs.js..network.proxy.ssl: "131.179.50.72"
FF - prefs.js..network.proxy.ssl_port: 3128
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: C:\Program Files\DNA\plugins\npbtdna.dll (BitTorrent, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.1: C:\Program Files\Yahoo!\Shared\npYState.dll ( )
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@unity3d.com/UnityPlayer: C:\Program Files\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.28\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/16 03:44:05 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.28\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/05/01 06:16:13 | 000,000,000 | ---D | M]

[2009/01/02 16:59:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Finn\Application Data\Mozilla\Extensions
[2012/04/29 04:38:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions
[2010/07/15 17:10:51 | 000,000,000 | ---D | M] (Tabloc) -- C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\{60520222-6bbf-45dd-b547-3641ea9cd9cb}
[2010/08/12 22:11:53 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/01/02 02:38:41 | 000,000,000 | ---D | M] ("Pennypacker") -- C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\{638b0aea-a87f-4b7e-bbd9-e5c272af3ff6}
[2010/07/02 22:47:50 | 000,000,000 | ---D | M] (Vuze Remote Toolbar) -- C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
[2009/01/02 02:38:41 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2011/05/15 20:29:39 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/05/15 20:29:36 | 000,000,000 | ---D | M] (Adblock Plus Pop-up Addon) -- C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\[email protected]
[2010/02/26 04:02:25 | 000,000,000 | ---D | M] (Google Wave Add-on for Firefox) -- C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\[email protected]
[2011/02/13 13:37:37 | 000,000,000 | ---D | M] (Illimitux) -- C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\[email protected]
[2010/07/02 22:47:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\r0v8pfpr.default\extensions
[2010/07/02 22:47:51 | 000,000,000 | ---D | M] (Vuze Remote Toolbar) -- C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\r0v8pfpr.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
[2008/12/05 23:12:14 | 000,002,921 | ---- | M] () -- C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\searchplugins\daemon-search.xml
[2012/05/21 20:01:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/06 00:06:16 | 000,000,000 | ---D | M] (Click to call with Skype) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2011/07/20 01:59:31 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2009/05/20 03:46:27 | 000,239,432 | ---- | M] (Pando Networks) -- C:\Program Files\mozilla firefox\plugins\npPandoWebInst.dll
[2012/05/01 06:15:54 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/05/01 06:15:54 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2012/05/01 06:15:54 | 000,000,769 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2012/05/01 06:15:54 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\Application\17.0.963.66\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\Application\17.0.963.66\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\Application\17.0.963.66\pdf.dll
CHR - plugin: Skype Toolbars (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8153_0\npSkypeChromePlugin.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
CHR - plugin: DivX\u00AE Web Player (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
CHR - plugin: Windows Genuine Advantage (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
CHR - plugin: Pando Web Installer (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: AOL Media Playback Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Unity Player (Enabled) = C:\Documents and Settings\Finn\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: DNA Plug-in (Enabled) = C:\Program Files\DNA\plugins\npbtdna.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.3_0\
CHR - Extension: Google Search = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.17_0\
CHR - Extension: Click to call with Skype = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8153_0\
CHR - Extension: Gmail = C:\Documents and Settings\Finn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/05/16 05:05:10 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (SidebarAutoLaunch Class) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe (Motive Communications, Inc.)
O4 - HKLM..\Run: [CHotkey] C:\WINDOWS\zHotkey.exe ()
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1169214453\ee\aolsoftware.exe (America Online, Inc.)
O4 - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\imekrmig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe (America Online, Inc.)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam\Quickcam.exe ()
O4 - HKLM..\Run: [Motive SmartBridge] C:\Program Files\BT Home Hub\Help\SmartBridge\BTHelpNotifier.exe (Motive)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\creator\remind_xp.exe (SoftThinks)
O4 - HKLM..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconEM.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe (Motive Communications, Inc.)
O4 - Startup: C:\Documents and Settings\Finn\Start Menu\Programs\StartUp\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra Button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1231200248818 (WUWebControl Class)
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} http://www.acclaim.com/cabs/acclaim_v6.cab (GameLauncher Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} http://cdn1.acclaimdownloads.com/solidstateion.cab (CSolidBrowserObj Object)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{181C96D6-4236-4D37-AC39-BC1F447B9DA2}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Finn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Finn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/01 01:41:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/20 19:58:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Finn\Desktop\GrantPerms
[2012/05/20 19:46:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Finn\Desktop\reset
[2012/05/20 19:10:51 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Resource Kits
[2012/05/16 09:53:27 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Finn\Desktop\aswMBR.exe
[2012/05/16 04:54:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/05/16 04:00:47 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/05/16 03:50:32 | 004,494,423 | R--- | C] (Swearware) -- C:\Documents and Settings\Finn\Desktop\Finn101112.exe
[2012/05/02 13:51:59 | 000,000,000 | ---D | C] -- C:\Program Files\Lame For Audacity
[2012/04/30 00:13:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Finn\Desktop\RK_Quarantine
[2012/04/23 21:49:29 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

========== Files - Modified Within 30 Days ==========

[2012/05/21 20:45:06 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Finn\Desktop\OTL.exe
[2012/05/21 20:38:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003UA.job
[2012/05/21 20:38:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003Core.job
[2012/05/21 20:27:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/05/21 19:27:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/05/21 19:19:14 | 000,249,324 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2012/05/21 19:18:51 | 000,012,654 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/21 19:02:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/20 23:44:13 | 001,454,080 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\RogueKiller.exe
[2012/05/20 20:09:53 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Finn\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/05/20 20:09:33 | 000,001,478 | ---- | M] () -- C:\Documents and Settings\Finn\Application Data\Microsoft\Internet Explorer\Quick Launch\Media Center.lnk
[2012/05/20 20:07:56 | 000,143,624 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/05/20 19:58:33 | 000,450,985 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\GrantPerms.zip
[2012/05/20 19:45:59 | 000,000,297 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\reset.zip
[2012/05/20 19:09:28 | 000,379,392 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\subinacl.msi
[2012/05/20 12:27:03 | 000,000,060 | ---- | M] () -- C:\WINDOWS\wpd99.drv
[2012/05/19 14:44:56 | 000,061,440 | ---- | M] ( ) -- C:\Documents and Settings\Finn\Desktop\VEW.exe
[2012/05/16 19:29:22 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\MBR.dat
[2012/05/16 09:53:41 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Finn\Desktop\aswMBR.exe
[2012/05/16 05:05:10 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/05/16 04:00:56 | 000,000,420 | RHS- | M] () -- C:\boot.ini
[2012/05/16 03:50:46 | 004,494,423 | R--- | M] (Swearware) -- C:\Documents and Settings\Finn\Desktop\Finn101112.exe
[2012/05/14 07:44:12 | 2129,838,080 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2012/05/12 19:17:08 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2012/05/12 19:17:03 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
[2012/05/11 07:40:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/05/01 10:18:22 | 000,001,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows Live Messenger.lnk
[2012/04/29 02:45:42 | 000,001,805 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Logitech QuickCam.lnk
[2012/04/29 02:25:37 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012/04/23 01:27:57 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Finn\Desktop\RKUnhookerLE.EXE

========== Files Created - No Company Name ==========

[2012/05/20 23:44:13 | 001,454,080 | ---- | C] () -- C:\Documents and Settings\Finn\Desktop\RogueKiller.exe
[2012/05/20 20:09:52 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\Finn\Start Menu\Programs\Internet Explorer.lnk
[2012/05/20 19:58:33 | 000,450,985 | ---- | C] () -- C:\Documents and Settings\Finn\Desktop\GrantPerms.zip
[2012/05/20 19:45:58 | 000,000,297 | ---- | C] () -- C:\Documents and Settings\Finn\Desktop\reset.zip
[2012/05/20 19:09:28 | 000,379,392 | ---- | C] () -- C:\Documents and Settings\Finn\Desktop\subinacl.msi
[2012/05/19 14:44:55 | 000,061,440 | ---- | C] ( ) -- C:\Documents and Settings\Finn\Desktop\VEW.exe
[2012/04/23 01:28:17 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\Finn\Desktop\RKUnhookerLE.EXE
[2012/04/17 22:47:34 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/04/17 22:47:34 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/04/17 22:47:34 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/04/17 22:47:34 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/04/17 22:47:34 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/04/13 19:20:39 | 000,032,072 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2012/01/13 01:50:00 | 000,088,992 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/12/04 23:02:18 | 000,001,117 | ---- | C] () -- C:\WINDOWS\unins001.dat
[2011/07/16 20:22:24 | 000,032,256 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2011/07/16 20:18:45 | 000,107,520 | RHS- | C] () -- C:\WINDOWS\System32\TAKDSDecoder.dll
[2011/02/09 00:11:51 | 000,000,286 | ---- | C] () -- C:\WINDOWS\reimage.ini
[2011/02/02 08:10:58 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Finn\Local Settings\Application Data\PUTTY.RND
[2010/08/01 15:18:37 | 000,000,038 | ---- | C] () -- C:\WINDOWS\camcodec100.ini
[2010/08/01 15:17:49 | 000,695,578 | ---- | C] () -- C:\WINDOWS\System32\unins000.exe
[2010/08/01 15:17:49 | 000,001,074 | ---- | C] () -- C:\WINDOWS\System32\unins000.dat
[2010/06/03 08:44:44 | 000,000,760 | ---- | C] () -- C:\Documents and Settings\Finn\Application Data\setup_ldm.iss

========== LOP Check ==========

[2012/03/09 17:43:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2012/03/09 00:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2009/12/30 19:05:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2012/02/13 12:18:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BullGuard
[2012/03/08 23:03:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2009/01/06 13:03:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2012/03/09 00:06:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/10/11 22:27:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy
[2012/05/20 12:27:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2009/05/20 15:03:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2009/01/06 19:55:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
[2011/08/30 14:40:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rosetta Stone
[2011/07/31 22:32:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rosetta Stone DEMO
[2011/08/30 13:37:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RosettaStoneLtdServices
[2011/04/15 03:31:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2010/12/13 12:30:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\.minecraft
[2009/01/02 02:43:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\acccore
[2009/01/02 02:43:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\aignes
[2009/01/02 02:43:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\Armagetron
[2012/03/08 23:15:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\AVG2012
[2010/12/02 06:30:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\Azureus
[2009/08/24 21:22:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\BullGuard
[2011/01/22 18:01:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\Bundysoft
[2010/10/12 23:42:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\cmc
[2009/03/31 20:27:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\CodeRush for VS .NET
[2009/01/06 13:03:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\DAEMON Tools
[2009/01/06 13:03:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\DAEMON Tools Lite
[2009/01/06 13:03:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\DAEMON Tools Pro
[2009/01/02 02:39:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\Dev-Cpp
[2012/03/09 17:43:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\DNA
[2012/03/01 17:01:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\FileZilla
[2012/03/07 21:24:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\gtk-2.0
[2009/01/02 02:39:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\Helios
[2012/01/21 15:25:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\JGoodies
[2009/12/11 17:05:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\Leadertech
[2009/01/02 02:38:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\Nexon
[2009/06/06 03:50:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\Night Squad 2
[2009/01/02 02:38:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\NwDocx
[2009/01/24 22:58:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\OpenOffice.org
[2010/10/11 22:27:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\PACE Anti-Piracy
[2009/02/12 10:40:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\pdf995
[2012/03/07 21:37:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\Qerayw
[2009/01/02 02:38:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\SampleView
[2009/09/07 17:12:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\ScummVM
[2011/08/22 17:31:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\SPORE Creature Creator
[2009/01/02 02:37:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\SSH
[2009/01/24 18:45:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\SystemRequirementsLab
[2009/09/13 02:40:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\Trillian
[2011/04/15 03:34:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\Trusteer
[2012/03/07 21:37:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\Tuyzynv
[2010/10/11 22:32:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\Unity
[2010/03/25 04:23:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\Vultures
[2009/01/02 02:36:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\Wings3D
[2011/01/21 16:02:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\World Machine 2.2 Basic
[2009/01/02 02:36:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Finn\Application Data\yoclient
[2011/02/09 00:11:52 | 000,000,224 | ---- | M] () -- C:\WINDOWS\Tasks\Reimage Reminder.job

========== Purity Check ==========

< End of report >


----------



## Justletmepost (Mar 11, 2012)

In the end I went with just running combofix normally.
It still claims I don't have the recovery console...but I didn't need to log into Temp_for_fix for it to finish the scan after reboot!
Unfortunately I had to leave the computer during the scan so I don't know if it reported ZeroAccess specifically or not...but it did say it had detected rootkit activity and needed to reboot.

===================================
*Combofix log*
===================================
ComboFix 12-05-21.05 - Finn 05/22/2012 3:18.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1630 [GMT 1:00]
Running from: c:\documents and settings\Finn\Desktop\Finn101112.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\MEMORY.DMP
c:\windows\system32\avisynth.dll
c:\windows\system32\devil.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-04-22 to 2012-05-22 )))))))))))))))))))))))))))))))
.
.
2012-05-20 18:10 . 2012-05-20 18:10 -------- d-----w- c:\program files\Windows Resource Kits
2012-05-20 11:26 . 2012-05-20 11:26 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\pdf995
2012-05-04 08:07 . 2012-05-04 08:07 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\OpenOffice.org
2012-05-02 12:51 . 2012-05-02 12:51 -------- d-----w- c:\program files\Lame For Audacity
2012-05-02 11:22 . 2012-05-02 11:22 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\DivX
2012-05-01 09:18 . 2012-05-01 09:18 -------- d-----w- c:\documents and settings\Temp_for_fix\Contacts
2012-04-28 23:39 . 2012-04-29 01:33 -------- d-----w- c:\documents and settings\Temp_for_fix\Local Settings\Application Data\WMTools Downloaded Files
2012-04-28 23:18 . 2012-04-28 23:19 -------- d-----w- c:\documents and settings\Temp_for_fix\Local Settings\Application Data\ApplicationHistory
2012-04-28 07:02 . 2012-04-28 07:02 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\vlc
2012-04-23 20:49 . 2012-04-23 20:49 -------- d-----w- c:\program files\ESET
2012-04-23 20:48 . 2012-04-23 20:48 -------- d-----r- c:\documents and settings\Temp_for_fix\Application Data\yahoo!
2012-04-23 20:46 . 2012-04-23 20:47 -------- d-----w- c:\documents and settings\Temp_for_fix\Local Settings\Application Data\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 18:20 . 2012-04-13 18:20 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-04-11 06:08 . 2012-04-11 06:19 883616 ----a-w- C:\FixExec.com
2012-04-04 14:56 . 2012-04-11 07:24 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-19 00:32 . 2012-03-18 23:40 2617176 ----a-w- C:\revosetup.exe
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-06 23:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((( [email protected]_19.36.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-22 02:52 . 2012-05-22 02:52 53248 c:\windows\temp\catchme.dll
+ 2001-08-23 12:00 . 2012-03-26 10:24 60180 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2012-01-13 00:50 60180 c:\windows\system32\perfc009.dat
- 2009-01-01 00:42 . 2012-02-24 18:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-01 00:42 . 2012-03-28 20:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-04-13 18:22 . 2012-04-13 18:22 22016 c:\windows\Installer\5866577.msi
- 2009-12-11 15:38 . 2009-12-11 15:38 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamStartMenuS_65895B9BA1A04BCBAB7BF5673B44A0E4.exe
+ 2009-12-11 15:38 . 2012-04-29 01:45 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamStartMenuS_65895B9BA1A04BCBAB7BF5673B44A0E4.exe
+ 2009-12-11 15:38 . 2012-04-29 01:45 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamDesktopSho_C0678C37AA5341A4BE4781BAF94DE0CC.exe
- 2009-12-11 15:38 . 2009-12-11 15:38 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamDesktopSho_C0678C37AA5341A4BE4781BAF94DE0CC.exe
- 2009-12-11 15:38 . 2009-12-11 15:38 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\ARPPRODUCTICON.exe
+ 2009-12-11 15:38 . 2012-04-29 01:45 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\ARPPRODUCTICON.exe
+ 2012-05-01 09:18 . 2012-05-01 09:18 29926 c:\windows\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
- 2009-02-04 22:07 . 2009-02-04 22:07 29926 c:\windows\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2012-04-17 21:39 . 2012-04-17 21:39 61440 c:\windows\ERDNT\17-04-2012\Users\00000001\ntuser.dat
+ 2009-01-05 02:04 . 2012-03-28 01:52 5536 c:\windows\system32\d3d9caps.dat
- 2009-01-05 02:04 . 2012-03-18 21:21 5536 c:\windows\system32\d3d9caps.dat
+ 2001-08-23 12:00 . 2012-03-26 10:24 377306 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2012-01-13 00:50 377306 c:\windows\system32\perfh009.dat
+ 2008-12-31 23:35 . 2012-05-20 19:07 143624 c:\windows\system32\FNTCACHE.DAT
- 2008-12-31 23:35 . 2012-02-03 16:48 143624 c:\windows\system32\FNTCACHE.DAT
+ 2012-05-20 18:10 . 2012-05-20 18:10 279040 c:\windows\Installer\aa9216.msi
- 2011-09-05 23:06 . 2011-09-05 23:06 371272 c:\windows\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
+ 2012-04-13 14:26 . 2012-04-13 14:26 371272 c:\windows\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
+ 2012-04-17 21:39 . 2012-04-17 21:39 262144 c:\windows\ERDNT\17-04-2012\Users\00000002\UsrClass.dat
+ 2012-04-17 21:39 . 2005-10-20 11:02 163328 c:\windows\ERDNT\17-04-2012\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-06 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-08 543232]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"HostManager"="c:\program files\Common Files\AOL\1169214453\ee\AOLSoftware.exe" [2006-05-24 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-06 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-06 138008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-11 421888]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CHotkey"="zHotkey.exe" [2004-12-08 550912]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Finn\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\Temp_for_fix\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2009-1-5 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Finn^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\Finn\\Desktop\\eclipse-java-ganymede-SR1-win32\\eclipse\\eclipse.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\RosettaStoneVersion3.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone TOTALe\\RosettaStoneTOTALe.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"57224:TCP"= 57224:TCPando Media Booster
"57224:UDP"= 57224:UDPando Media Booster
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"<NO NAME>"= 
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [1/25/2012 11:16 AM 56208]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [12/15/2011 5:55 PM 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [1/25/2012 11:16 AM 71440]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [1/25/2012 11:16 AM 164112]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\documents and settings\Finn\Desktop\hw32_236\HWiNFO32.sys [11/21/2008 10:48 AM 16616]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [1/25/2012 11:16 AM 931640]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [5/17/2010 2:45 PM 1615176]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 7:26 AM 135664]
S2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [1/2/2009 9:39 PM 126976]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 7:26 AM 135664]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [4/13/2012 7:20 PM 32072]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [8/7/2011 1:43 PM 21520]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs REG_MULTI_SZ eapsvcs
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-01-02 12:42]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003Core.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2012-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003UA.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2011-02-08 c:\windows\Tasks\Reimage Reminder.job
- c:\program files\Reimage\Reimage Repair\ReimageReminder.exe [2011-02-03 13:09]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
mSearch Bar = 
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Temp_for_fix\Application Data\Mozilla\Firefox\Profiles\54adpbq5.default\
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-22 03:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-05-22 03:55:58
ComboFix-quarantined-files.txt 2012-05-22 02:55
ComboFix2.txt 2012-05-16 04:12
ComboFix3.txt 2012-03-28 03:07
ComboFix4.txt 2012-03-26 23:42
ComboFix5.txt 2012-05-21 22:11
.
Pre-Run: 9,104,773,120 bytes free
Post-Run: 9,161,424,896 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - 3178A80DD9888CE5E70FF8559A9D0194


----------



## eddie5659 (Mar 19, 2001)

Sorry for not coming back sooner about the ComboFix, as I'm on call this week, and an alarm went off, so had to go out 

However, you were correct in how you ran it :up:

Okay, firstly you mentioned having zHotkey in your taskbar. This is actually related to Chicony Electronics Co. Enables special keys on Chicony keyboards. Special combinations include Internet, E-mail, vol , vol-, mute, etc. Only required for extended features. I'm assuming you have one of these keyboards.

-----

Now, as we're finally able to run in your main account, I think we can now see where the rootkit activity may be, so let's sort that out first:

Run OTL 

Under the *Custom Scans/Fixes* box at the bottom, paste in the following 

```
:OTL
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Finn101112\catchme.sys -- (catchme)
FF - prefs.js..extensions.enabledItems: {ba14329e-9550-4989-b3f2-9732e92d17cc}:2.7.1.3
FF - prefs.js..network.proxy.backup.ftp: "131.179.50.72"
FF - prefs.js..network.proxy.backup.ftp_port: 6588
FF - prefs.js..network.proxy.backup.gopher: "131.179.50.72"
FF - prefs.js..network.proxy.backup.gopher_port: 6588
FF - prefs.js..network.proxy.backup.socks: "131.179.50.72"
FF - prefs.js..network.proxy.backup.socks_port: 6588
FF - prefs.js..network.proxy.backup.ssl: "131.179.50.72"
FF - prefs.js..network.proxy.backup.ssl_port: 6588
FF - prefs.js..network.proxy.ftp: "131.179.50.72"
FF - prefs.js..network.proxy.ftp_port: 3128
FF - prefs.js..network.proxy.gopher: "131.179.50.72"
FF - prefs.js..network.proxy.gopher_port: 3128
FF - prefs.js..network.proxy.http: "131.179.50.72"
FF - prefs.js..network.proxy.http_port: 3128
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "131.179.50.72"
FF - prefs.js..network.proxy.socks_port: 3128
FF - prefs.js..network.proxy.ssl: "131.179.50.72"
FF - prefs.js..network.proxy.ssl_port: 3128
FF - user.js - File not found
[2010/07/02 22:47:50 | 000,000,000 | ---D | M] (Vuze Remote Toolbar) -- C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
[2010/07/02 22:47:51 | 000,000,000 | ---D | M] (Vuze Remote Toolbar) -- C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\r0v8pfpr.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
:Files
ipconfig /flushdns /c
:Commands 
[purity] 
[resethosts] 
[emptytemp] 
[emptyjava]
[EMPTYFLASH] 
[CREATERESTOREPOINT] 
[Reboot]
```

Then click the *Run Fix* button at the top 
Click OK.
OTL may ask to reboot the machine. Please do so if asked.

The report should appear in Notepad after the reboot. Copy/Paste the report in your next reply.

-------------------

Then, after doing that, can you delete any copies of CFScript, and download the new one as attached, doing the old 'drag and drop' as you did before, and post the log. Also, is it possible for you to watch it, as I'm curious about the rootkit/ZeroAccess appearing again.

As for the Recovery Console, Combofix isn't flagging it up in the log as missing, as it would normally do, so I'll ask the developer about that message. Is it saying that at the very beginning?

Lastly, I can see no signs of Java in your Uninstall list. I know we originally had problems with the Java, which is why I asked for the list.

Can you go here after doing the above, and tell me if it detects any:

http://www.java.com/en/download/testjava.jsp

eddie
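The proxy lines in the OTL fix above are the part of that script worth understanding: every `network.proxy.*` preference in the Firefox profile's prefs.js (including the `backup.*` copies Firefox keeps when `share_proxy_settings` is on) has been pointed at a single outside host, which silently routes the browser's traffic through it. The following is an added example, not code from the thread, from OTL or from ComboFix: a small Python audit that parses a prefs.js, lists every proxy endpoint that is set, and flags any that resolve to a public IP address. The prefs.js content is constructed here to mirror the values the fix removes; the `network.proxy.type` meanings (0 direct, 1 manual, 2 PAC, 4 auto-detect, 5 system) are Firefox's documented values.

```python
"""Audit a Firefox prefs.js for manual proxy settings pointed at an outside host.

Added example for this thread; it is not part of OTL or ComboFix.
"""
import ipaddress
import re

# One prefs.js line looks like:  user_pref("name", value);
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);$')

# Firefox values for network.proxy.type.
PROXY_TYPE_NAMES = {0: "direct", 1: "manual", 2: "pac", 4: "auto-detect", 5: "system"}

# Leaf names of the network.proxy.* prefs that hold a proxy host.
PROXY_HOST_PREFS = ("http", "ssl", "ftp", "socks", "gopher")

# Constructed sample prefs.js (not a file from the thread); the proxy values
# mirror the entries the OTL fix resets.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "131.179.50.72");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.ssl", "131.179.50.72");
user_pref("network.proxy.ssl_port", 3128);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.backup.ftp", "131.179.50.72");
user_pref("network.proxy.backup.ftp_port", 6588);
"""


def parse_value(raw):
    """Convert a prefs.js literal (quoted string, true/false or integer) to Python."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw == "true":
        return True
    if raw == "false":
        return False
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unexpected as the raw text


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in a prefs.js."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line.strip())
        if match:
            prefs[match.group(1)] = parse_value(match.group(2))
    return prefs


def proxy_endpoints(prefs):
    """List (pref, host, port) for each network.proxy.* host that is set,
    covering both the live prefs and the network.proxy.backup.* copies."""
    endpoints = []
    for key, value in prefs.items():
        if not key.startswith("network.proxy."):
            continue
        leaf = key.rsplit(".", 1)[-1]          # "http", "backup.ftp" -> "ftp", ...
        if leaf in PROXY_HOST_PREFS and isinstance(value, str) and value:
            port = prefs.get(key + "_port")
            endpoints.append((key, value, port if isinstance(port, int) else None))
    return endpoints


def is_public_ip(host):
    """True when host is an IP literal outside private/loopback/link-local ranges."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname rather than an IP literal; not classified here


def audit(text):
    """Summarise the proxy configuration found in a prefs.js text."""
    prefs = parse_prefs(text)
    ptype = prefs.get("network.proxy.type")
    endpoints = proxy_endpoints(prefs)
    return {
        "proxy_type": PROXY_TYPE_NAMES.get(ptype, "default (unset)"),
        "endpoints": endpoints,
        "public_proxy_hosts": sorted({h for _, h, _ in endpoints if is_public_ip(h)}),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PREFS_JS)
    print("proxy type:", report["proxy_type"])
    for pref, host, port in report["endpoints"]:
        print(f"  {pref} -> {host}:{port}")
    print("public proxy hosts:", report["public_proxy_hosts"])
```

To use it on a real profile, read the file named by the `FF - ProfilePath` line in the ComboFix report (`prefs.js` inside that directory) and pass its text to `audit()`. A home machine normally has `network.proxy.type` at 0 or 5 and no hosts set, so a `manual` type with a public host is the condition the OTL fix corrects; a proxy at a private address can still be legitimate on a network that actually runs one, which is why the report separates the full endpoint list from the public-host flag.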


----------



## Justletmepost (Mar 11, 2012)

Here's the OTL log, combofix in next post.
Oddly, after rebooting when OTL asked, 50% of my cpu is being taken up by imjpmig.exe, which is apparently related to the Microsoft Input Method Editor...strange.
EDIT: ...yep, after rebooting a second time imjpmig.exe is still being run on startup and hogging 50% of the cpu. At least killing the process doesn't seem to have any ill effects.

=======================
*OTL log*
=======================
All processes killed
========== OTL ==========
Service PCIDump stopped successfully!
Service PCIDump deleted successfully!
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\Finn101112\catchme.sys not found.
Prefs.js: {ba14329e-9550-4989-b3f2-9732e92d17cc}:2.7.1.3 removed from extensions.enabledItems
Prefs.js: "131.179.50.72" removed from network.proxy.backup.ftp
Prefs.js: 6588 removed from network.proxy.backup.ftp_port
Prefs.js: "131.179.50.72" removed from network.proxy.backup.gopher
Prefs.js: 6588 removed from network.proxy.backup.gopher_port
Prefs.js: "131.179.50.72" removed from network.proxy.backup.socks
Prefs.js: 6588 removed from network.proxy.backup.socks_port
Prefs.js: "131.179.50.72" removed from network.proxy.backup.ssl
Prefs.js: 6588 removed from network.proxy.backup.ssl_port
Prefs.js: "131.179.50.72" removed from network.proxy.ftp
Prefs.js: 3128 removed from network.proxy.ftp_port
Prefs.js: "131.179.50.72" removed from network.proxy.gopher
Prefs.js: 3128 removed from network.proxy.gopher_port
Prefs.js: "131.179.50.72" removed from network.proxy.http
Prefs.js: 3128 removed from network.proxy.http_port
Prefs.js: true removed from network.proxy.share_proxy_settings
Prefs.js: "131.179.50.72" removed from network.proxy.socks
Prefs.js: 3128 removed from network.proxy.socks_port
Prefs.js: "131.179.50.72" removed from network.proxy.ssl
Prefs.js: 3128 removed from network.proxy.ssl_port
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\searchplugin folder moved successfully.
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\META-INF folder moved successfully.
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\lib folder moved successfully.
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\defaults folder moved successfully.
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components folder moved successfully.
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\chrome folder moved successfully.
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\47edvphp.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc} folder moved successfully.
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\r0v8pfpr.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\searchplugin folder moved successfully.
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\r0v8pfpr.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\META-INF folder moved successfully.
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\r0v8pfpr.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\lib folder moved successfully.
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\r0v8pfpr.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\defaults folder moved successfully.
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\r0v8pfpr.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components folder moved successfully.
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\r0v8pfpr.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\chrome folder moved successfully.
C:\Documents and Settings\Finn\Application Data\Mozilla\Firefox\Profiles\r0v8pfpr.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc} folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Starting removal of ActiveX control Microsoft XML Parser for Java Reg Error: Value error.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java Reg Error: Value error.\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java Reg Error: Value error.\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Finn\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Finn\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 56873 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56468 bytes

User: f6062011

User: Finn
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 53731620 bytes
->Java cache emptied: 50037296 bytes
->FireFox cache emptied: 80636768 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 7876777 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: MyDocumentsFromOtherComputer

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 1546 bytes

User: publicversionofMyDocuments_see_other_HD

User: Temp_for_fix
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->FireFox cache emptied: 79087133 bytes
->Flash cache emptied: 57451 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66016 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 259.00 mb

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: f6062011

User: Finn
->Java cache emptied: 0 bytes

User: LocalService

User: MyDocumentsFromOtherComputer

User: NetworkService

User: publicversionofMyDocuments_see_other_HD

User: Temp_for_fix

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: f6062011

User: Finn
->Flash cache emptied: 0 bytes

User: LocalService

User: MyDocumentsFromOtherComputer

User: NetworkService
->Flash cache emptied: 0 bytes

User: publicversionofMyDocuments_see_other_HD

User: Temp_for_fix
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.43.1 log created on 05242012_091407

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


----------
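
The OTL log above shows Firefox proxy preferences (network.proxy.http, .ssl, .socks and their backups) all pointing at an external address on ports 3128 and 6588, which is what a browser proxy hijack looks like in prefs.js. The following is an added example, not part of the original thread or of OTL: a small checker that parses prefs.js text and flags manual proxies that point outside private/loopback address space. The prefs.js content is constructed for the example, reusing the host and ports the log reported; the assumption that network.proxy.type 1 means "manual proxy configuration" is Firefox's documented meaning of that value.

```python
import re
from ipaddress import ip_address

# Constructed sample of prefs.js lines, modelled on the values OTL reported
# removing from the Firefox profile in the thread (host 131.179.50.72,
# ports 3128 and 6588). Not a real captured file.
SAMPLE_PREFS = r'''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "131.179.50.72");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.ssl", "131.179.50.72");
user_pref("network.proxy.ssl_port", 3128);
user_pref("network.proxy.socks", "131.179.50.72");
user_pref("network.proxy.socks_port", 6588);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("browser.startup.homepage", "about:blank");
'''

# user_pref("name", value);  -- value is a quoted string, true/false or an int
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')

# Every scheme Firefox stores a separate proxy host/port pair for
PROXY_SCHEMES = ("http", "ssl", "ftp", "socks", "gopher")


def parse_prefs(text):
    """Return {pref_name: value} from prefs.js text (strings unquoted, ints cast)."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def is_local_host(host):
    """True for loopback/private addresses and 'localhost'; hostnames count as non-local."""
    if host.lower() in ("", "localhost"):
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback


def proxy_active(prefs):
    """Firefox value 1 = manual proxy configuration, i.e. the hosts below are in use."""
    return prefs.get("network.proxy.type") == 1


def find_proxy_hijack(prefs):
    """Return (scheme, host, port) for every proxy that points off the local network."""
    findings = []
    for scheme in PROXY_SCHEMES:
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port")
        if host and not is_local_host(host):
            findings.append((scheme, host, port))
    return findings


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    for scheme, host, port in find_proxy_hijack(prefs):
        state = "ACTIVE" if proxy_active(prefs) else "configured but not selected"
        print(f"{scheme:5s} -> {host}:{port}  ({state})")
```

Run it against a real profile with `parse_prefs(open(path_to_prefs_js).read())`; a proxy host that is neither loopback nor on a private range, combined with network.proxy.type 1, is worth treating as hostile until the user can explain it, since every HTTP and HTTPS request of that profile is being routed through it.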



## Justletmepost (Mar 11, 2012)

Yes, combofix asks about the recovery console at the very beginning.
The first time I ran this scan, I had to leave the computer, and when I got back, for some reason it had hung and frozen the computer for over an hour; I had to do a hard reboot.
But the second time, no problems. And yep, it still reports Rootkit.ZeroAccess.
EDIT: And finally, no, that webpage doesn't pick up any Java. "No working Java was detected on your system," it says.

==================================
*Combofix log*
==================================
ComboFix 12-05-24.02 - Finn 05/24/2012 16:30:36.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1633 [GMT 1:00]
Running from: c:\documents and settings\Finn\Desktop\Finn101112.exe
Command switches used :: c:\documents and settings\Finn\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-04-24 to 2012-05-24 )))))))))))))))))))))))))))))))
.
.
2012-05-20 18:10 . 2012-05-20 18:10 -------- d-----w- c:\program files\Windows Resource Kits
2012-05-20 11:26 . 2012-05-20 11:26 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\pdf995
2012-05-04 08:07 . 2012-05-04 08:07 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\OpenOffice.org
2012-05-02 12:51 . 2012-05-02 12:51 -------- d-----w- c:\program files\Lame For Audacity
2012-05-02 11:22 . 2012-05-02 11:22 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\DivX
2012-05-01 09:18 . 2012-05-01 09:18 -------- d-----w- c:\documents and settings\Temp_for_fix\Contacts
2012-04-28 23:39 . 2012-04-29 01:33  -------- d-----w- c:\documents and settings\Temp_for_fix\Local Settings\Application Data\WMTools Downloaded Files
2012-04-28 23:18 . 2012-04-28 23:19 -------- d-----w- c:\documents and settings\Temp_for_fix\Local Settings\Application Data\ApplicationHistory
2012-04-28 07:02 . 2012-04-28 07:02 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\vlc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 18:20 . 2012-04-13 18:20 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-04-11 06:08 . 2012-04-11 06:19 883616 ----a-w- C:\FixExec.com
2012-04-04 14:56 . 2012-04-11 07:24 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-19 00:32 . 2012-03-18 23:40 2617176 ----a-w- C:\revosetup.exe
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-06 23:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((( [email protected]_19.36.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-24 15:49 . 2012-05-24 15:49 53248 c:\windows\temp\catchme.dll
+ 2001-08-23 12:00 . 2012-03-26 10:24 60180 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2012-01-13 00:50 60180 c:\windows\system32\perfc009.dat
- 2009-01-01 00:42 . 2012-02-24 18:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-01 00:42 . 2012-03-28 20:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-04-13 18:22 . 2012-04-13 18:22 22016 c:\windows\Installer\5866577.msi
- 2009-12-11 15:38 . 2009-12-11 15:38 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamStartMenuS_65895B9BA1A04BCBAB7BF5673B44A0E4.exe
+ 2009-12-11 15:38 . 2012-04-29 01:45 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamStartMenuS_65895B9BA1A04BCBAB7BF5673B44A0E4.exe
+ 2009-12-11 15:38 . 2012-04-29 01:45 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamDesktopSho_C0678C37AA5341A4BE4781BAF94DE0CC.exe
- 2009-12-11 15:38 . 2009-12-11 15:38 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamDesktopSho_C0678C37AA5341A4BE4781BAF94DE0CC.exe
- 2009-12-11 15:38 . 2009-12-11 15:38 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\ARPPRODUCTICON.exe
+ 2009-12-11 15:38 . 2012-04-29 01:45 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\ARPPRODUCTICON.exe
+ 2012-05-01 09:18 . 2012-05-01 09:18  29926 c:\windows\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
- 2009-02-04 22:07 . 2009-02-04 22:07 29926 c:\windows\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2012-04-17 21:39 . 2012-04-17 21:39 61440 c:\windows\ERDNT\17-04-2012\Users\00000001\ntuser.dat
+ 2009-01-05 02:04 . 2012-03-28 01:52 5536 c:\windows\system32\d3d9caps.dat
- 2009-01-05 02:04 . 2012-03-18 21:21 5536 c:\windows\system32\d3d9caps.dat
+ 2001-08-23 12:00 . 2012-03-26 10:24 377306 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2012-01-13 00:50 377306 c:\windows\system32\perfh009.dat
+ 2008-12-31 23:35 . 2012-05-20 19:07 143624 c:\windows\system32\FNTCACHE.DAT
- 2008-12-31 23:35 . 2012-02-03 16:48 143624 c:\windows\system32\FNTCACHE.DAT
+ 2012-05-20 18:10 . 2012-05-20 18:10 279040 c:\windows\Installer\aa9216.msi
- 2011-09-05 23:06 . 2011-09-05 23:06 371272 c:\windows\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
+ 2012-04-13 14:26 . 2012-04-13 14:26 371272 c:\windows\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
+ 2012-04-17 21:39 . 2012-04-17 21:39 262144 c:\windows\ERDNT\17-04-2012\Users\00000002\UsrClass.dat
+ 2012-04-17 21:39 . 2005-10-20 11:02 163328 c:\windows\ERDNT\17-04-2012\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-06 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-08 543232]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"HostManager"="c:\program files\Common Files\AOL\1169214453\ee\AOLSoftware.exe" [2006-05-24 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-06 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-06 138008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-11 421888]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CHotkey"="zHotkey.exe" [2004-12-08 550912]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Finn\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\Temp_for_fix\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2009-1-5 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Finn^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\Finn\\Desktop\\eclipse-java-ganymede-SR1-win32\\eclipse\\eclipse.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\RosettaStoneVersion3.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone TOTALe\\RosettaStoneTOTALe.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"57224:TCP"= 57224:TCP:Pando Media Booster
"57224:UDP"= 57224:UDP:Pando Media Booster
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"<NO NAME>"= 
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [1/25/2012 11:16 AM 56208]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [12/15/2011 5:55 PM 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [1/25/2012 11:16 AM 71440]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [1/25/2012 11:16 AM 164112]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\documents and settings\Finn\Desktop\hw32_236\HWiNFO32.sys [11/21/2008 10:48 AM 16616]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [1/25/2012 11:16 AM 931640]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [5/17/2010 2:45 PM 1615176]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 7:26 AM 135664]
S2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [1/2/2009 9:39 PM 126976]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 7:26 AM 135664]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [4/13/2012 7:20 PM 32072]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [8/7/2011 1:43 PM 21520]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs REG_MULTI_SZ eapsvcs
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-01-02 12:42]
.
2012-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-05-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003Core.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2012-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003UA.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2011-02-08 c:\windows\Tasks\Reimage Reminder.job
- c:\program files\Reimage\Reimage Repair\ReimageReminder.exe [2011-02-03 13:09]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
mSearch Bar = 
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Temp_for_fix\Application Data\Mozilla\Firefox\Profiles\54adpbq5.default\
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-24 16:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-05-24 16:52:02
ComboFix-quarantined-files.txt 2012-05-24 15:52
ComboFix2.txt 2012-05-22 02:55
ComboFix3.txt 2012-05-16 04:12
ComboFix4.txt 2012-03-28 03:07
ComboFix5.txt 2012-05-24 09:03
.
Pre-Run: 9,278,246,912 bytes free
Post-Run: 9,264,029,696 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - 0BCE982A1D66A40A2606ECFCF8AB7921


----------
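
Two entries in the ComboFix log above deserve a closer look than the rootkit result: the `security center\svc` key has every DisableNotify and Override value set to 1, which is how malware stops Windows XP from warning that antivirus, the firewall or automatic updates are off, and the firewall's GloballyOpenPorts list has 3389/TCP (Remote Desktop) open to the world. The following is an added example, not part of the original thread or of ComboFix: it parses a REGEDIT4-style dump of the kind ComboFix prints and reports both conditions. The registry text is a constructed sample that mirrors the log's values; the Security Center value names are the real ones Windows XP uses, while the list of "risky" ports is this example's own choice.

```python
import re

# Constructed sample in the REGEDIT4 layout ComboFix uses for its
# "Reg Loading Points" section, with the values the log above showed.
SAMPLE_REG = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"<NO NAME>"=
'''

SC_KEY = r"hkey_local_machine\software\microsoft\security center\svc"

# What each Security Center value does when set to 1
SC_TAMPER = {
    "AntiVirusDisableNotify": "suppresses the 'no antivirus' warning",
    "AntiVirusOverride": "tells Security Center an antivirus is present",
    "FirewallDisableNotify": "suppresses the 'firewall off' warning",
    "FirewallOverride": "tells Security Center a firewall is present",
    "UpdatesDisableNotify": "suppresses the 'automatic updates off' warning",
}

# Ports this example treats as not belonging in a home firewall's open list
RISKY_PORTS = {23: "telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}


def parse_regedit4(text):
    """Return {key (lowercased): {value_name: raw_value}} from REGEDIT4-style text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = value.strip()
    return keys


def dword(raw):
    """Decode 'dword:00000001' to 1; None for anything else."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw or "")
    return int(m.group(1), 16) if m else None


def security_center_tampering(keys):
    """Names of Security Center values that are set to 1 (sorted)."""
    values = keys.get(SC_KEY, {})
    return sorted(name for name in SC_TAMPER if dword(values.get(name)) == 1)


def exposed_risky_ports(keys):
    """(port, proto, service) for enabled GloballyOpenPorts entries on risky ports."""
    found = []
    for key, values in keys.items():
        if not key.endswith(r"\globallyopenports\list"):
            continue
        for name, raw in values.items():
            m = re.fullmatch(r"(\d+):(tcp|udp)", name, re.I)
            if not m:
                continue
            port = int(m.group(1))
            # ComboFix prints ':Disabled:' for rules that exist but are switched off
            if port in RISKY_PORTS and ":disabled:" not in raw.lower():
                found.append((port, m.group(2).upper(), RISKY_PORTS[port]))
    return found


if __name__ == "__main__":
    keys = parse_regedit4(SAMPLE_REG)
    for name in security_center_tampering(keys):
        print(f"Security Center: {name}=1 ({SC_TAMPER[name]})")
    for port, proto, service in exposed_risky_ports(keys):
        print(f"Firewall: {port}/{proto} ({service}) open in the standard profile")
```

With five Security Center values set at once the machine would never have shown the user that its antivirus was missing, which fits the earlier finding that no antivirus alerts were seen; resetting them to 0 (or deleting the values) restores the warnings. The open 3389/TCP rule is worth removing or scoping to the local subnet regardless of the infection.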



## eddie5659 (Mar 19, 2001)

Okay, let's see if it's hiding, as it must be on there somewhere:

Please download *MBRCheck.exe* to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

> Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type *N* and press *Enter*. A report will be produced on the desktop. Post that report in your next reply.

eddie


----------



## Justletmepost (Mar 11, 2012)

No infection found.

=====================
*MBRcheck log*
=====================
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line: 
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 128):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB80A8000 ohci1394.sys
0xB85AA000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xB80B8000 \WINDOWS\System32\DRIVERS\1394BUS.SYS
0xB7F79000 ACPI.sys
0xB7F68000 pci.sys
0xB80C8000 isapnp.sys
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xB80D8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB85AC000 dmload.sys
0xB7F23000 dmio.sys
0xB8330000 PartMgr.sys
0xB80E8000 VolSnap.sys
0xB7F0B000 atapi.sys
0xB84BC000 cbidf2k.sys
0xB7EF3000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xB80F8000 disk.sys
0xB8108000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xB7ED3000 fltmgr.sys
0xB7EC1000 sr.sys
0xB8338000 PxHelp20.sys
0xB7EAA000 KSecDD.sys
0xB7E1D000 Ntfs.sys
0xB7DF0000 NDIS.sys
0xB8118000 viaagp.sys
0xB8128000 sisagp.sys
0xB8138000 RapportKELL.sys
0xB7DD6000 Mup.sys
0xB8148000 amdagp.sys
0xB8158000 alim1541.sys
0xB8168000 agpCPQ.sys
0xB8178000 agp440.sys
0xB81F8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB6DEB000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB6DD7000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB6D96000 \SystemRoot\System32\DRIVERS\e1e5132.sys
0xB83D8000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xB6D72000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xB83E0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB6D4A000 \SystemRoot\System32\DRIVERS\HDAudBus.sys
0xB8228000 \SystemRoot\System32\DRIVERS\nic1394.sys
0xB8238000 \SystemRoot\System32\DRIVERS\serial.sys
0xB7D96000 \SystemRoot\System32\DRIVERS\serenum.sys
0xB6D36000 \SystemRoot\System32\DRIVERS\parport.sys
0xB8248000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xB83E8000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xB83F0000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xB83F8000 \SystemRoot\System32\DRIVERS\fdc.sys
0xB8258000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB8268000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xB8278000 \SystemRoot\System32\DRIVERS\redbook.sys
0xB6D13000 \SystemRoot\System32\DRIVERS\ks.sys
0xB868F000 \SystemRoot\System32\DRIVERS\audstub.sys
0xB82B8000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xB859C000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xB41B3000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xB756B000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xB7A3E000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xB8448000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xB41A2000 \SystemRoot\System32\DRIVERS\psched.sys
0xB82C8000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xB8430000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xB4172000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xB8318000 \SystemRoot\System32\DRIVERS\termdd.sys
0xB85CE000 \SystemRoot\System32\DRIVERS\swenum.sys
0xB4114000 \SystemRoot\System32\DRIVERS\update.sys
0xB7D9A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB75AB000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB79EE000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xB85BC000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xAF9C2000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAF99E000 \SystemRoot\system32\drivers\portcls.sys
0xB41EA000 \SystemRoot\system32\drivers\drmk.sys
0xAFE29000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xB76A0000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xAF968000 \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys
0xB85E2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB8753000 \SystemRoot\System32\Drivers\Null.SYS
0xB85E4000 \SystemRoot\System32\Drivers\Beep.SYS
0xB83A8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB5686000 \SystemRoot\System32\drivers\vga.sys
0xB85EE000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB85D0000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB0E21000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB10B2000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB8588000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xAF935000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAF8DC000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xAF8B4000 \SystemRoot\System32\DRIVERS\netbt.sys
0xAF88E000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xB0F80000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xB30AC000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xAF86C000 \SystemRoot\System32\drivers\afd.sys
0xB82A8000 \SystemRoot\System32\DRIVERS\netbios.sys
0xB0F70000 \SystemRoot\System32\DRIVERS\arp1394.sys
0xAF841000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xAF81B000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
0xB79BE000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
0xAF7AB000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xB420A000 \SystemRoot\System32\Drivers\Fips.SYS
0xB10A2000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xB0FD0000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAF793000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB8618000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB855C000 \SystemRoot\System32\drivers\Dxapi.sys
0xB0E39000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB10CE000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBD5A6000 \SystemRoot\System32\ATMFD.DLL
0xAEB8C000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xAE98F000 \SystemRoot\system32\drivers\wdmaud.sys
0xB0F90000 \SystemRoot\system32\drivers\sysaudio.sys
0xAE84C000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xB8626000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xAE71B000 \SystemRoot\System32\Drivers\HTTP.sys
0xAEAB4000 \??\C:\Documents and Settings\Finn\Desktop\hw32_236\HWiNFO32.SYS
0xAE69B000 \SystemRoot\System32\DRIVERS\srv.sys
0xAE828000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB8348000 \SystemRoot\system32\DRIVERS\LVPr2Mon.sys
0xB567E000 \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 59):
0 System Idle Process
4 System
460 C:\WINDOWS\system32\smss.exe
516 csrss.exe
544 C:\WINDOWS\system32\winlogon.exe
588 C:\WINDOWS\system32\services.exe
600 C:\WINDOWS\system32\lsass.exe
792 C:\WINDOWS\system32\nvsvc32.exe
820 C:\WINDOWS\system32\svchost.exe
872 svchost.exe
940 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
1028 C:\WINDOWS\system32\svchost.exe
1108 svchost.exe
1212 svchost.exe
1316 C:\WINDOWS\system32\spoolsv.exe
1528 C:\WINDOWS\explorer.exe
1660 svchost.exe
1692 C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\Apache.exe
1724 C:\WINDOWS\ehome\ehrecvr.exe
1736 C:\WINDOWS\ehome\ehSched.exe
1884 C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
1996 C:\Program Files\Google\Update\GoogleUpdate.exe
2024 C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
352 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
404 C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
496 C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
1348 C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\Apache.exe
1424 C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
1496 C:\WINDOWS\system32\svchost.exe
3112 C:\WINDOWS\system32\wuauclt.exe
3380 C:\WINDOWS\system32\wscntfy.exe
3636 C:\Program Files\btbb_wcm\McciTrayApp.exe
3668 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
3708 C:\Program Files\Common Files\AOL\1169214453\ee\aolsoftware.exe
3736 C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
3764 C:\WINDOWS\RTHDCPL.exe
3820 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
3844 C:\WINDOWS\system32\rundll32.exe
3852 C:\Program Files\Logitech\QuickCam\Quickcam.exe
3888 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
3908 C:\Program Files\Digital Media Reader\shwiconEM.exe
3916 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
3944 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe
4080 C:\PROGRA~1\Yahoo!\browser\ycommon.exe
372 C:\WINDOWS\system32\dllhost.exe
3900 C:\WINDOWS\ehome\ehtray.exe
3452 C:\WINDOWS\zHotkey.exe
1668 C:\WINDOWS\ehome\ehmsas.exe
2004 alg.exe
3328 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
336 C:\Program Files\OpenOffice.org 3\program\soffice.exe
500 C:\Program Files\OpenOffice.org 3\program\soffice.bin
1448 C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
3952 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
1384 C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
4308 <unknown>
4564 C:\WINDOWS\system32\taskmgr.exe
4652 C:\WINDOWS\system32\wuauclt.exe
4908 C:\Documents and Settings\Finn\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST3160815AS, Rev: 4.AAA

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!
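
The MBRCheck report above boils down to three checks on one 512-byte sector: is the 0x55AA signature intact, what is the hash of the boot code, and where does the C: volume start (0x7E00 is LBA 63 times 512, the classic XP layout). As an added example by the editor, not code from the thread or from MBRCheck, the Python below performs the same checks on a raw MBR and shows why a hash baseline catches a bootkit: a bootkit has to overwrite the bootstrap bytes, so the hash stops matching any clean install. The sample sector is constructed, the bootstrap bytes are a stub rather than the real Windows XP MBR code, and the known-good table is a placeholder to be filled with a hash taken from a clean machine of the same OS.

```python
"""Inspect a raw 512-byte MBR sector the way MBRCheck's report above does:
confirm the 0x55AA boot signature, hash the bootstrap code, decode the
partition table and derive each volume's byte offset.

Added example by the editor, not code from the thread or from MBRCheck.
The sample sector is constructed; the bootstrap bytes are a stub, not the
real Windows XP MBR code, and the known-good table is a placeholder you fill
with a hash taken from a clean install of the same OS.
"""
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 440        # bytes 0..439: boot code (440..443 holds the disk signature)
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG_OFF = 510         # trailing 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, start LBA, sector count
PART_TYPES = {0x07: "NTFS/HPFS", 0x0C: "FAT32 LBA", 0x05: "Extended", 0x0F: "Extended LBA"}


def build_sample_mbr(bootcode: bytes, layout) -> bytes:
    """Assemble a constructed MBR: bootcode zero-padded to 440 bytes, then entries, then 55AA."""
    buf = bytearray(SECTOR)
    buf[: len(bootcode)] = bootcode
    for i, (bootable, ptype, start_lba, sectors) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, buf, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\xfe\xff\xff", ptype,
                         b"\xfe\xff\xff", start_lba, sectors)
    buf[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(buf)


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector and return hashes plus the decoded partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, start_lba, sectors = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                      # empty slot
        partitions.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": PART_TYPES.get(ptype, f"0x{ptype:02X}"),
            "start_lba": start_lba,
            "offset_bytes": start_lba * SECTOR,   # what MBRCheck prints as "at offset"
            "size_bytes": sectors * SECTOR,
        })
    return {
        "bootcode_sha1": hashlib.sha1(sector[:BOOTSTRAP_LEN]).hexdigest().upper(),
        "sector_sha1": hashlib.sha1(sector).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, BOOTSTRAP_LEN)[0],
        "partitions": partitions,
    }


def classify_bootcode(sha1_hex: str, known_good: dict) -> str:
    """Label the bootstrap hash from a clean baseline; anything else needs manual review,
    because a bootkit replaces exactly these bytes and will not match any clean hash."""
    return known_good.get(sha1_hex.upper(), "UNKNOWN")


def demo():
    # Constructed layout: two NTFS partitions, the first at LBA 63 (byte offset 0x7E00,
    # the offset MBRCheck reported for C: above), the second one not bootable.
    stub_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24   # stand-in bytes, not real MBR code
    layout = [(True, 0x07, 63, 209_715_200), (False, 0x07, 209_715_263, 102_866_545)]
    clean = build_sample_mbr(stub_code, layout)
    info = parse_mbr(clean)
    known_good = {info["bootcode_sha1"]: "constructed clean baseline"}  # in practice: from a clean box

    tampered = bytearray(clean)
    tampered[0x10] ^= 0xFF                 # simulate a bootkit patching the bootstrap code
    tampered_info = parse_mbr(bytes(tampered))
    return (info,
            classify_bootcode(info["bootcode_sha1"], known_good),
            classify_bootcode(tampered_info["bootcode_sha1"], known_good))


if __name__ == "__main__":
    info, clean_verdict, tampered_verdict = demo()
    for p in info["partitions"]:
        print(f"partition({p['index']}) {p['type']} at offset 0x{p['offset_bytes']:X} bootable={p['bootable']}")
    print("bootcode SHA1:", info["bootcode_sha1"], "->", clean_verdict)
    print("after tamper ->", tampered_verdict)
```

On a real disk you would feed `parse_mbr` the first 512 bytes read from the physical device (or from the image taken at the start of this thread), which is also why imaging before cleanup matters: the original sector stays available for comparison after any repair.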


----------



## eddie5659 (Mar 19, 2001)

Okay, just looking back through the previous ComboFix log, and it appears you have two copies of Windows XP running:



> multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
> multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect


When you boot up, does it give you an option to select which one you want?

Also, can you do this, as this is a legit file and I need to put it back, as ComboFix removed it.

So, delete the copy of CFScript that you have, and do the drag/drop with the updated one attached here and post the log.

eddie


----------



## Justletmepost (Mar 11, 2012)

No time to do the ComboFix thing right now, but yes, I have two copies of Windows XP on disk. I installed it twice by accident somehow when I reformatted the computer ages ago. I just ignore the second copy.


----------



## Justletmepost (Mar 11, 2012)

==========================
*Combofix log*
==========================
ComboFix 12-05-26.02 - Finn 05/27/2012 4:40.9.2 - x86
Running from: c:\documents and settings\Finn\Desktop\Finn101112.exe
Command switches used :: c:\documents and settings\Finn\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Finn\Recent\[email protected]
.
.
((((((((((((((((((((((((( Files Created from 2012-04-27 to 2012-05-27 )))))))))))))))))))))))))))))))
.
.
2012-05-20 18:10 . 2012-05-20 18:10 -------- d-----w- c:\program files\Windows Resource Kits
2012-05-20 11:26 . 2012-05-20 11:26 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\pdf995
2012-05-04 08:07 . 2012-05-04 08:07 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\OpenOffice.org
2012-05-02 12:51 . 2012-05-02 12:51 -------- d-----w- c:\program files\Lame For Audacity
2012-05-02 11:22 . 2012-05-02 11:22 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\DivX
2012-05-01 09:18 . 2012-05-01 09:18 -------- d-----w- c:\documents and settings\Temp_for_fix\Contacts
2012-04-28 23:39 . 2012-04-29 01:33 -------- d-----w- c:\documents and settings\Temp_for_fix\Local Settings\Application Data\WMTools Downloaded Files
2012-04-28 23:18 . 2012-04-28 23:19 -------- d-----w- c:\documents and settings\Temp_for_fix\Local Settings\Application Data\ApplicationHistory
2012-04-28 07:02 . 2012-04-28 07:02 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\vlc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 18:20 . 2012-04-13 18:20 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-04-11 06:08 . 2012-04-11 06:19 883616 ----a-w- C:\FixExec.com
2012-04-04 14:56 . 2012-04-11 07:24 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-19 00:32 . 2012-03-18 23:40 2617176 ----a-w- C:\revosetup.exe
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-06 23:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((( [email protected]_19.36.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-27 04:00 . 2012-05-27 04:00 53248 c:\windows\temp\catchme.dll
+ 2001-08-23 12:00 . 2012-03-26 10:24 60180 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2012-01-13 00:50 60180 c:\windows\system32\perfc009.dat
- 2009-01-01 00:42 . 2012-02-24 18:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-01 00:42 . 2012-03-28 20:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-04-13 18:22 . 2012-04-13 18:22 22016 c:\windows\Installer\5866577.msi
- 2009-12-11 15:38 . 2009-12-11 15:38 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamStartMenuS_65895B9BA1A04BCBAB7BF5673B44A0E4.exe
+ 2009-12-11 15:38 . 2012-04-29 01:45 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamStartMenuS_65895B9BA1A04BCBAB7BF5673B44A0E4.exe
+ 2009-12-11 15:38 . 2012-04-29 01:45 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamDesktopSho_C0678C37AA5341A4BE4781BAF94DE0CC.exe
- 2009-12-11 15:38 . 2009-12-11 15:38 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamDesktopSho_C0678C37AA5341A4BE4781BAF94DE0CC.exe
- 2009-12-11 15:38 . 2009-12-11 15:38 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\ARPPRODUCTICON.exe
+ 2009-12-11 15:38 . 2012-04-29 01:45 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\ARPPRODUCTICON.exe
+ 2012-05-01 09:18 . 2012-05-01 09:18 29926 c:\windows\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
- 2009-02-04 22:07 . 2009-02-04 22:07 29926 c:\windows\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2012-04-17 21:39 . 2012-04-17 21:39 61440 c:\windows\ERDNT\17-04-2012\Users\00000001\ntuser.dat
+ 2009-01-05 02:04 . 2012-03-28 01:52 5536 c:\windows\system32\d3d9caps.dat
- 2009-01-05 02:04 . 2012-03-18 21:21 5536 c:\windows\system32\d3d9caps.dat
+ 2001-08-23 12:00 . 2012-03-26 10:24 377306 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2012-01-13 00:50 377306 c:\windows\system32\perfh009.dat
+ 2008-12-31 23:35 . 2012-05-20 19:07 143624 c:\windows\system32\FNTCACHE.DAT
- 2008-12-31 23:35 . 2012-02-03 16:48 143624 c:\windows\system32\FNTCACHE.DAT
+ 2012-05-20 18:10 . 2012-05-20 18:10 279040 c:\windows\Installer\aa9216.msi
- 2011-09-05 23:06 . 2011-09-05 23:06 371272 c:\windows\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
+ 2012-04-13 14:26 . 2012-04-13 14:26 371272 c:\windows\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
+ 2012-04-17 21:39 . 2012-04-17 21:39 262144 c:\windows\ERDNT\17-04-2012\Users\00000002\UsrClass.dat
+ 2012-04-17 21:39 . 2005-10-20 11:02 163328 c:\windows\ERDNT\17-04-2012\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-06 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-08 543232]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"HostManager"="c:\program files\Common Files\AOL\1169214453\ee\AOLSoftware.exe" [2006-05-24 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-06 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-06 138008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-11 421888]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CHotkey"="zHotkey.exe" [2004-12-08 550912]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Finn\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\Temp_for_fix\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2009-1-5 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Finn^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\Finn\\Desktop\\eclipse-java-ganymede-SR1-win32\\eclipse\\eclipse.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\RosettaStoneVersion3.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone TOTALe\\RosettaStoneTOTALe.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"57224:TCP"= 57224:TCPando Media Booster
"57224:UDP"= 57224:UDPando Media Booster
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"<NO NAME>"= 
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 135664]
R2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [2004-07-16 126976]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 135664]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-04-13 32072]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys [2011-08-07 21520]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2012-01-25 56208]
S1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [2011-12-15 228208]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2012-01-25 71440]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2012-01-25 164112]
S2 HWiNFO32;HWiNFO32 Kernel Driver;c:\documents and settings\Finn\Desktop\hw32_236\HWiNFO32.SYS [2008-11-21 16616]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2012-01-25 931640]
S2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [2010-05-17 1615176]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs REG_MULTI_SZ eapsvcs
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-01-02 12:42]
.
2012-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003Core.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2012-05-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003UA.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2011-02-08 c:\windows\Tasks\Reimage Reminder.job
- c:\program files\Reimage\Reimage Repair\ReimageReminder.exe [2011-02-03 13:09]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
mSearch Bar = 
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Finn\Application Data\Mozilla\Firefox\Profiles\58w0as7u.temptemptemp\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-27 05:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-05-27 05:03:46
ComboFix-quarantined-files.txt 2012-05-27 04:03
ComboFix2.txt 2012-05-24 15:52
ComboFix3.txt 2012-05-22 02:55
ComboFix4.txt 2012-05-16 04:12
ComboFix5.txt 2012-05-27 02:52
.
Pre-Run: 9,164,931,072 bytes free
Post-Run: 9,152,319,488 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - 01FC3F18867DA7ECD6404D042D07D28C
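
A few things in the log above are what a helper scans for by eye: every `*DisableNotify`/`*Override` value under `security center\svc` is set to 1 (these suppress the XP Security Center's antivirus, firewall and update warnings; a third-party suite may set them legitimately, malware sets them routinely, so they are worth asking about), a kernel driver (HWiNFO32.SYS) is loaded from the Desktop, 3389/TCP (Remote Desktop) is in the globally open ports list, and boot.ini lists two XP installs. As an added example by the editor, not code from the thread or from ComboFix, the Python below does that triage mechanically over the log's text. SAMPLE_LOG is a constructed excerpt modelled on the posted log (the "ExampleUpdater" run entry is invented to exercise the user-profile check), and the heuristics are the editor's own, not ComboFix's.

```python
"""Triage pass over the text of a ComboFix log: flag Security Center
overrides, autostarts and drivers that load from a user profile, globally
open firewall ports, and how many Windows installs boot.ini lists.

Added example by the editor, not code from the thread or from ComboFix.
SAMPLE_LOG is a constructed excerpt modelled on the log posted above (the
"ExampleUpdater" run entry is invented to exercise the check); the
heuristics are the editor's, not ComboFix's.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"ExampleUpdater"="c:\documents and settings\Finn\Application Data\Example\upd.exe" [2012-05-30 61440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
S2 HWiNFO32;HWiNFO32 Kernel Driver;c:\documents and settings\Finn\Desktop\hw32_236\HWiNFO32.SYS [2008-11-21 16616]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2012-01-25 56208]
.
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

REMOTE_ADMIN_PORTS = {"3389/TCP"}          # Remote Desktop; other ports are listed, not flagged
USER_PROFILE_RE = re.compile(r"c:\\(documents and settings|users)\\", re.I)
RUN_VALUE_RE = re.compile(r'^"[^"]+"="(?P<path>[^"]+)"')            # "Name"="path" [date size]
SERVICE_RE = re.compile(r"^[RS][0-4] [^;]+;[^;]*;(?P<path>.+?) \[")  # S2 name;description;path [date size]
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
ARC_RE = re.compile(r"^multi\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\((?P<n>\d+)\)\\(?P<dir>[^=]+)=")


def triage(log: str) -> dict:
    """Walk the log once, tracking the current [section] header, and collect findings."""
    findings = {"security_center": [], "user_profile_autostarts": [],
                "open_ports": [], "os_installs": []}
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("["):
            section = line.lower()
            continue
        m = RUN_VALUE_RE.match(line) or SERVICE_RE.match(line)
        if m:                              # autostart or service: where does it load from?
            if USER_PROFILE_RE.search(m["path"]):
                findings["user_profile_autostarts"].append(m["path"])
            continue
        if "security center" in section and line.endswith("dword:00000001"):
            findings["security_center"].append(line.split("=", 1)[0].strip('"'))
        elif "globallyopenports" in section and (m := PORT_RE.match(line)):
            findings["open_ports"].append(f"{m['port']}/{m['proto']}")
        elif "operating systems" in section and (m := ARC_RE.match(line)):
            findings["os_installs"].append(f"partition({m['n']})\\{m['dir']}")
    return findings


def verdicts(findings: dict) -> list:
    """Turn raw findings into the points a helper would raise in the thread."""
    out = []
    if findings["security_center"]:
        out.append("Security Center suppressed: " + ", ".join(findings["security_center"]))
    for path in findings["user_profile_autostarts"]:
        out.append("loads from a user profile (review): " + path)
    for port in findings["open_ports"]:
        if port in REMOTE_ADMIN_PORTS:
            out.append("remote admin port listed as globally open: " + port)
    if len(findings["os_installs"]) > 1:
        out.append(f"{len(findings['os_installs'])} Windows installs in boot.ini: "
                   + ", ".join(findings["os_installs"]))
    return out


if __name__ == "__main__":
    for v in verdicts(triage(SAMPLE_LOG)):
        print("-", v)
```

The user-profile check is deliberately a "review" rather than a "malicious" verdict: HWiNFO32.SYS above is a legitimate hardware monitor that happens to be run from the Desktop, but a kernel driver loading from a user-writable folder is exactly the pattern an infection also produces, so it is the first thing to verify by hash or by the vendor's own download.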


----------



## eddie5659 (Mar 19, 2001)

Sorry for not coming back sooner, for the past few days my graphics card has been playing up, so I spent a nice 6 hours trying to solve it. So, I'm now waiting for my new card to arrive on Saturday.

Anyhoo, I'm still here.

With regards to the two versions of XP, this may be why the Recovery Console keeps asking to be installed, as it's installed on the one you use all the time, not the other one.

Also, am I right in assuming that the temp and Finn account are both run from the same version?

I'm checking something with the developer, will reply as soon as I get an answer.


----------



## Justletmepost (Mar 11, 2012)

Ahh, that does make sense about the recovery console...

And yes, everything I've done has been from the same WinXP installation. I've never touched the other one at all, not once.


----------



## eddie5659 (Mar 19, 2001)

Okay, been talking about it, and will it be possible for you to log into the other Windows version? 

If you can, see if you can get online to get ComboFix and run a scan (the full one, no CFScript).

Curious what it finds, as that may be where the ZA infection is.

If you have no internet with that version, then either download it to a usb stick, and transfer it across, or possibly pop it on the C drive, and see if you have access to it in the other version.

Any problems etc., let me know.


----------



## Justletmepost (Mar 11, 2012)

It turns out I can't boot into the other WinXP installation at all.
When I try, I get this error:


> Windows could not start because of a computer disk hardware configuration problem.
> Could not read from the selected boot disk. Check boot path and disk hardware.
> Please check the Windows documentation about hardware disk configuration and your hardware reference manuals for additional information.


Also, I should note that the windows recovery console appears in the same list as the two winxp installations - I can select the recovery console or either of the installations. That suggests to me that it doesn't need to be installed for different windows installations individually. But I could very easily be wrong.


----------



## Justletmepost (Mar 11, 2012)

Oh, and a reminder: I still don't have sound, just getting a system beep from the tower rather than the speakers when I click the slider in Volume Control. But, again, this is only true on the Finn account - on Temp_for_fix sound works fine, so presumably it isn't a driver problem?

EDIT: ...oh. Huuuuh. That last time I tested for this, sound was actually not working. But now, on further inspection, sound does actually work - apparently it's JUST the Volume Control slider that's behaving strangely. Very odd.


----------



## eddie5659 (Mar 19, 2001)

Well, that is strange. It's not accessible, so that rules that out. Secondly, you can see the recovery console, but ComboFix still says it's not there. I've asked the developer if they know why.

For the audio, I'll remember to look at that after I'm certain the malware is all gone.

-------

Let's see if we can sort the TCP/IP out:

Can you have a look and see if you have the following file:

*C:\WINDOWS\inf\nettcpip.inf*

If you do, then back up your Registry as follows:

http://pcsupport.about.com/od/windowsxp/ht/backupxpreg.htm

Then see if you can follow the steps in the *Hardcore method when nothing else is working* section on

http://smokeys.wordpress.com/2008/07/20/how-to-recover-a-really-dead-windows-xp-sp2sp3-tcpip-stack/

If it makes things worse then revert back to your saved registry

Let me know if it works (when you run ComboFix, can you let me know if it mentions ZeroAccess again).

-----------

Can you do the following for me.

Firstly, delete the copy of Combofix you have, and get a new one from here (it updates daily):

Download ComboFix from one of these locations:

*Link 1*
*Link 2*

Then, download the attached script, and run it as before (drag and drop) and post the log.

eddie


----------



## Justletmepost (Mar 11, 2012)

I don't have a "Local Area Connection" in my Network Connections - I have a "Local Area Connection 3". This is probably just an artifact of me messing around with connection settings in the various houses I've used this computer in, but I may as well mention it.

After following those "hardcore" steps, everything seems to be working fine connection-wise, as before. Granted, I don't have a connection status icon on my taskbar anymore, but I'm guessing that's very easily restored and not important in any case.

Now for Combofix. Report in next post.


----------



## Justletmepost (Mar 11, 2012)

It still reports ZeroAccess, I'm afraid =_=. Do you think it would be worth repeating the same process as last time, but this time running ComboFix in the middle, after uninstalling TCP and before reinstalling it? Because if it reports a rootkit in the TCP/IP stack even when the TCP/IP stack is MISSING, then that could signify... er, something.

================
*Combofix log*
================
ComboFix 12-05-31.02 - Finn 06/01/2012 3:12.10.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1625 [GMT 1:00]
Running from: c:\documents and settings\Finn\Desktop\Finn131415.exe
Command switches used :: c:\documents and settings\Finn\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Finn\Application Data\Qerayw
c:\documents and settings\Finn\Application Data\Tuyzynv
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2012-05-01 to 2012-06-01 )))))))))))))))))))))))))))))))
.
.
2012-05-20 18:10 . 2012-05-20 18:10 -------- d-----w- c:\program files\Windows Resource Kits
2012-05-20 11:26 . 2012-05-20 11:26 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\pdf995
2012-05-04 08:07 . 2012-05-04 08:07 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\OpenOffice.org
2012-05-02 12:51 . 2012-05-02 12:51 -------- d-----w- c:\program files\Lame For Audacity
2012-05-02 11:22 . 2012-05-02 11:22 -------- d-----w- c:\documents and settings\Temp_for_fix\Application Data\DivX
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 18:20 . 2012-04-13 18:20 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-04-11 06:08 . 2012-04-11 06:19 883616 ----a-w- C:\FixExec.com
2012-04-04 14:56 . 2012-04-11 07:24 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-19 00:32 . 2012-03-18 23:40 2617176 ----a-w- C:\revosetup.exe
2012-03-11 12:48 . 2012-03-11 12:48 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-06 23:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((( [email protected]_19.36.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-06-01 10:38 . 2012-06-01 10:38 22253 c:\windows\temp\Turkish.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 16949 c:\windows\temp\TradChin.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 21976 c:\windows\temp\Thai.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 24082 c:\windows\temp\SWEDISH.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 27753 c:\windows\temp\Spanish.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 16408 c:\windows\temp\SimChin.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 26126 c:\windows\temp\Russian.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 26260 c:\windows\temp\Portuguese.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 25071 c:\windows\temp\Portuguese(Brazil).bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 24221 c:\windows\temp\Polish.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 21964 c:\windows\temp\Norwegian.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 20135 c:\windows\temp\Korean.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 24297 c:\windows\temp\Japanese.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 27410 c:\windows\temp\Italian.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 26080 c:\windows\temp\Hungarian.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 19553 c:\windows\temp\Hebrew.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 25082 c:\windows\temp\Greek.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 25753 c:\windows\temp\German.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 27235 c:\windows\temp\French.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 22857 c:\windows\temp\Finnish.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 21914 c:\windows\temp\English.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 25747 c:\windows\temp\Dutch.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 22783 c:\windows\temp\Danish.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 24312 c:\windows\temp\Czech.bin
+ 2012-06-01 10:38 . 2012-06-01 10:38 20972 c:\windows\temp\Arabic.bin
- 2001-08-23 12:00 . 2012-01-13 00:50 60180 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2012-06-01 01:12 60180 c:\windows\system32\perfc009.dat
- 2009-01-01 00:42 . 2012-02-24 18:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-01 00:42 . 2012-03-28 20:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-04-13 18:22 . 2012-04-13 18:22 22016 c:\windows\Installer\5866577.msi
+ 2009-12-11 15:38 . 2012-04-29 01:45 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamStartMenuS_65895B9BA1A04BCBAB7BF5673B44A0E4.exe
- 2009-12-11 15:38 . 2009-12-11 15:38 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamStartMenuS_65895B9BA1A04BCBAB7BF5673B44A0E4.exe
+ 2009-12-11 15:38 . 2012-04-29 01:45 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamDesktopSho_C0678C37AA5341A4BE4781BAF94DE0CC.exe
- 2009-12-11 15:38 . 2009-12-11 15:38 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamDesktopSho_C0678C37AA5341A4BE4781BAF94DE0CC.exe
- 2009-12-11 15:38 . 2009-12-11 15:38 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\ARPPRODUCTICON.exe
+ 2009-12-11 15:38 . 2012-04-29 01:45 57344 c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\ARPPRODUCTICON.exe
+ 2012-05-27 22:47 . 2012-05-27 22:47 29926 c:\windows\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
- 2009-02-04 22:07 . 2009-02-04 22:07 29926 c:\windows\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2012-04-17 21:39 . 2012-04-17 21:39 61440 c:\windows\ERDNT\17-04-2012\Users\00000001\ntuser.dat
- 2009-01-05 02:04 . 2012-03-18 21:21 5536 c:\windows\system32\d3d9caps.dat
+ 2009-01-05 02:04 . 2012-03-28 01:52 5536 c:\windows\system32\d3d9caps.dat
- 2011-04-15 02:35 . 2012-02-03 16:56 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStopShortcut.exe
+ 2011-04-15 02:35 . 2012-06-01 01:09 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStopShortcut.exe
+ 2011-04-15 02:35 . 2012-06-01 01:09 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStartShortcut.exe
- 2011-04-15 02:35 . 2012-02-03 16:56 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceStartShortcut.exe
- 2011-04-15 02:35 . 2012-02-03 16:56 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceConsoleShortcut.exe
+ 2011-04-15 02:35 . 2012-06-01 01:09 5430 c:\windows\Installer\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}\RapportServiceConsoleShortcut.exe
+ 2012-06-01 02:35 . 2008-12-16 21:59 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
- 2001-08-23 12:00 . 2012-01-13 00:50 377306 c:\windows\system32\perfh009.dat
+ 2001-08-23 12:00 . 2012-06-01 01:12 377306 c:\windows\system32\perfh009.dat
- 2008-12-31 23:35 . 2012-02-03 16:48 143624 c:\windows\system32\FNTCACHE.DAT
+ 2008-12-31 23:35 . 2012-05-20 19:07 143624 c:\windows\system32\FNTCACHE.DAT
+ 2012-05-20 18:10 . 2012-05-20 18:10 279040 c:\windows\Installer\aa9216.msi
+ 2012-04-13 14:26 . 2012-04-13 14:26 371272 c:\windows\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
- 2011-09-05 23:06 . 2011-09-05 23:06 371272 c:\windows\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
+ 2012-04-17 21:39 . 2012-04-17 21:39 262144 c:\windows\ERDNT\17-04-2012\Users\00000002\UsrClass.dat
+ 2012-04-17 21:39 . 2005-10-20 11:02 163328 c:\windows\ERDNT\17-04-2012\ERDNT.EXE
+ 2012-06-01 01:09 . 2012-06-01 01:09 1409536 c:\windows\Installer\42316.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-06 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-08 543232]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"HostManager"="c:\program files\Common Files\AOL\1169214453\ee\AOLSoftware.exe" [2006-05-24 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-06 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-06 138008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-11 421888]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CHotkey"="zHotkey.exe" [2004-12-08 550912]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Finn\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\Temp_for_fix\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2009-1-5 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Finn^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169214453\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\Finn\\Desktop\\eclipse-java-ganymede-SR1-win32\\eclipse\\eclipse.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\RosettaStoneVersion3.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone TOTALe\\RosettaStoneTOTALe.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*isabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*isabled:SolidNetworkManager
"57224:TCP"= 57224:TCPando Media Booster
"57224:UDP"= 57224:UDPando Media Booster
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"<NO NAME>"= 
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [3/11/2012 1:48 PM 56208]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [12/15/2011 5:55 PM 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [3/11/2012 1:48 PM 71440]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [3/11/2012 1:48 PM 164112]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\documents and settings\Finn\Desktop\hw32_236\HWiNFO32.sys [11/21/2008 10:48 AM 16616]
R2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [1/2/2009 9:39 PM 126976]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [3/11/2012 1:48 PM 931640]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [5/17/2010 2:45 PM 1615176]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 7:26 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 7:26 AM 135664]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [4/13/2012 7:20 PM 32072]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [8/7/2011 1:43 PM 21520]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs REG_MULTI_SZ eapsvcs
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-01-02 12:42]
.
2012-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 06:26]
.
2012-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003Core.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2012-06-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1214440339-725345543-1003UA.job
- c:\documents and settings\Finn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 11:57]
.
2011-02-08 c:\windows\Tasks\Reimage Reminder.job
- c:\program files\Reimage\Reimage Repair\ReimageReminder.exe [2011-02-03 13:09]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
mSearch Bar = 
uInternet Connection Wizard,ShellNext = hxxp://www.youtube.com/watch?v=WrQiWoxbvyk
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Finn\Application Data\Mozilla\Firefox\Profiles\58w0as7u.temptemptemp\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-01 11:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(8732)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\progra~1\BTHOME~1\Help\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\documents and settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\apache.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
c:\windows\system32\dllhost.exe
c:\documents and settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\apache.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\zHotkey.exe
c:\windows\eHome\ehmsas.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\BT Home Hub\Help\bin\mpbtn.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2012-06-01 11:44:42 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-01 10:44
ComboFix2.txt 2012-05-27 04:03
ComboFix3.txt 2012-05-24 15:52
ComboFix4.txt 2012-05-22 02:55
ComboFix5.txt 2012-06-01 01:50
.
Pre-Run: 8,499,027,968 bytes free
Post-Run: 8,576,282,624 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - 7590544DFE81278D5EC5B3826B003816
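As an added example (not part of this thread, and not ComboFix's own code), the following Python script reads the REGEDIT-style `Reg Loading Points` section of a log like the one above and pulls out the two things a defender checks first in it: the Security Center notify/override values (all five read `dword:00000001` here, which silences the XP warnings about antivirus, firewall and updates; security suites set some of these legitimately, malware sets them to hide) and the firewall's globally open ports. The sample input is a constructed copy of the relevant lines from the log above; the assumption that the forum's smiley rendering ate the `:D`/`:P` sequences in the port entries is stated in the code and handled by reporting such entries as `unknown` rather than guessing.

```python
import re
import sys

# Constructed sample input: the Security Center and firewall blocks as they
# appear in the ComboFix "Reg Loading Points" section, embedded so this runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*isabled:SolidNetworkManager
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"<NO NAME>"= 
.
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
PORT_RE = re.compile(r"^(\d+):(TCP|UDP)$", re.IGNORECASE)

# Security Center values that silence or override the XP warnings about a
# missing antivirus, firewall or updates. A value of 1 is worth a question
# either way: suites set some of these legitimately, malware sets them to hide.
SECURITY_CENTER_VALUES = (
    "AntiVirusDisableNotify",
    "AntiVirusOverride",
    "FirewallDisableNotify",
    "FirewallOverride",
    "UpdatesDisableNotify",
)


def parse_reg_blocks(text):
    """Map each [key] header in REGEDIT-style text to its "name"=data pairs."""
    blocks, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            blocks.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            blocks[current][value.group(1)] = value.group(2).strip()
    return blocks


def security_center_overrides(blocks):
    """Names under ...\\security center\\svc that are set to dword:00000001."""
    found = []
    for key, values in blocks.items():
        if key.lower().endswith(r"security center\svc"):
            for name, data in values.items():
                if name in SECURITY_CENTER_VALUES and data.lower() == "dword:00000001":
                    found.append(name)
    return sorted(found)


def globally_open_ports(blocks):
    """(port, proto, state) for every GloballyOpenPorts entry.

    ComboFix writes the data as port:proto:*:Enabled:name or ...:Disabled:name.
    Assumption: in a forum copy the ':D' / ':P' sequences may have been eaten by
    smiley rendering, so the state is matched loosely and 'unknown' is reported
    when it cannot be read.
    """
    ports = []
    for key, values in blocks.items():
        if not key.lower().endswith(r"globallyopenports\list"):
            continue
        for name, data in values.items():
            m = PORT_RE.match(name)
            if not m:
                continue
            low = data.lower()
            if ":enabled:" in low:
                state = "enabled"
            elif "isabled:" in low:
                state = "disabled"
            else:
                state = "unknown"
            ports.append((int(m.group(1)), m.group(2).upper(), state))
    return sorted(ports)


def report(text):
    """One line per finding, in a fixed order, so it can be diffed between logs."""
    blocks = parse_reg_blocks(text)
    lines = [f"security center: {n} = 1" for n in security_center_overrides(blocks)]
    for port, proto, state in globally_open_ports(blocks):
        lines.append(f"firewall exception: {port}/{proto} ({state})")
    return lines


if __name__ == "__main__":
    # Pass a saved ComboFix log as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print("\n".join(report(text)))
```

Run it against a saved ComboFix log to get the same eight lines for the sample above; 3389/TCP (Remote Desktop) listed as a global exception on a home machine is the entry to ask about, whatever its state turns out to be.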


----------



## eddie5659 (Mar 19, 2001)

I have a few things to try yet, but first I just want to clarify something. Have a feeling it's fine, but you initially said at the very beginning you made a backup of the computer. Where did you save this? Is it still in the computer, or an external drive?

Also, is this the program you used for the Winsock:

C:\zzzwinsockfix

if so, can you remember where you got it from?


----------



## Justletmepost (Mar 11, 2012)

The backup is on an external drive.

And yes, that program, winsockpfix, is what I used. But I really can't remember where I got it from exactly, it's been three months >_<. Before I found this forum I tried various increasingly (by my standards) desperate measures, googling for my symptoms and looking for people's recommendations to people with similar problems. One such result, wherever it was, recommended winsockpfix. And that's all I remember, I'm afraid =/


----------



## eddie5659 (Mar 19, 2001)

Not a problem 

I'm here but in a few mins I have to wait for a parcel for a few hours (my graphics card, as it's dying on this pc), so will reply when I can get back to this pc 

It was the zzz in front that made me wonder what it was.

Just need to have a look at a few things, then we can try something else


----------



## eddie5659 (Mar 19, 2001)

Okay, back now with my new card in (had to check it out on the main game I play, and it worked, so forgot the time until 6 hours later  )

On the actual computer, you're running out of space:

*Drive C: | 127.99 Gb Total Space | 8.54 Gb Free Space | 6.67% Space Free | Partition Type: NTFS*

Free space on the computer is less than 7%, which will cause major problems soon. I would suggest uninstalling any programs you never use in Add/Remove Programs (if unsure, ask) and cleaning out the Temp folders:

Download *TFC* to your desktop 

Open the file and close any other windows. 
It *will close all programs itself* when run, make sure to let it run uninterrupted. 
Click the Start button to begin the process. The program should not take long to finish its job 
Once it's finished it should *reboot your machine*; if not, do this yourself to ensure a complete clean

Also, it's a good idea to keep on top of removing any Temp files etc every month or so. To do this, Windows has a pretty good tool.

Go to Start | Programs | Accessories | System Tools | Disk Cleanup
It should start straight away, but if you have to select a drive, click on the C-drive.
Let it run, and at the end it will give you some boxes to tick. 
All are okay to enable, then press *OK* and then *Yes* to the question after.
It will close after its completed.

-------------
Now, we can have a look at some other folders that you have, to make sure nothing is in there. So, using SystemLook again, can you use the following code, and post the log:


```
:dir
c:\documents and settings\Administrator\Local Settings\Application Data /sub
c:\documents and settings\Finn\Local Settings\Application Data /sub
c:\documents and settings\All Users\Application Data /sub
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data /sub
C:\Windows\Installer /sub
```
It may be a long log, so if that is the case, just split it up over several replies 

Try not to upload it, as having it in the forum makes my searching easier 

eddie


----------



## Justletmepost (Mar 11, 2012)

...rrrrrgh.

How long should the parts I post my log in be, number-of-characters wise? It doesn't tell me anywhere what this forum's character limit is. I posted the first part of my log (which was itself 500 pages long in Word) over ten minutes ago and it's not showing up, despite the forum not giving me an error message or anything.


----------



## Justletmepost (Mar 11, 2012)

@hard drive space:...I don't personally consider a bit of computer slowdown due to lack of virtual memory to be a "major" problem. Or is that not what you meant?

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

Oh, twenty-five-page posts work? Hooray. This'll only take two hundred posts, then >_<

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

30 pages! Even better!

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

35!

PART 4




*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

40!

PART 5





*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

45! And I already know that 50 pages doesn't work, so 45-page posts from here on. Lovely.

PART 6

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 7



*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 8



*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 9



*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 10



*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 11





*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 12



*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 13

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 14



*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 15



*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 16

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 17



*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 18



*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 19

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 20



*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 21

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 22

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 23

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 24

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

...okay, I'm entirely sick of doing this, so stopping here for tonight. I'll resume tomorrow >_<


----------



## eddie5659 (Mar 19, 2001)

Sorry I was away most of the 4 days, as it was the Jubilee here in the UK, we got 2 days off work, and it was a great big party for the queen.

I'll have a look at this tonight


----------



## Justletmepost (Mar 11, 2012)

Just checking: should I bother posting the rest of this log? I've only posted about a fifth of it so far, and I was rather taken aback by the sheer length of it - I can't help but suspect there may have been a mistake in the systemlook script >_>


----------



## Justletmepost (Mar 11, 2012)

Yesterday I allowed Skype to update itself, and now when it tries to access my webcam (just Skype - using my webcam on its own works fine) it gives me an error

This page I found on google claims it's a registry problem: http://www.fixya.com/support/t5645989-got_error_dx

Does the fix they link to look legit to you? And if it does, is there any reason (related to the stuff you and I are currently doing with the computer) that I should hold off on doing it?


----------



## Justletmepost (Mar 11, 2012)

PART 25





*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 26

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 27

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 28

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 29

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 30

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 31

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 32

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 33

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

PART 34

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

I just realised something about this...highly swearword-worthy systemlook log.

Like 90% of the entire thing - the middle 90% of the ENTIRE THING - is comprised completely of Rosetta Stone files. 
All of them either in a subfolder of "C:\Documents and Settings\All Users\Application Data\Rosetta Stone", or a subfolder of "C:\Documents and Settings\All Users\Application Data\Rosetta Stone DEMO".

And it seems unlikely that the offending executable would have been planted somewhere so non-universal-among-users as the Rosetta Stone folders, so...for now I'm going to just skip to near the end of the systemlook log, where it stops being Rosetta Stone stuff. I'll label these parts "POST-ROSETTA PART X".
And I can resume posting the Rosetta Stone section later if necessary.


----------



## Justletmepost (Mar 11, 2012)

POST-ROSETTA PART 1

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

POST-ROSETTA PART 2

*Uploaded as attachment* eddie5659


----------



## Justletmepost (Mar 11, 2012)

POST-ROSETTA PART 3: FINAL PART!

*Uploaded as attachment* eddie5659


----------



## eddie5659 (Mar 19, 2001)

First, the easy part 

After I looked thru each page, of which I came to the same conclusion as you regarding Rosetta (think it was nearly 60% content), I uploaded each as an attachment. Researching each log was easier when you post them, so after each log, I then uploaded as txt files 

Still looking at some I've spotted, so will reply as soon as I've looked deeper.



> @hard drive space:...I don't personally consider a bit of computer slowdown due to lack of virtual memory to be a "major" problem. Or is that not what you meant?


Nope, not virtual memory. I was talking about disk space on the computer. When this becomes full, or 99% full, certain programs etc may cease to run and updates may not install. This is because, for example, when updating a program, the installer extracts all its files to a temp folder, so that it can run each part without problems. Then, usually, after the installation is complete, it removes its temp files.

If there is little space, then it can't extract the files, so no updating will occur 



> Yesterday I allowed Skype to update itself, and now when it tries to access my webcam (just skype - using my webcam on its own works fine) gives me an error
> 
> This page I found on google claims it's a registry problem: http://www.fixya.com/support/t5645989-got_error_dx
> 
> Does the fix they link to look legit to you? And if it does, is there any reason (related to the stuff you and I are currently doing with the computer) that I should hold off on doing it?


Just read the page, and have you seen that the tool spots things, but to repair the registry, you have to pay? Pretty sure we can do it for free, but the Registry is not somewhere to start deleting things, unless you know what you're doing. There are no (are you sure) buttons.

As it appears to be DirectX related, let's look at that. Can you go to Start | run and type DXDIAG and click OK.

Click Yes, if it asks about checking drivers.

Now, click on each tab, and at the bottom it will say if any problems are found.

In the first tab, can you tell me the version of DirectX you have. Also, if it says Page File, what is the amount used and left?

off to finish researching the files/folders I've seen. Back soon


----------



## eddie5659 (Mar 19, 2001)

Okay, a couple stand out. This I am pretty sure is legit, but would prefer to check anyway 

Can you run a scan on the following file as follows:

*Jotti File Submission:*

Please go to Jotti's malware scan

Copy and paste the following file path into the *"File to upload & scan"* box on the top of the page:

*c:\documents and settings\Finn\Local Settings\Application Data\obDr85xrh3QlqP\U7pQ1MNHj.va_*

 Click on the submit button

 Please post the results in your next reply.

And also do the same with this one:

*c:\documents and settings\All Users\Application Data\PACE Anti-Piracy\OFzt46UobDr85\U7pQ1MNHj.va_*

-----

Now, can you upload these for checking:

Download suspicious file packer from http://www.safer-networking.org/en/tools/index.html (direct download http://www.safer-networking.org/files/sfp.zip )

Unzip it to desktop, open it & paste in the contents of the quote box below, press next & it will create an archive (zip/cab file) on desktop

please upload that to http://www.thespykiller.co.uk/index.php?board=1.0 so we can examine the files

Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, When the file is listed in the windows press send to upload the file



> C:\Windows\Installer\{2B3737F2-2D17-4D61-ABBC-38287C99ADAE}\_2414244DD5FBE0AC956660.exe
> C:\Windows\Installer\{2B3737F2-2D17-4D61-ABBC-38287C99ADAE}\_5A10947442E9DEC783B1E8.exe
> C:\Windows\Installer\{2B3737F2-2D17-4D61-ABBC-38287C99ADAE}\_AF74854567D1B12B7C8BE5.exe
> ...


Let me know when they're uploaded


----------



## Justletmepost (Mar 11, 2012)

No problems reported in any of the dxdiag tabs.

DirectX version is 9.0c (4.09.0000.0904)

Page file: 690MB used, 3233MB available.

Scanlogs in next post.


----------



## Justletmepost (Mar 11, 2012)

results for *c:\documents and settings\Finn\Local Settings\Application Data\obDr85xrh3QlqP\U7pQ1MNHj.va_*:

0 out of 20 scanners reported malware.

2012-06-05 Found nothing
2012-06-09 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-08 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing

results for 
*c:\documents and settings\All Users\Application Data\PACE Anti-Piracy\OFzt46UobDr85\U7pQ1MNHj.va_ :*

0 out of 20 scanners reported malware.

2012-06-05 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing
2012-06-08 Found nothing
2012-06-10 Found nothing
2012-06-10 Found nothing

I'll post again when I've uploaded to thespykiller.


----------



## Justletmepost (Mar 11, 2012)

Uploaded to thespykiller.

http://thespykiller.co.uk/index.php?topic=9947.new#new


----------



## Justletmepost (Mar 11, 2012)

Oh, and another quick question.

On the 21st of June I'll be going on a trip for three weeks and won't have access to my computer. I was thinking of using the freeware Crossloop (http://www.crossloop.com/) to remotely control it (getting my parents to switch it on for me each time by phone) and continue running scans etc. Do you foresee any problems with this?


----------



## eddie5659 (Mar 19, 2001)

I can't see any problems with it, but then I've never remote connected with anyone 

I'll check with others if they have used it, and if its not a bad one


----------



## eddie5659 (Mar 19, 2001)

Just been asking about this, and I'll be looking at your replies tonight before the England match (football), and they can't see any problems with the site, but Logmein is recommended as well. Not sure if it's free. I'll ask


----------



## eddie5659 (Mar 19, 2001)

As for the files, I had a look last night and it's strange. They're uploaded correctly, but when I extract them, they become different file types.

As they're small, can you attach one here.

To do so, without zipping, do this:

Open Windows Explorer, and at the top, select Tools | Options. In there, under the View tab, make sure *Hide Extensions for known File types* is unticked, apply and ok.

Then, navigate to this:

*C:\Windows\Installer\{2B3737F2-2D17-4D61-ABBC-38287C99ADAE}\_2414244DD5FBE0AC956660.exe*

(if it's not there, it may be hidden. In Folder Options, select Show Hidden Files/Folders)

Rightclick on it and select Rename. Rename it to

*_2414244DD5FBE0AC956660.txt*

Select Yes if it says about changing file type.

Then, click on the *Go Advanced* button for the uploading options at the bottom of this page (in the picture below)

In there, at the bottom, click on the button *Manage Attachments* (in the picture below).
A window will appear, and then Browse to *_2414244DD5FBE0AC956660.txt*.
Click Upload, and when uploaded click *Close this Window*
Then, in the previous window, click on *Add Reply*

Then, after that's done, go back to the file, rename it like you did as before, but back to *_2414244DD5FBE0AC956660.exe*

Then, back to Folder Options and hide extensions again (and hide folders if you had to unhide) 

I can then download it and rename it back to exe for looking at fully 

eddie


----------



## eddie5659 (Mar 19, 2001)

Yep, it's free and many use it 

https://secure.logmein.com/products/free/


----------



## Justletmepost (Mar 11, 2012)

I have files set to display their extensions by default, actually  I rarely bother to re-hide hidden folders, either. Anyway, here you go.


----------



## Justletmepost (Mar 11, 2012)

...well, while I'm waiting, another question.
Throughout my correspondence on this forum, I've had no firewall installed/active beyond the basic Windows Firewall. Partly because I knew that would remove the concern of conflicts with whatever scans/tools you get me to run, and partly because I didn't expect this all to take anything like this long.
Shall I continue to put off installing a firewall again until we're all done, or do you think it's worth getting right on that?
Whenever I do set up a firewall again, I'm not altogether sure what I want to go with. I was always happy with Bullguard before, but after this fiasco...suffice to say, I'm not impressed.
ZoneAlarm seems easy enough to deal with since I installed it on the other computer I've been using...except for its tendency to strangle the computer seemingly at random during certain activities, even if they're given full permissions in ZoneAlarm's settings - notably Skype chats. I can be talking for twenty minutes without problems, and then suddenly ZA's vsmon.exe process will snatch 100% of the CPU until I kill it. Blah.


----------



## eddie5659 (Mar 19, 2001)

I try to avoid recommending ZoneAlarm, as it uses Checkpoint software, which is partially Conduit. This is one of the main things we try and remove from people's systems, so why Zonelabs decided to go into partnership with this is totally strange.

Saying that, have a look here at some firewalls. I just have Windows Firewall, but then I'm on Win7:

http://www.geekstogo.com/forum/topic/38-free-antivirus-and-antispyware-software

Scroll down to firewalls on the link.

------

Now, I tried looking at the file, but it comes back all okay, so it looks like that route is out.

I'm just asking others about this, and there is one suggestion, but after this, I'm running out of ideas. Due to running low on space, and having a partial registry hive transplant that could be causing problems, a format/restore may be the best option.

But, if you want, we can try the other idea first.


----------



## Justletmepost (Mar 11, 2012)

...well, tell me what the other idea IS, at least xD. After taking so long trying to fix it (or rather, for a while now, just to establish whether I even still have a virus or not - I'm starting to suspect that combofix's report of a rootkit may have something to do with my unusual registry) I'm obviously EXTREMELY RELUCTANT to format my computer NOW when I could have done that immediately at the beginning.


----------



## eddie5659 (Mar 19, 2001)

Oki doki, I was hoping you would say that, so when I get home (have to work late tonight, and it's our crucial match in the Euros), I'll post it up. Just need to double-check what is being posted.


----------



## eddie5659 (Mar 19, 2001)

We won, Italy next round.

Okay, back to PCs.

Open Windows Explorer, and see if you can find this file:

*C:\windows\ntbtlog.txt*

If you can, delete it (or move it to another folder) and then do this:

Restart the computer
Just before the XP loading screen starts hit F8 as if going to safe mode.
From the advanced boot menu choose *"enable boot logging"* then hit enter.
Post the following file:

C:\windows\ntbtlog.txt

eddie


----------



## Justletmepost (Mar 11, 2012)

Finally. I'm on my trip, and I couldn't do the boot logging thing remotely because I can't assume control until Windows has finished loading. So I had to walk my mother through doing it for me. Not easy.
Also after her first (failed) attempt, when she turned the computer off she allowed Windows to install updates, as I've been specifically avoiding doing for so long now. So hopefully it'll turn out not to matter...? >_< (I see it still has more updates to install if I let it, actually)

===========================
*ntbtlog.txt*
===========================

Service Pack 3 6 22 2012 19:02:22.375
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS
Loaded driver \WINDOWS\System32\DRIVERS\1394BUS.SYS
Loaded driver ACPI.sys
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver pciide.sys
Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver cbidf2k.sys
Loaded driver \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Loaded driver disk.sys
Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver viaagp.sys
Loaded driver sisagp.sys
Loaded driver RapportKELL.sys
Loaded driver Mup.sys
Loaded driver amdagp.sys
Loaded driver alim1541.sys
Loaded driver agpCPQ.sys
Loaded driver agp440.sys
Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\system32\DRIVERS\nv4_mini.sys
Loaded driver \SystemRoot\System32\DRIVERS\e1e5132.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\System32\DRIVERS\HDAudBus.sys
Loaded driver \SystemRoot\System32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\System32\DRIVERS\serial.sys
Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\DRIVERS\lmimirr.sys
Loaded driver \SystemRoot\system32\DRIVERS\LVUSBSta.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\LVUSBSta.sys
Loaded driver \SystemRoot\system32\DRIVERS\LVUSBSta.sys
Loaded driver \SystemRoot\system32\DRIVERS\LVUSBSta.sys
Loaded driver \SystemRoot\system32\DRIVERS\LVUSBSta.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\DRIVERS\LVUSBSta.sys
Loaded driver \SystemRoot\system32\drivers\RtkHDAud.sys
Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
Loaded driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Loaded driver 
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\ws2ifsl.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\arp1394.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
Loaded driver \??\C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\lvuvcflt.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbccgp.sys
Loaded driver \SystemRoot\system32\DRIVERS\LVUSBSta.sys
Loaded driver \SystemRoot\system32\DRIVERS\lvuvc.sys
Loaded driver \SystemRoot\system32\drivers\usbaudio.sys
Loaded driver \SystemRoot\system32\DRIVERS\lvrs.sys
Loaded driver \SystemRoot\system32\DRIVERS\radpms.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \??\C:\Documents and Settings\Finn\Desktop\hw32_236\HWiNFO32.SYS
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \??\C:\Program Files\LogMeIn\x86\RaInfo.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
Loaded driver \SystemRoot\system32\DRIVERS\mdmxsdk.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\DRIVERS\LVPr2Mon.sys
Loaded driver \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS


----------
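The boot log posted above is the kind of artefact a responder reads by hand for a handful of things: drivers that failed to load, drivers loaded from somewhere other than the Windows or Program Files trees, repeated entries, and the odd empty `Loaded driver` line. The Python below is an added example, not code from this thread or from any tool mentioned in it; it parses a constructed sample built from a few of the posted lines and reports those points. The path prefixes it treats as normal load locations are an assumption for an XP-era layout, and a flag is a prompt to verify, not a verdict: the one entry it flags in the sample is the driver of HWiNFO32, a hardware-monitoring utility that was run from the Desktop.

```python
"""Triage helper for a Windows XP ntbtlog.txt boot log.

Added example, not code from the thread: parses the "Loaded driver" /
"Did not load driver" lines that boot logging writes and summarises what a
responder looks for in them.
"""
import re
from collections import Counter

# Constructed sample: a handful of lines in the same shape as the posted ntbtlog.txt.
SAMPLE_NTBTLOG = r"""Service Pack 3 6 22 2012 19:02:22.375
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver ACPI.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\DRIVERS\LVUSBSta.sys
Loaded driver \SystemRoot\system32\DRIVERS\LVUSBSta.sys
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
Loaded driver \??\C:\Documents and Settings\Finn\Desktop\hw32_236\HWiNFO32.SYS
Loaded driver \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
Loaded driver 
"""

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s*(.*?)\s*$")

# Assumed normal load locations for an XP install on C:. A driver loaded from
# elsewhere is not automatically malicious (a tool run from the Desktop is the
# common benign case), but it is the entry to verify first.
SYSTEM_PREFIXES = (
    r"\windows\system32",
    r"\systemroot\system32",
    r"\??\c:\windows\system32",
)
PROGRAM_FILES_PREFIXES = (r"\??\c:\program files",)


def parse_ntbtlog(text):
    """Return [(loaded, path), ...] for every driver line in the log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line ("Service Pack 3 ...") or blank line
        entries.append((m.group(1) == "Loaded driver", m.group(2)))
    return entries


def classify_location(path):
    """Bucket a driver path by where it was loaded from."""
    p = path.lower()
    if not p:
        return "empty"          # a "Loaded driver" line with no path, as in the posted log
    if "\\" not in p:
        return "bare"           # early boot-start driver named without a path
    if p.startswith(SYSTEM_PREFIXES):
        return "system"
    if p.startswith(PROGRAM_FILES_PREFIXES):
        return "program files"
    return "unusual"            # user profile, Desktop, temp directories, ...


def triage(text):
    """Summarise a boot log: counts, load failures, odd locations, repeats."""
    entries = parse_ntbtlog(text)
    loaded = [path for ok, path in entries if ok]
    return {
        "loaded": len(loaded),
        "not_loaded": [path for ok, path in entries if not ok],
        "unusual": [path for path in loaded if classify_location(path) == "unusual"],
        "empty_entries": sum(1 for path in loaded if classify_location(path) == "empty"),
        # Repeated entries are common for multi-interface USB devices, so this
        # is reported for context rather than treated as an alert.
        "repeated": {path: n for path, n in Counter(loaded).items() if n > 1},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NTBTLOG).items():
        print(f"{key}: {value}")
```

To run it over a real log, read `C:\windows\ntbtlog.txt` into a string and pass it to `triage()`; the "Did not load driver" list and the "unusual" list are the two sections worth checking line by line against what is actually installed.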



## eddie5659 (Mar 19, 2001)

Okay, looks like it's starting from both versions of Windows, so that may be the reason for the conflicting messages coming up.

You may want to do this part when you're home, as if the wrong version of Windows is picked, it may have problems.

What I would suggest at this point, is to backup anything you want to keep (just in case) and then perform a repair of Windows. However, when it boots up and asks which installation to repair, this is when you select the one currently in use (the one with the largest partition) as the other is pointless in repairing.

Now, this may/may not work, and if it doesn't you may have to do a complete reformat and install again, so just letting you know that in advance.

This is how to do the repair:

http://www.geekstogo.com/forum/topic/138-how-to-repair-windows-xp/

Any questions before you start, just ask


----------



## Justletmepost (Mar 11, 2012)

....yes, I'd better wait until I can do that in person myself...on the 13th of July...isn't there ANYTHING else I can do before then...? >_<

Anyway...what would repairing Windows (or if that fails, reformatting/reinstalling) be achieving, exactly? Getting rid of the rootkit (if it exists)? Or just fixing the remaining little odd behaviours? I've been putting up with a couple of odd little behaviours ever since the registry transplant - I can put up with a couple more easily. I'm just looking to establish whether or not I still have a virus at this point. So long as the computer's functional (which it basically seems to be right now) and I don't have to worry about my data / security details being stolen, I'm happy.

Oh, and as to backing up my stuff in preparation for this...all this time I've been hanging onto the full drive backup from back at the start of this topic. Just in case any of the procedures I go through cause some kind of damage, so I can start over. Is it at all possible that's the case with anything we've done so far (in which case I have nowhere left to backup the current state of my drive to, short of buying a new drive), or is there no reason for me not to overwrite that old backup?


----------



## eddie5659 (Mar 19, 2001)

Hi

Yep, all the repair would do is remove the rootkit message, if it would work, as it isn't usual to have two versions of Windows where one works and one doesn't, but the one that doesn't is the one that is starting your working version.

However, it's entirely up to you.

Apart from the rootkit message that keeps popping up, which it's to be assumed is on the 'other Windows', you seem to be fully clear of malware.

As for the backup you already created a while back, that will be infected as we didn't remove anything from there (well, not that I can recall), so I would format that one. But, you may want to make a backup of this current system, just in case something goes screwy in the future.

If you're happy with the computer as it is, then I can remove the tools we've used, and you're good to go.

Again, I'll wait for your reply first.

eddie


----------



## Justletmepost (Mar 11, 2012)

Ah, here's a question.

If the rootkit message is on the other windows, the vestigial one...that ought to be on a different partition, so....maybe I could just format that partition, and see if that achieves anything...?


----------



## eddie5659 (Mar 19, 2001)

I've been checking on this issue with a few others, and we all came to the same conclusion.

As it looks like your computer is booting up using both versions of Windows, removing one by formatting it may cause the whole system to be unbootable.

I must admit, it's not a common issue, hence the discussions with others trying to work out the problems that we've been trying with yourself.

I would advise you to leave the other partition alone, due to this issue. Or, a complete format will solve it all, but that's a route you said you don't want to take.


----------



## Justletmepost (Mar 11, 2012)

*sigh* >_<

For backing up my drive again.... >_<

I was going to do a full drive backup to that external drive via a third computer with DriveImageXML again (on the grounds that if I backup directly from this computer while it's turned on it presumably won't be able to backup system files that are currently in use)...but while I was in America, something in that third computer's hardware seems to have got worn out and it's making some funky noises. So I'm concerned about the possibility of that computer crashing while it's carrying out the backup. If it did, could it corrupt the data on the drive it's copying from?

If the answer to that is "yes"...there's another computer I could borrow, but I've been avoiding any contact whatsoever between my computer and that computer since this all started because I don't want any risk of that computer getting a virus. Is it possible at this point that that could happen as a result of that computer copying everything on my computer's hard drive to another hard drive, both connected by USB to that computer?


----------



## Justletmepost (Mar 11, 2012)

...ha. hahaha.

First, a question just to check: If I make a full drive copy using the likes of DriveImage XML, and then later copy that back to the original drive, I'll be able to boot up Windows from it just as before the backup. Right? I have no idea why this WOULDN'T be the case, but just making sure.

Now. It turns out I can't find my product key anywhere to do the repair, and upon running KeyFinder, it shows my product key for...Windows XP Media Center Edition, which was the OS of the computer before this one, from which I did that partial registry transplant to this one. If I'm right about the nature of the full drive backup in my question above, then I'll just go ahead and try it regardless, but will a product key for XP Media Center (which, as I recall, is an embellished XP Home) work for XP Pro (which is the actual OS installed on this computer - both times)?


----------



## eddie5659 (Mar 19, 2001)

The key that you have for XP Media Centre won't work for XP Home. Now that I know where the registry transplant was from, that may be where some of the issues you were having are from.

For the key, look for either the Windows CD box or the booklet that came with the PC, as that should have the Windows key that you need. Sometimes, some PCs have it stuck to the side of the actual computer case.

As for the backup, I would suggest just the actual files, like media or pictures etc. Backing up the entire system may result in the same thing you're experiencing now.

eddie


----------

