Gemma

Everything posted by Gemma

  1. Hi Kevin, Yes, my computer is running fine now so you can close out. Thank you very much for your assistance. And thank you for the link re PC security and best practices. I will take the advice. Cheers, Gemma
  2. Hi Kevin, While following your instruction links, I found Vosteran listed as a search engine in Google Chrome so I deleted it. Below is the log and I no longer have Vosteran opening every time I open Chrome. Thanks for your help, it's greatly appreciated! Gemma

     ---------------------------------------------------------------------------------------
     Microsoft Windows Malicious Software Removal Tool v5.18, November 2014 (build 5.18.10802.0)
     Started On Fri Nov 28 22:07:25 2014

     Engine: 1.1.11104.0
     Signatures: 1.187.1116.0

     Results Summary:
     ----------------
     No infection found.

     Microsoft Windows Malicious Software Removal Tool Finished On Fri Nov 28 22:18:29 2014
     Return code: 0 (0x0)
  3. I am having so much trouble trying to upload these posts. I keep getting a message that says "Your post was too long. Please go back and shorten it a little". So I have attached the Zoek log. I hope this is ok. And yes, Vosteran Search is still opening in the second tab in Google Chrome. Cheers, Gemma

     Attachment: zoek-results.txt
  4. Hi Kevin, Apparently the post is too long with both logs so I will try (again) to post them, separately this time...

     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 28/11/2014
     Scan Time: 5:50:58 PM
     Logfile: Mbam.txt
     Administrator: Yes

     Version: 2.00.3.1025
     Malware Database: v2014.11.28.03
     Rootkit Database: v2014.11.22.01
     License: Premium
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Disabled

     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: UNICORN

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 308596
     Time Elapsed: 9 min, 11 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0
     (No malicious items detected)

     Modules: 0
     (No malicious items detected)

     Registry Keys: 0
     (No malicious items detected)

     Registry Values: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Folders: 0
     (No malicious items detected)

     Files: 0
     (No malicious items detected)

     Physical Sectors: 0
     (No malicious items detected)

     (end)
  5. Hi, I have recently had to install a new hard drive after my computer took a fall and I've been reinstalling all the software and drivers needed. I noticed two days ago that when I open Google Chrome, a second tab appears with "Vosteran Search". After googling I realised this is malware. I have tried using Malwarebytes Pro, Bitdefender, AdwCleaner, JRT, uninstalled from programs and removed the extension in Google Chrome but I still can't get rid of it!!! Please help! Logs attached. Too long to post in message apparently... Thanks, Gemma

     Attachments: FRST.txt, Addition.txt
  6. Merry Christmas MrC! I hope you're having a good one. I followed your last link with instructions and the following IP address always appears first: 66.223.50.32. When I checked the PID in Task Manager it is linked to vsserv.exe. I tried to end the process as suggested but I get the message "Operation could not be completed. Access is denied." I realise that vsserv.exe is used by Bitdefender so I tried shutting that down but the exe file still seems to be running and is still using a fair amount of memory, varying between 2,000 KB - 37,000 KB, usually at the higher end. I am not sure what to do now...
  7. It seems to be running ok but I still have this error message appearing in system logs today:

     Event Type: Warning
     Event Source: Tcpip
     Event Category: None
     Event ID: 4226
     Date: 22/12/2012
     Time: 7:58:11 AM
     User: N/A
     Computer: TONKA
     Description: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
     Data:
     0000: 00 00 00 00 01 00 54 00   ......T.
     0008: 00 00 00 00 82 10 00 80   ....
  8. Ok, I found & fixed it. It was something called ROOT\LEGACY\SASKUTIL\0000 which was left behind when I uninstalled SuperAntiSpyware. So I downloaded an uninstall file to remove it from bleepingcomputer.com, rebooted and no more new device wizard!
  9. I followed your instructions and Windows Update works now. And the last two reboots have been quick as they should be with no system error logs. I do still keep getting the new hardware wizard box appearing every time I reboot and I just select cancel as the hardware listed is "unknown". Windows Update didn't show that any updates for hardware were required and neither has FileHippo.
  10. Sorry for the multiple posts but I also noticed in the system event list that updates (Windows I think) have been terminated many times so I opened Internet Explorer and tried to check Windows Update but I get the following:

      "Files required to use Windows Update are no longer registered or installed on your computer. To continue: Register or reinstall the files for me now (Recommended) / Let me read about more steps that might be required to solve the problem"

      It then comes up with this:

      "Download and install the latest updating software. Registering: 100%..."

      And then after 10 seconds or so, I get this:

      "The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem. For self-help options: Frequently Asked Questions / Find Solutions / Windows Update Newsgroup. For assisted support options: Microsoft Online Assisted Support (no-cost for Windows Update issues)"
  11. Shortly after I posted the above I had the blue screen of death again. I checked the system errors and I have had this message a few times in the past month. Not sure if it is relevant with my other PC issues!

      Event Type: Error
      Event Source: System Error
      Event Category: (102)
      Event ID: 1003
      Date: 20/12/2012
      Time: 8:16:24 PM
      User: N/A
      Computer: TONKA
      Description: Error code 1000008e, parameter1 c0000005, parameter2 bf8488a2, parameter3 b2300ae4, parameter4 00000000. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
      Data:
      0000: 53 79 73 74 65 6d 20 45   System E
      0008: 72 72 6f 72 20 20 45 72   rror  Er
      0010: 72 6f 72 20 63 6f 64 65   ror code
      0018: 20 31 30 30 30 30 30 38    1000008
      0020: 65 20 20 50 61 72 61 6d   e  Param
      0028: 65 74 65 72 73 20 63 30   eters c0
      0030: 30 30 30 30 30 35 2c 20   000005,
      0038: 62 66 38 34 38 38 61 32   bf8488a2
      0040: 2c 20 62 32 33 30 30 61   , b2300a
      0048: 65 34 2c 20 30 30 30 30   e4, 0000
      0050: 30 30 30 30               0000
  12. My PC is booting up faster than before but I had that new hardware wizard box appear when my user desktop loaded again today. Next to the name of the hardware it says "unknown". I cancelled out again. Latest log is below:
  13. Ok, I uninstalled Spybot & SuperAntiSpyware and rebooted. On reboot prior to my user desktop appearing, a new hardware wizard box appeared asking me where I wanted to search for install software. I had to select from local (recommended) or disc so I picked local, then a box appeared to select cancel so I did. My PC then loaded my user desktop as normal...
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: H:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012/12/16 19:33:27 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\bdThunderbird@bitdefender.com: H:\Program Files\Bitdefender\Bitdefender 2013\bdtbext [2012/09/06 11:56:29 | 000,000,000 | ---D | M] ========== Chrome ========== CHR - homepage: http://www.google.com CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}, CHR - homepage: http://www.google.com CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\Application\23.0.1271.97\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\Application\23.0.1271.97\pdf.dll CHR - plugin: Shockwave Flash (Enabled) = H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\Application\23.0.1271.97\gcswf32.dll CHR - plugin: Shockwave Flash (Disabled) = H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll CHR - plugin: Adobe Acrobat (Enabled) = H:\Program Files\Adobe\Reader 
10.0\Reader\Browser\nppdf32.dll CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = H:\Program Files\QuickTime\plugins\npqtplugin.dll CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = H:\Program Files\QuickTime\plugins\npqtplugin2.dll CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = H:\Program Files\QuickTime\plugins\npqtplugin3.dll CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = H:\Program Files\QuickTime\plugins\npqtplugin4.dll CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = H:\Program Files\QuickTime\plugins\npqtplugin5.dll CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = H:\Program Files\QuickTime\plugins\npqtplugin6.dll CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = H:\Program Files\QuickTime\plugins\npqtplugin7.dll CHR - plugin: Microsoft\u00AE DRM (Enabled) = H:\Program Files\Windows Media Player\npdrmv2.dll CHR - plugin: Microsoft\u00AE DRM (Enabled) = H:\Program Files\Windows Media Player\npwmsdrm.dll CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = H:\Program Files\Windows Media Player\npdsplay.dll CHR - plugin: ABR_AUSkey Mozilla Plugin (Enabled) = H:\Documents and Settings\Gemma\Local Settings\Application Data\ABR\Plug-In\bin\npAUSkeyPlugin.dll CHR - plugin: Google Update (Enabled) = H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll CHR - plugin: CSI Mozilla Plugin (Enabled) = H:\Program Files\Common-Use Signing Interface\bin\npCsiPlugin.dll CHR - plugin: DivX VOD Helper Plug-in (Enabled) = H:\Program Files\DivX\DivX OVS Helper\npovshelper.dll CHR - plugin: DivX Plus Web Player (Enabled) = H:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll CHR - plugin: iTunes Application Detector (Enabled) = H:\Program Files\iTunes\Mozilla Plugins\npitunes.dll CHR - plugin: Windows Presentation Foundation (Enabled) = H:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll CHR - plugin: Shockwave for Director (Disabled) = 
H:\WINDOWS\system32\Adobe\Director\np32dsw.dll CHR - Extension: YouTube = H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\ CHR - Extension: Google Search = H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\ CHR - Extension: DivX Plus Web Player HTML5 \u003Cvideo\u003E = H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.2.145_0\ CHR - Extension: Gmail = H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\ O1 HOSTS File: ([2012/12/19 06:18:11 | 000,444,027 | R--- | M]) - H:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: 127.0.0.1 www.007guard.com O1 - Hosts: 127.0.0.1 007guard.com O1 - Hosts: 127.0.0.1 008i.com O1 - Hosts: 127.0.0.1 www.008k.com O1 - Hosts: 127.0.0.1 008k.com O1 - Hosts: 127.0.0.1 www.00hq.com O1 - Hosts: 127.0.0.1 00hq.com O1 - Hosts: 127.0.0.1 010402.com O1 - Hosts: 127.0.0.1 www.032439.com O1 - Hosts: 127.0.0.1 032439.com O1 - Hosts: 127.0.0.1 www.0scan.com O1 - Hosts: 127.0.0.1 0scan.com O1 - Hosts: 127.0.0.1 www.1000gratisproben.com O1 - Hosts: 127.0.0.1 1000gratisproben.com O1 - Hosts: 127.0.0.1 1001namen.com O1 - Hosts: 127.0.0.1 www.1001namen.com O1 - Hosts: 127.0.0.1 100888290cs.com O1 - Hosts: 127.0.0.1 www.100888290cs.com O1 - Hosts: 127.0.0.1 www.100sexlinks.com O1 - Hosts: 127.0.0.1 100sexlinks.com O1 - Hosts: 127.0.0.1 www.10sek.com O1 - Hosts: 127.0.0.1 10sek.com O1 - Hosts: 127.0.0.1 www.1-2005-search.com O1 - Hosts: 127.0.0.1 1-2005-search.com O1 - Hosts: 15277 more lines... 
O2 - BHO: (Bing Bar Helper) - {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - H:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.) O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - H:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC) O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (no name) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No CLSID value found. O2 - BHO: (no name) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - No CLSID value found. O2 - BHO: (no name) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - No CLSID value found. O3 - HKLM\..\Toolbar: (Bing Bar) - {eec0f710-38b5-4aba-99bf-ec87564a4e13} - H:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.) O3 - HKU\S-1-5-21-1645522239-1993962763-839522115-1004\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found. O4 - HKLM..\Run: [APSDaemon] H:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.) O4 - HKLM..\Run: [bdagent] H:\Program Files\Bitdefender\Bitdefender 2013\bdagent.exe (Bitdefender) O4 - HKLM..\Run: [DivXMediaServer] H:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe () O4 - HKLM..\Run: [DivXUpdate] H:\Program Files\DivX\DivX Update\DivXUpdate.exe () O4 - HKLM..\Run: [NvCplDaemon] H:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] H:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation) O4 - HKLM..\Run: [nwiz] H:\Program Files\NVIDIA Corporation\nview\nwiz.exe () O4 - HKU\S-1-5-21-1645522239-1993962763-839522115-1004..\Run: [FileHippo.com] H:\Program Files\FileHippo.com\UpdateChecker.exe (FileHippo.com) O4 - HKU\S-1-5-21-1645522239-1993962763-839522115-1004..\Run: [HP Photosmart 6510 series (NET)] H:\Program Files\HP\HP Photosmart 6510 series\Bin\ScanToPCActivationApp.exe (Hewlett-Packard Co.) 
O4 - Startup: H:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-1645522239-1993962763-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-1645522239-1993962763-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\S-1-5-21-1645522239-1993962763-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 
67108863 O7 - HKU\S-1-5-21-1645522239-1993962763-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\S-1-5-21-1645522239-1993962763-839522115-1010\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-1645522239-1993962763-839522115-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - H:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1353196746656 (WUWebControl Class) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1348748221718 (MUWebControl Class) O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class) O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.) 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0D9776FA-00BD-402A-9319-AAA9F5A244A1}: DhcpNameServer = 10.1.1.1 O20 - HKLM Winlogon: Shell - (Explorer.exe) - H:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (H:\WINDOWS\system32\userinit.exe) - H:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2012/12/20 07:56:40 | 000,602,112 | ---- | C] (OldTimer Tools) -- H:\Documents and Settings\Gemma\Desktop\OTL.exe [2012/12/19 21:57:02 | 000,000,000 | ---D | C] -- H:\Program Files\AGEIA Technologies [2012/12/19 18:11:19 | 000,000,000 | ---D | C] -- H:\Documents and Settings\Gemma\Desktop\mbar [2012/12/18 23:44:40 | 000,000,000 | RH-D | C] -- H:\Documents and Settings\Gemma\Recent [2012/12/18 22:31:59 | 000,000,000 | -HSD | C] -- H:\RECYCLER [2012/12/18 22:02:45 | 000,518,144 | ---- | C] (SteelWerX) -- H:\WINDOWS\SWREG.exe [2012/12/18 22:02:45 | 000,406,528 | ---- | C] (SteelWerX) -- H:\WINDOWS\SWSC.exe [2012/12/18 22:02:45 | 000,212,480 | ---- | C] (SteelWerX) -- H:\WINDOWS\SWXCACLS.exe [2012/12/18 22:02:45 | 000,060,416 | ---- | C] (NirSoft) -- H:\WINDOWS\NIRCMD.exe [2012/12/18 22:02:35 | 000,000,000 | ---D | C] -- H:\Qoobox [2012/12/18 21:54:15 | 005,012,571 | R--- | C] (Swearware) -- H:\Documents and Settings\Gemma\Desktop\ComboFix.exe [2012/12/18 21:47:17 | 
000,000,000 | ---D | C] -- M:\Gemma's Stuff\ProcAlyzer Dumps [2012/12/18 08:11:05 | 000,000,000 | ---D | C] -- H:\Documents and Settings\All Users\Start Menu\Programs\iTunes [2012/12/18 08:10:32 | 000,000,000 | ---D | C] -- H:\Program Files\iPod [2012/12/18 08:10:26 | 000,000,000 | ---D | C] -- H:\Program Files\iTunes [2012/12/18 08:10:26 | 000,000,000 | ---D | C] -- H:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1 [2012/12/17 19:31:00 | 000,000,000 | ---D | C] -- H:\Documents and Settings\Gemma\Desktop\RK_Quarantine [2012/12/17 10:28:21 | 000,688,992 | R--- | C] (Swearware) -- H:\Documents and Settings\Gemma\Desktop\dds.com [2012/12/16 19:37:27 | 000,000,000 | ---D | C] -- H:\Documents and Settings\Gemma\Application Data\DDMSettings [2012/12/16 19:25:35 | 000,000,000 | ---D | C] -- H:\Documents and Settings\All Users\Start Menu\Programs\CCleaner [2012/12/01 18:57:25 | 000,000,000 | ---D | C] -- H:\Other Videos [2012/11/25 14:17:54 | 000,000,000 | ---D | C] -- H:\Program Files\Spybot - Search & Destroy 2 [2012/11/25 14:10:49 | 000,000,000 | ---D | C] -- H:\Program Files\CCleaner ========== Files - Modified Within 30 Days ========== [2012/12/20 08:01:00 | 000,000,332 | ---- | M] () -- H:\WINDOWS\tasks\HP Photo Creations Messager.job [2012/12/20 07:56:42 | 000,602,112 | ---- | M] (OldTimer Tools) -- H:\Documents and Settings\Gemma\Desktop\OTL.exe [2012/12/20 07:56:37 | 000,484,544 | ---- | M] () -- H:\WINDOWS\System32\perfh009.dat [2012/12/20 07:56:37 | 000,080,814 | ---- | M] () -- H:\WINDOWS\System32\perfc009.dat [2012/12/20 07:53:15 | 000,000,830 | ---- | M] () -- H:\WINDOWS\tasks\Adobe Flash Player Updater.job [2012/12/20 07:52:07 | 000,002,048 | --S- | M] () -- H:\WINDOWS\bootstat.dat [2012/12/19 21:55:28 | 001,070,792 | ---- | M] () -- H:\WINDOWS\System32\nvdrsdb1.bin [2012/12/19 21:55:28 | 000,000,001 | ---- | M] () -- H:\WINDOWS\System32\nvdrssel.bin [2012/12/19 21:55:24 | 001,070,792 | ---- | M] () -- 
H:\WINDOWS\System32\nvdrsdb0.bin [2012/12/19 21:27:52 | 000,013,646 | ---- | M] () -- H:\WINDOWS\System32\wpa.dbl [2012/12/19 21:27:00 | 000,000,978 | ---- | M] () -- H:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1004UA.job [2012/12/19 21:26:00 | 000,000,994 | ---- | M] () -- H:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1005UA.job [2012/12/19 20:40:00 | 000,000,460 | ---- | M] () -- H:\WINDOWS\tasks\At2.job [2012/12/19 19:37:43 | 000,035,144 | ---- | M] () -- H:\WINDOWS\System32\drivers\mbamchameleon.sys [2012/12/19 18:10:55 | 013,485,902 | ---- | M] () -- H:\Documents and Settings\Gemma\Desktop\mbar-1.01.0.1011.zip [2012/12/19 06:18:11 | 000,444,027 | R--- | M] () -- H:\WINDOWS\System32\drivers\etc\hosts [2012/12/19 06:15:44 | 000,444,027 | R--- | M] () -- H:\WINDOWS\System32\drivers\etc\hosts.20121219-061811.backup [2012/12/18 22:43:00 | 000,000,460 | ---- | M] () -- H:\WINDOWS\tasks\At3.job [2012/12/18 22:14:59 | 000,000,027 | ---- | M] () -- H:\WINDOWS\System32\drivers\etc\hosts.20121219-061544.backup [2012/12/18 21:55:06 | 005,012,571 | R--- | M] (Swearware) -- H:\Documents and Settings\Gemma\Desktop\ComboFix.exe [2012/12/18 21:47:12 | 000,000,360 | RHS- | M] () -- H:\boot.ini [2012/12/18 08:11:05 | 000,001,542 | ---- | M] () -- H:\Documents and Settings\All Users\Desktop\iTunes.lnk [2012/12/17 19:20:43 | 000,148,400 | ---- | M] () -- H:\WINDOWS\System32\FNTCACHE.DAT [2012/12/17 10:28:23 | 000,688,992 | R--- | M] (Swearware) -- H:\Documents and Settings\Gemma\Desktop\dds.com [2012/12/16 19:33:29 | 000,001,371 | ---- | M] () -- H:\Documents and Settings\Gemma\Desktop\DivX Movies.lnk [2012/12/16 19:33:17 | 000,000,777 | ---- | M] () -- H:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk [2012/12/16 19:33:05 | 000,000,817 | ---- | M] () -- H:\Documents and Settings\All Users\Desktop\DivX Plus Converter.lnk [2012/12/16 19:29:52 | 000,002,262 | ---- | M] () -- H:\Documents and 
Settings\Gemma\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk [2012/12/16 19:29:51 | 000,002,284 | ---- | M] () -- H:\Documents and Settings\Gemma\Desktop\Google Chrome.lnk [2012/12/16 19:25:57 | 000,001,632 | ---- | M] () -- H:\Documents and Settings\Gemma\Desktop\Update Checker.lnk [2012/12/16 19:25:35 | 000,000,682 | ---- | M] () -- H:\Documents and Settings\All Users\Desktop\CCleaner.lnk [2012/12/16 19:00:00 | 000,000,256 | ---- | M] () -- H:\WINDOWS\tasks\Malwarebytes' Anti-Malware.job [2012/12/11 19:00:56 | 000,242,504 | ---- | M] (BitDefender) -- H:\WINDOWS\System32\drivers\avchv.sys [2012/12/04 02:40:50 | 002,283,884 | ---- | M] () -- H:\WINDOWS\System32\nvdata.data [2012/12/04 02:40:50 | 000,012,951 | ---- | M] () -- H:\WINDOWS\System32\nvinfo.pb [2012/12/03 22:24:42 | 000,000,664 | ---- | M] () -- H:\WINDOWS\System32\d3d9caps.dat [2012/12/01 19:00:10 | 000,000,260 | ---- | M] () -- H:\WINDOWS\tasks\Disk Cleanup.job [2012/11/26 16:27:01 | 000,000,926 | ---- | M] () -- H:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1004Core.job [2012/11/26 14:26:00 | 000,000,942 | ---- | M] () -- H:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1005Core.job [2012/11/26 14:00:00 | 000,000,460 | ---- | M] () -- H:\WINDOWS\tasks\At4.job [2012/11/25 22:14:21 | 000,000,164 | ---- | M] () -- M:\Gemma's Stuff\cc_20121125_221416.reg [2012/11/25 22:14:00 | 000,000,830 | ---- | M] () -- M:\Gemma's Stuff\cc_20121125_221338.reg [2012/11/25 22:13:21 | 000,213,628 | ---- | M] () -- M:\Gemma's Stuff\cc_20121125_220713.reg [2012/11/25 16:35:44 | 000,444,088 | R--- | M] () -- H:\WINDOWS\System32\drivers\etc\hosts.20121126-153422.backup [2012/11/25 16:35:18 | 000,444,088 | R--- | M] () -- H:\WINDOWS\System32\drivers\etc\hosts.20121125-163544.backup ========== Files Created - No Company Name ========== [2012/12/19 19:37:43 | 000,035,144 | ---- | C] () -- H:\WINDOWS\System32\drivers\mbamchameleon.sys 
[2012/12/19 07:36:31 | 013,485,902 | ---- | C] () -- H:\Documents and Settings\Gemma\Desktop\mbar-1.01.0.1011.zip [2012/12/18 22:02:45 | 000,256,000 | ---- | C] () -- H:\WINDOWS\PEV.exe [2012/12/18 22:02:45 | 000,208,896 | ---- | C] () -- H:\WINDOWS\MBR.exe [2012/12/18 22:02:45 | 000,098,816 | ---- | C] () -- H:\WINDOWS\sed.exe [2012/12/18 22:02:45 | 000,080,412 | ---- | C] () -- H:\WINDOWS\grep.exe [2012/12/18 22:02:45 | 000,068,096 | ---- | C] () -- H:\WINDOWS\zip.exe [2012/12/18 08:11:05 | 000,001,542 | ---- | C] () -- H:\Documents and Settings\All Users\Desktop\iTunes.lnk [2012/11/25 22:14:18 | 000,000,164 | ---- | C] () -- M:\Gemma's Stuff\cc_20121125_221416.reg [2012/11/25 22:13:42 | 000,000,830 | ---- | C] () -- M:\Gemma's Stuff\cc_20121125_221338.reg [2012/11/25 22:07:22 | 000,213,628 | ---- | C] () -- M:\Gemma's Stuff\cc_20121125_220713.reg [2012/11/25 14:10:50 | 000,000,682 | ---- | C] () -- H:\Documents and Settings\All Users\Desktop\CCleaner.lnk [2012/11/12 13:44:51 | 000,000,385 | ---- | C] () -- H:\Documents and Settings\Gemma\Application Datauser_gensett.xml [2012/09/16 17:22:52 | 002,283,884 | ---- | C] () -- H:\WINDOWS\System32\nvdata.data [2012/09/06 23:41:13 | 000,000,057 | ---- | C] () -- H:\Documents and Settings\All Users\Application Data\Ament.ini [2012/03/18 18:19:36 | 000,047,104 | ---- | C] () -- H:\WINDOWS\AKDeInstall.exe [2012/02/15 18:11:47 | 000,003,072 | ---- | C] () -- H:\WINDOWS\System32\iacenc.dll [2011/11/13 20:02:09 | 000,000,664 | ---- | C] () -- H:\WINDOWS\System32\d3d9caps.dat [2011/09/25 15:59:19 | 000,000,214 | ---- | C] () -- H:\WINDOWS\HP_InstantSHareJPG.ini [2011/09/25 13:55:13 | 000,000,217 | ---- | C] () -- H:\WINDOWS\HP_IZClosingDiscErrorPatch.ini [2011/09/25 12:58:08 | 000,000,227 | ---- | C] () -- H:\WINDOWS\HP_CounterReport_Update_HPSU.ini [2011/09/19 09:20:28 | 000,000,128 | ---- | C] () -- H:\Documents and Settings\Gemma\Local Settings\Application Data\fusioncache.dat [2011/04/09 13:05:17 | 000,000,695 | ---- | C] 
() -- H:\WINDOWS\MYOBP.INI [2011/04/09 13:05:17 | 000,000,057 | ---- | C] () -- H:\WINDOWS\MYOB.INI [2011/04/09 12:16:48 | 000,000,663 | ---- | C] () -- H:\WINDOWS\openrda.ini [2011/04/09 12:16:38 | 000,000,000 | ---- | C] () -- H:\WINDOWS\drvxl32.INI [2011/04/09 12:16:34 | 000,000,000 | ---- | C] () -- H:\WINDOWS\drvwd32.INI [2011/03/15 18:39:22 | 000,000,214 | ---- | C] () -- H:\WINDOWS\HP_48BitScanUpdatePatch.ini [2010/08/08 23:35:00 | 000,079,872 | ---- | C] () -- H:\Documents and Settings\Gemma\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini ========== ZeroAccess Check ========== [2011/04/09 12:11:25 | 000,000,227 | RHS- | M] () -- H:\WINDOWS\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shdocvw.dll -- [2010/04/17 03:09:07 | 001,509,888 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 23:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 11:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2012/12/03 22:10:19 | 000,000,000 | ---D | M] -- H:\Documents and Settings\Administrator\Application Data\Bitdefender [2012/12/18 08:10:58 | 000,000,000 | ---D | M] -- H:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1 [2012/07/03 22:43:11 | 000,000,000 | ---D | M] -- H:\Documents and Settings\All 
Users\Application Data\BDLogging [2012/09/06 11:58:18 | 000,000,000 | ---D | M] -- H:\Documents and Settings\All Users\Application Data\Bitdefender [2011/10/15 18:37:19 | 000,000,000 | ---D | M] -- H:\Documents and Settings\All Users\Application Data\CheckPoint [2010/08/08 18:10:04 | 000,000,000 | ---D | M] -- H:\Documents and Settings\All Users\Application Data\Kaspersky SDK [2010/09/12 09:31:06 | 000,000,000 | ---D | M] -- H:\Documents and Settings\All Users\Application Data\NokiaInstallerCache [2010/09/12 09:34:48 | 000,000,000 | ---D | M] -- H:\Documents and Settings\All Users\Application Data\PC Suite [2010/08/08 22:31:41 | 000,000,000 | ---D | M] -- H:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} [2011/07/11 17:43:24 | 000,000,000 | ---D | M] -- H:\Documents and Settings\All Users\Application Data\{4C0DBD62-F011-4A41-B11D-BE5CFA6DEDD7} [2012/10/01 15:21:03 | 000,000,000 | ---D | M] -- H:\Documents and Settings\Elizabeth\Application Data\Bitdefender [2010/09/20 14:06:03 | 000,000,000 | ---D | M] -- H:\Documents and Settings\Elizabeth\Application Data\CheckPoint [2010/09/20 14:06:12 | 000,000,000 | ---D | M] -- H:\Documents and Settings\Elizabeth\Application Data\MailFrontier [2012/11/19 17:26:52 | 000,000,000 | ---D | M] -- H:\Documents and Settings\Gemma\Application Data\AUSkey [2012/09/06 22:11:52 | 000,000,000 | ---D | M] -- H:\Documents and Settings\Gemma\Application Data\Bitdefender [2010/08/08 18:01:39 | 000,000,000 | ---D | M] -- H:\Documents and Settings\Gemma\Application Data\CheckPoint [2012/12/16 19:37:27 | 000,000,000 | ---D | M] -- H:\Documents and Settings\Gemma\Application Data\DDMSettings [2012/01/31 20:21:53 | 000,000,000 | ---D | M] -- H:\Documents and Settings\Gemma\Application Data\Image Zone Express [2011/07/11 15:55:31 | 000,000,000 | ---D | M] -- H:\Documents and Settings\Gemma\Application Data\MailFrontier [2010/09/12 09:34:45 | 000,000,000 | ---D | M] -- H:\Documents and 
Settings\Gemma\Application Data\PC Suite
[2012/07/03 22:38:13 | 000,000,000 | ---D | M] -- H:\Documents and Settings\Gemma\Application Data\QuickScan

========== Purity Check ==========

< End of report >

OTL Extras logfile created on: 20/12/2012 7:58:07 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = H:\Documents and Settings\Gemma\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

3.25 Gb Total Physical Memory | 2.38 Gb Available Physical Memory | 73.18% Memory free
5.09 Gb Paging File | 4.26 Gb Available in Paging File | 83.76% Paging File free
Paging file location(s): H:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = H: | %SystemRoot% = H:\WINDOWS | %ProgramFiles% = H:\Program Files
Drive H: | 465.75 Gb Total Space | 360.21 Gb Free Space | 77.34% Space Free | Partition Type: NTFS
Drive M: | 931.51 Gb Total Space | 19.98 Gb Free Space | 2.14% Space Free | Partition Type: NTFS

Computer Name: TONKA | User Name: Gemma | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1645522239-1993962763-839522115-1004\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"H:\Program Files\Windows Live\Messenger\wlcsdk.exe" = H:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"H:\Program Files\Windows Live\Messenger\msnmsgr.exe" = H:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"H:\Program Files\Bonjour\mDNSResponder.exe" = H:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service -- (Apple Inc.)
"H:\Program Files\Windows Live\Messenger\wlcsdk.exe" = H:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"H:\Program Files\Windows Live\Messenger\msnmsgr.exe" = H:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"H:\Program Files\HP\HP Photosmart 6510 series\Bin\DeviceSetup.exe" = H:\Program Files\HP\HP Photosmart 6510 series\Bin\DeviceSetup.exe:LocalSubNet:Enabled:HP Device Setup (HP Photosmart 6510 series) -- (Hewlett-Packard Co.)
"H:\Program Files\HP\HP Photosmart 6510 series\Bin\HPNetworkCommunicator.exe" = H:\Program Files\HP\HP Photosmart 6510 series\Bin\HPNetworkCommunicator.exe:LocalSubNet:Enabled:HP Network Communicator (HP Photosmart 6510 series) -- (Hewlett-Packard Co.)
"H:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = H:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"H:\Program Files\iTunes\iTunes.exe" = H:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"H:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe" = H:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe:*:Enabled:Daemonu.exe -- (NVIDIA Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{03B1B42B-F6DE-41d9-8CFF-DC44E895C7A7}" = PhotoGallery
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{069730C2-755A-485B-A205-27A1AAFA836A}" = InstantShareAlert
"{1976B721-8F15-4B86-92D2-725364AF8CE0}" = AUSkey software 1.4.0.3
"{1AE46C09-2AB8-4EE5-88FB-08CD0FF7F2DF}" = Bing Bar
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{21DB3D90-D816-4092-A260-CA3F6B55A6DD}" = Sonic_PrimoSDK
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{23A7B376-BBEC-4e76-BBD7-0F155E70D74B}" = CP_Panorama1Config
"{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}" = HP Update
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{32BDCCB8-9DC8-496d-9DB1-F77510775BDB}" = InstantShareDevices
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36E47DA1-10E1-45d9-8B19-14D19607CDCF}" = CP_CalendarTemplates1
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{459699C3-9430-4381-964B-4248D87B49F9}" = Apple Mobile Device Support
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{55D5A77E-FAAA-4358-B3E5-6565E024F78B}" = MYOB ODBC Direct v10 AUS
"{56EE8B17-8274-418d-89AC-C057C5DB251E}" = RandMap
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{5A01C58E-B0EC-49b9-AD71-7C0468688087}" = CP_Package_Basic1
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{66BA8C26-AFE4-4408-807B-43E76B57EF53}" = SkinsHP1
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{6F340107-F9AA-47C6-B54C-C3A19F11553F}" = Hewlett-Packard ACLM.NET v1.1.0.0
"{710BF966-43C8-4216-A8EC-BC4E169FF7C1}" = MobileMe Control Panel
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager
"{7E27304E-BAA2-4d90-A34E-76641FAFABB4}" = CP_AtenaShokunin1Config
"{8272813D-F806-4AD1-95E0-9F4340F4B329}" = HP Photosmart 6510 series Product Improvement Study
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B922CF8-8A6C-41CE-A858-F1755D7F5D29}" = NVIDIA PhysX
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99E420FC-372C-4107-BA85-4CC44E265C2A}" = MYOB AccountRight Plus v19
"{A06176AF-7494-4B29-BE74-F01323AD3233}" = MYOB BusinessBasics v1
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2F95F8C-CDA9-4B08-BAD1-CA9656E4EC14}" = HP Photosmart 6510 series Help
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A436F67F-687E-4736-BD2B-537121A804CF}" = HP Product Detection
"{A5BB5365-EFB4-44c3-A7E2-EB59B7EFD23D}" = CueTour
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI
"{AF06FEB8-B5BB-44EA-B554-B825A65025EC}" = HP Photosmart 6510 series Basic Device Software
"{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}" = QuickTime
"{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
"{B0261E53-B6F1-474A-864B-E7C3CBF468E0}" = iTunes
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 310.70
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 310.70
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView" = NVIDIA nView 136.53
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.12.1031
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.11.3
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B96D2269-568B-4CBF-9332-12FAE8B158F7}" = Medieval CUE Splitter
"{C078C299-C2C2-4110-A6EF-8D5E66C228DA}" = e-tax 2011
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCE825DB-347A-4004-A186-5F4A6FDD8547}" = Apple Application Support
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FB3BE405-6BF0-490A-84B3-00611385EA0D}" = Common-Use Signing Interface
"{FBE569CA-BFEB-4E57-A674-F94D938E1AEF}" = e-tax 2010
"{FE64AE29-0883-4C70-8388-DC026019C900}" = HP Image Zone Express
"{FF7DD5BE-42FF-44B8-AF36-4A46CD2C6D42}" = AUSkey software 1.4.0.6
"AC3Filter_is1" = AC3Filter 1.63b
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Alt.Binz" = Alt.Binz 0.25.0
"Bitdefender" = Bitdefender Total Security 2013
"CCleaner" = CCleaner
"Common-Use Signing Interface" = Common-Use Signing Interface
"CutePDF Writer Installation" = CutePDF Writer 3.0
"Direct WAV MP3 Splitter_is1" = Direct WAV MP3 Splitter version 2.6.0.21
"DivX Setup" = DivX Setup
"DVD Flick_is1" = DVD Flick 1.3.0.7
"FileHippo.com" = FileHippo.com Update Checker
"HP Photo & Imaging" = HP Image Zone 5.3
"HP Photo Creations" = HP Photo Creations
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"InstallShield_{55D5A77E-FAAA-4358-B3E5-6565E024F78B}" = MYOB ODBC Direct v10 AUS
"InstallShield_{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager
"InstallShield_{99E420FC-372C-4107-BA85-4CC44E265C2A}" = MYOB AccountRight Plus v19
"InstallShield_{A06176AF-7494-4B29-BE74-F01323AD3233}" = MYOB BusinessBasics v1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"mpegable DS" = mpegable DS decoder
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Non Driver CIO Components" = Non Driver CIO Components
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"oggcodecs" = oggcodecs 0.71.0946
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WET7Cable" = Windows Easy Transfer for Windows 7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR 4.20 (32-bit)
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XP Codec Pack" = XP Codec Pack
"Xvid_is1" = Xvid 1.1.3 final uninstall

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1645522239-1993962763-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 3/12/2012 7:27:54 AM | Computer Name = TONKA | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x03237e30.

Error - 3/12/2012 7:27:59 AM | Computer Name = TONKA | Source = Application Error | ID = 1001
Description = Fault bucket 879003832.

[ System Events ]
Error - 19/12/2012 4:38:32 PM | Computer Name = TONKA | Source = DCOM | ID = 10010
Description = The server {4991D34B-80A1-4291-83B6-3328366B9097} did not register with DCOM within the required timeout.

Error - 19/12/2012 4:48:06 PM | Computer Name = TONKA | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error: %%126

Error - 19/12/2012 4:48:36 PM | Computer Name = TONKA | Source = DCOM | ID = 10010
Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register with DCOM within the required timeout.

Error - 19/12/2012 4:52:41 PM | Computer Name = TONKA | Source = Service Control Manager | ID = 7023
Description = The BITS service terminated with the following error: %%126

Error - 19/12/2012 4:52:41 PM | Computer Name = TONKA | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error: %%126

Error - 19/12/2012 4:53:40 PM | Computer Name = TONKA | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error: %%126

Error - 19/12/2012 4:54:10 PM | Computer Name = TONKA | Source = DCOM | ID = 10010
Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register with DCOM within the required timeout.

Error - 19/12/2012 4:58:29 PM | Computer Name = TONKA | Source = Service Control Manager | ID = 7023
Description = The BITS service terminated with the following error: %%126

Error - 19/12/2012 4:58:57 PM | Computer Name = TONKA | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error: %%126

Error - 19/12/2012 4:58:59 PM | Computer Name = TONKA | Source = DCOM | ID = 10010
Description = The server {4991D34B-80A1-4291-83B6-3328366B9097} did not register with DCOM within the required timeout.

< End of report >
14. Hi MrC,

It took me 4 goes to get MBAR to work (I ended up having to run it in safe mode the first time), as I think Bitdefender, MBAM or Spybot were interfering with it and kept making my PC freeze during the scan. Once run twice, it found nothing though! I have attached the logs.

I am still experiencing problems on start-up (black screen/freeze) when Windows is booting, or the screen freezes when loading my user screen, and I have to reboot 2 times on average to get it to work. There are several error messages in my system event logs, with entries from 19/11/12 onwards. The first few I don't understand, but the more recent ones relate to the Spybot update failing on start-up (I think), so maybe this is part of my problem. I will try uninstalling it and see if I still have problems. It may be best to just reinstall the OS over the Christmas break if it continues.

Thanks heaps for your help. I really appreciate it.

Cheers,
Gemma

mbar-log-2012-12-19 (19-28-05).txt
mbar-log-2012-12-19 (19-49-31).txt
system-log.txt
15. Ok, here it is below. Also, I think when I had problems downloading RogueKiller the other day it was because Bitdefender thought it was an infected file.

ComboFix 12-12-17.02 - Gemma 18/12/2012 22:04:54.2.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2485 [GMT 11:00]
Running from: h:\documents and settings\Gemma\Desktop\ComboFix.exe
AV: Bitdefender Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *Enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
h:\documents and settings\All Users\Application Data\1341315430.bdinstall.bin
h:\documents and settings\All Users\Application Data\1346892345.bdinstall.bin
h:\documents and settings\All Users\Application Data\1346892754.bdinstall.bin
h:\documents and settings\Gemma\Application Data\HPSU_48BitScanUpdate.log
h:\windows\system32\SET4D.tmp
h:\windows\system32\SET50.tmp
h:\windows\system32\SET54.tmp
h:\windows\system32\SET55.tmp
h:\windows\system32\SET5C.tmp
h:\windows\system32\SET5E.tmp
h:\windows\system32\URTTemp
h:\windows\system32\URTTemp\regtlib.exe
h:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-11-18 to 2012-12-18 )))))))))))))))))))))))))))))))
.
.
2012-12-17 21:10 . 2012-12-17 21:10 -------- d-----w- h:\program files\iPod
2012-12-17 21:10 . 2012-12-17 21:10 -------- d-----w- h:\program files\iTunes
2012-12-17 21:10 . 2012-12-17 21:10 -------- d-----w- h:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-12-16 08:37 . 2012-12-16 08:37 -------- d-----w- h:\documents and settings\Gemma\Application Data\DDMSettings
2012-12-03 11:17 . 2012-12-03 11:17 -------- d-----w- h:\documents and settings\Administrator\Local Settings\Application Data\Google
2012-12-03 11:10 . 2012-12-03 11:10 -------- d-----w- h:\documents and settings\Administrator\Application Data\Bitdefender
2012-12-03 10:59 . 2012-12-03 10:59 -------- d-----w- h:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2012-12-03 09:49 . 2012-12-03 09:49 -------- d-----w- h:\documents and settings\Administrator\Application Data\Malwarebytes
2012-12-01 07:57 . 2012-12-03 11:16 -------- d-----w- H:\Other Videos
2012-11-25 03:18 . 2009-01-25 01:14 15224 ----a-w- h:\windows\system32\sdnclean.exe
2012-11-25 03:17 . 2012-11-25 03:18 -------- d-----w- h:\program files\Spybot - Search & Destroy 2
2012-11-25 03:10 . 2012-12-16 08:25 -------- d-----w- h:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 06:53 . 2012-04-08 10:09 73656 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 06:53 . 2012-04-08 10:09 697272 ----a-w- h:\windows\system32\FlashPlayerApp.exe
2012-12-11 08:00 . 2012-09-06 00:56 242504 ----a-w- h:\windows\system32\drivers\avchv.sys
2012-11-13 20:29 . 2012-11-13 20:29 354216 ----a-w- h:\windows\system32\DivXControlPanelApplet.cpl
2012-11-13 01:25 . 2004-08-04 12:00 1866368 ----a-w- h:\windows\system32\win32k.sys
2012-11-13 00:21 . 2012-09-06 00:52 343456 ----a-w- h:\windows\system32\drivers\trufos.sys
2012-11-06 00:41 . 2004-08-04 12:00 290560 ----a-w- h:\windows\system32\atmfd.dll
2012-11-02 02:02 . 2004-08-04 12:00 375296 ----a-w- h:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2004-08-04 12:00 916992 ----a-w- h:\windows\system32\wininet.dll
2012-11-01 12:17 . 2004-08-04 12:00 43520 ----a-w- h:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2004-08-04 12:00 1469440 ----a-w- h:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-04 12:00 385024 ----a-w- h:\windows\system32\html.iec
2012-10-26 08:30 . 2012-10-26 08:30 622616 ----a-w- h:\windows\system32\drivers\avc3.sys
2012-10-26 08:28 . 2012-09-06 00:56 481464 ----a-w- h:\windows\system32\drivers\avckf.sys
2012-10-26 08:28 . 2012-09-06 00:56 66392 ----a-w- h:\windows\system32\drivers\bdsandbox.sys
2012-10-24 16:12 . 2012-10-24 16:12 94208 ----a-w- h:\windows\system32\QuickTimeVR.qtx
2012-10-24 16:12 . 2012-10-24 16:12 69632 ----a-w- h:\windows\system32\QuickTime.qts
2012-10-12 08:42 . 2012-10-12 08:42 249856 ------w- h:\windows\Setup1.exe
2012-10-12 08:42 . 2012-10-12 08:42 73216 ----a-w- h:\windows\ST6UNST.EXE
2012-10-02 18:04 . 2004-08-04 12:00 58368 ----a-w- h:\windows\system32\synceng.dll
2012-10-01 04:24 . 2012-09-06 00:52 161312 ----a-w- h:\windows\system32\drivers\gzflt.sys
2012-09-29 08:54 . 2012-11-09 10:39 22856 ----a-w- h:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1dad3af3-ef2f-4f64-ac4b-11789189fcb6}]
2012-06-11 06:22 1307728 ----a-w- h:\program files\Microsoft\BingBar\7.1.391.0\BingExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\__SafeBox1]
@="{152C96EB-288E-4EDC-B7C6-D21F8250ADF3}"
[HKEY_CLASSES_ROOT\CLSID\{152C96EB-288E-4EDC-B7C6-D21F8250ADF3}]
2012-11-13 00:21 240920 ----a-w- h:\program files\Bitdefender\Bitdefender Safebox\safeboxshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\__SafeBox2]
@="{342DAA0B-D796-460D-8566-901E08A1CCAD}"
[HKEY_CLASSES_ROOT\CLSID\{342DAA0B-D796-460D-8566-901E08A1CCAD}]
2012-11-13 00:21 240920 ----a-w- h:\program files\Bitdefender\Bitdefender Safebox\safeboxshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\__SafeBox3]
@="{57595DAE-1AE1-4D97-A49E-67CBB53B52DF}"
[HKEY_CLASSES_ROOT\CLSID\{57595DAE-1AE1-4D97-A49E-67CBB53B52DF}]
2012-11-13 00:21 240920 ----a-w- h:\program files\Bitdefender\Bitdefender Safebox\safeboxshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\__SafeBox4]
@="{33816773-98AE-4723-ADE0-EBE54C8B5A67}"
[HKEY_CLASSES_ROOT\CLSID\{33816773-98AE-4723-ADE0-EBE54C8B5A67}]
2012-11-13 00:21 240920 ----a-w- h:\program files\Bitdefender\Bitdefender Safebox\safeboxshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FileHippo.com"="h:\program files\FileHippo.com\UpdateChecker.exe" [2012-11-23 307712]
"HP Photosmart 6510 series (NET)"="h:\program files\HP\HP Photosmart 6510 series\Bin\ScanToPCActivationApp.exe" [2011-09-16 1804648]
"Spybot-S&D Cleaning"="h:\program files\Spybot - Search & Destroy 2\SDCleaner.exe" [2012-11-13 3713032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-02 18085888]
"AppleSyncNotifier"="h:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-01 59240]
"APSDaemon"="h:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"HP Software Update"="h:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"Bdagent"="h:\program files\Bitdefender\Bitdefender 2013\bdagent.exe" [2012-12-01 1613368]
"Adobe ARM"="h:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-23 926896]
"NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2012-08-30 108392]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2012-08-30 15512424]
"QuickTime Task"="h:\program files\QuickTime\QTTask.exe" [2012-10-24 421888]
"SDTray"="h:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"DivXMediaServer"="h:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]
"DivXUpdate"="h:\program files\DivX\DivX Update\DivXUpdate.exe" [2012-11-30 1263512]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
h:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Image Zone Fast Start.lnk - h:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "h:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"h:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"h:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"h:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"h:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"h:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"h:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"h:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 avc3;avc3;h:\windows\system32\drivers\avc3.sys [26/10/2012 7:30 PM 622616]
R0 gzflt;gzflt;h:\windows\system32\drivers\gzflt.sys [6/09/2012 11:52 AM 161312]
R1 BDVEDISK;BDVEDISK;h:\windows\system32\drivers\bdvedisk.sys [6/09/2012 11:56 AM 72704]
R1 SASDIFSV;SASDIFSV;h:\program files\SUPERAntiSpyware\sasdifsv.sys [23/07/2011 3:27 AM 12880]
R1 SASKUTIL;SASKUTIL;h:\program files\SUPERAntiSpyware\SASKUTIL.SYS [13/07/2011 8:55 AM 67664]
R2 !SASCORE;SAS Core Service;h:\program files\SUPERAntiSpyware\SASCore.exe [12/07/2012 5:54 AM 116608]
R2 MBAMScheduler;MBAMScheduler;h:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/11/2012 9:39 PM 399432]
R2 SafeBox;SafeBox;h:\program files\Bitdefender\Bitdefender Safebox\safeboxservice.exe [6/09/2012 11:56 AM 82824]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;h:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [25/11/2012 2:18 PM 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;h:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [25/11/2012 2:18 PM 1369624]
R2 UPDATESRV;Bitdefender Desktop Update Service;h:\program files\Bitdefender\Bitdefender 2013\updatesrv.exe [6/09/2012 11:56 AM 55544]
R3 avchv;avchv Function Driver;h:\windows\system32\drivers\avchv.sys [6/09/2012 11:56 AM 242504]
R3 BBUpdate;BBUpdate;h:\program files\Microsoft\BingBar\7.1.391.0\SeaPort.EXE [11/06/2012 5:22 PM 240208]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;h:\program files\Common Files\Bitdefender\Bitdefender Firewall\bdfndisf.sys [6/09/2012 11:56 AM 116248]
S2 BBSvc;BingBar Service;h:\program files\Microsoft\BingBar\7.1.391.0\BBSvc.EXE [11/06/2012 5:22 PM 193616]
S2 MBAMService;MBAMService;h:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/11/2012 9:39 PM 676936]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;h:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [25/11/2012 2:18 PM 168384]
S3 avckf;avckf;h:\windows\system32\drivers\avckf.sys [6/09/2012 11:56 AM 481464]
S3 BDSandBox;BDSandBox;h:\windows\system32\drivers\bdsandbox.sys [6/09/2012 11:56 AM 66392]
S3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [9/11/2012 9:39 PM 22856]
S3 WDC_SAM;WD SCSI Pass Thru driver;h:\windows\system32\drivers\wdcsam.sys [6/05/2008 4:06 PM 11520]
S4 BdDesktopParental;Bitdefender Desktop Parental Control;h:\program files\Bitdefender\Bitdefender 2013\bdparentalservice.exe [6/09/2012 11:56 AM 59152]
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-18 h:\windows\Tasks\Adobe Flash Player Updater.job
- h:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 06:53]
.
2012-05-30 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 07:57]
.
2012-11-10 h:\windows\Tasks\At1.job
- h:\program files\HP\HP Photosmart 6510 series\Bin\HPCustPartic.exe [2011-09-16 01:01]
.
2012-12-16 h:\windows\Tasks\At2.job
- h:\program files\HP\HP Photosmart 6510 series\Bin\HPCustPartic.exe [2011-09-16 01:01]
.
2012-12-16 h:\windows\Tasks\At3.job
- h:\program files\HP\HP Photosmart 6510 series\Bin\HPCustPartic.exe [2011-09-16 01:01]
.
2012-11-26 h:\windows\Tasks\At4.job
- h:\program files\HP\HP Photosmart 6510 series\Bin\HPCustPartic.exe [2011-09-16 01:01]
.
2012-12-18 h:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- h:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2012-11-25 03:08]
.
2012-12-01 h:\windows\Tasks\Disk Cleanup.job
- h:\windows\system32\cleanmgr.exe [2004-08-04 00:12]
.
2012-11-26 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1004Core.job
- h:\documents and settings\Gemma\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-08 10:57]
.
2012-12-17 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1004UA.job
- h:\documents and settings\Gemma\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-08 10:57]
.
2012-11-26 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1005Core.job
- h:\documents and settings\Elizabeth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-25 04:56]
.
2012-12-17 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1005UA.job
- h:\documents and settings\Elizabeth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-25 04:56]
.
2012-12-18 h:\windows\Tasks\HP Photo Creations Messager.job
- h:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
.
2012-12-16 h:\windows\Tasks\Malwarebytes' Anti-Malware.job
- h:\progra~1\MALWAR~1\mbam.exe [2012-11-09 08:54]
.
2012-11-25 h:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- h:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2012-11-25 03:07]
.
2012-11-25 h:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- h:\program files\Spybot - Search & Destroy 2\SDScan.exe [2012-11-25 03:07]
.
2012-03-19 h:\windows\Tasks\shutdown.job
- h:\windows\system32\shutdown.exe [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = 200.76.23.165:80
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.1.1.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-18364662.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-18 22:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-1993962763-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{35FF3DB5-B1F9-448B-3FC7-6CED177A7C9C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oagpihefnphanpfngepnpkplhbkhlj"=hex:64,61,67,6e,69,6e,62,61,00,84
"oakolcohlajajeehcenikdpffabegp"=hex:6a,61,6c,6e,70,6c,66,64,6e,68,6b,67,67,6d,69,68,69,70,67,68,00,02
"naibbchnamilgnjlfiodjaoenkna"=hex:6a,61,67,6e,6e,6e,6c,63,61,69,62,67,6d,6c,64,70,68,70,6e,69,00,02
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2012-12-18 22:26:12
ComboFix-quarantined-files.txt 2012-12-18 11:26
ComboFix2.txt 2011-11-20 04:18
.
Pre-Run: 387,294,380,032 bytes free
Post-Run: 387,721,732,096 bytes free
.
- - End Of File - - C9D8FB8810D04FE0CD90D57288070B81
  16. 07:43:49.0000 2960 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
07:43:51.0015 2960 ============================================================
07:43:51.0015 2960 Current date / time: 2012/12/18 07:43:51.0015
07:43:51.0015 2960 SystemInfo:
07:43:51.0015 2960
07:43:51.0015 2960 OS Version: 5.1.2600 ServicePack: 3.0
07:43:51.0015 2960 Product type: Workstation
07:43:51.0015 2960 ComputerName: TONKA
07:43:51.0015 2960 UserName: Gemma
07:43:51.0015 2960 Windows directory: H:\WINDOWS
07:43:51.0015 2960 System windows directory: H:\WINDOWS
07:43:51.0015 2960 Processor architecture: Intel x86
07:43:51.0015 2960 Number of processors: 4
07:43:51.0015 2960 Page size: 0x1000
07:43:51.0015 2960 Boot type: Normal boot
07:43:51.0015 2960 ============================================================
07:43:53.0031 2960 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xFC59, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
07:43:53.0031 2960 Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1F8B1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
07:43:53.0093 2960 ============================================================
07:43:53.0093 2960 \Device\Harddisk0\DR0:
07:43:53.0093 2960 MBR partitions:
07:43:53.0093 2960 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A380D41
07:43:53.0093 2960 \Device\Harddisk1\DR1:
07:43:53.0093 2960 MBR partitions:
07:43:53.0093 2960 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x747055D1
07:43:53.0093 2960 ============================================================
07:43:53.0125 2960 H: <-> \Device\Harddisk0\DR0\Partition1
07:43:53.0156 2960 M: <-> \Device\Harddisk1\DR1\Partition1
07:43:53.0156 2960 ============================================================
07:43:53.0156 2960 Initialize success
07:43:53.0156 2960 ============================================================
07:44:56.0828 1716 Deinitialize success
TDSSKiller.2.8.15.0_18.12.2012_07.47.42_log.txt
  17. Ok, I downloaded the software and double-clicked to open. It seemed to start scanning straight away and then the opened window disappeared and a file called "RK_Quarantine" appeared on my desktop. Nothing seemed to be happening so I opened Google Chrome and went back to the link above to read through your instructions again. When I returned to my desktop the RogueKiller file had disappeared! I tried to download it again and it said I had insufficient rights. I tried again by opening it in a different window and I got it to work.

Here is the report:

RogueKiller V8.4.0 [Dec 15 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Gemma [Admin rights]
Mode : Scan -- Date : 12/17/2012 19:45:37

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (200.76.23.165:80) -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DA060)
SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DABCA)
SSDT[25] : NtClose @ 0x805BC538 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DDABA)
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DC346)
SSDT[37] : NtCreateFile @ 0x805790A2 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DB894)
SSDT[41] : NtCreateKey @ 0x806240F6 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DCA3E)
SSDT[47] : NtCreateProcess @ 0x805D1250 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DAE20)
SSDT[48] : NtCreateProcessEx @ 0x805D119A -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DAED6)
SSDT[50] : NtCreateSection @ 0x805AB3D0 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DB1BE)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D99D0)
SSDT[66] : NtDeviceIoControlFile @ 0x80579268 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DCBAE)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34E0F48)
SSDT[84] : NtFsControlFile @ 0x8057929C -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DCE66)
SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DA4D6)
SSDT[105] : NtMakeTemporaryObject @ 0x805BC5DC -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DD862)
SSDT[116] : NtOpenFile @ 0x8057A1A0 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DB68C)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34E09A0)
SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DAF90)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34E0C50)
SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D9EE4)
SSDT[180] : NtQueueApcThread @ 0x805D2756 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DACF2)
SSDT[193] : NtReplaceKey @ 0x806261CA -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DD6B0)
SSDT[199] : NtRequestPort @ 0x805A2A52 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DC4B4)
SSDT[200] : NtRequestWaitReplyPort @ 0x805A2D7E -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DBE48)
SSDT[204] : NtRestoreKey @ 0x80625AD6 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DD73A)
SSDT[210] : NtSecureConnectPort @ 0x805A3D6C -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DC8CE)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D9B40)
SSDT[237] : NtSetSecurityObject @ 0x805C0636 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DD60A)
SSDT[240] : NtSetSystemInformation @ 0x8060FD24 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DA6D0)
SSDT[249] : NtShutdownSystem @ 0x80612FAE -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DD7CC)
SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D9DBC)
SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D9C96)
SSDT[255] : NtSystemDebugControl @ 0x806180CA -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DAAFC)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34E0898)
SSDT[258] : NtTerminateThread @ 0x805D24D2 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34E113A)
SSDT[262] : NtUnloadDriver @ 0x80584306 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34DD8F8)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D9854)
S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D943C)
S_SSDT[322] : NtUserCallNoParam -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D9644)
S_SSDT[323] : NtUserCallOneParam -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D9596)
S_SSDT[347] : NtUserDdeSetQualityOfService -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D93A2)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D933E)
S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D91D0)
S_SSDT[416] : NtUserGetKeyState -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D916C)
S_SSDT[460] : NtUserMessageCall -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D8E76)
S_SSDT[475] : NtUserPostMessage -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D8C7C)
S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D8CFC)
S_SSDT[491] : NtUserRegisterRawInputDevices -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D8EFE)
S_SSDT[502] : NtUserSendInput -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D8C2A)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D827C)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (\??\H:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys @ 0xB34D870A)

¤¤¤ HOSTS File: ¤¤¤
--> H:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500418AS +++++
--- User ---
[MBR] 1c16ffd9dacf72be06542c7b354713d1
[BSP] 68c87b7ffe18b9f0a2c898443aca5d42 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD10EARS-00MVWB0 +++++
--- User ---
[MBR] 587c5cf1103601afa846cf3d5d548844
[BSP] f68e70e5f757c1f796d4abd4b4f885cc : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953866 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_12172012_02d1945.txt >>
RKreport[1]_S_12172012_02d1945.txt
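The [PROXY IE] entry RogueKiller flags in the report above (ProxyServer = 200.76.23.165:80) is the same value ComboFix prints under uInternet Settings,ProxyServer in both of the ComboFix logs on this page, from November 2011 and December 2012, so it was still in place a year after the first cleanup. A WinINet proxy pointing at a public address that the user never configured is a classic browser hijack: every HTTP request from IE (and from anything that uses the system proxy) is routed through a third party. As an added example, not part of this thread and not RogueKiller's or ComboFix's own code, the Python script below reads log lines in those two formats, pulls out each ProxyServer value and flags it when any host in it lies outside loopback, link-local or RFC 1918 space. The sample lines are constructed from the formats shown above; the two regular expressions and the "local means legitimate" heuristic are my assumptions, not anything either tool documents.

```python
import ipaddress
import re

# Constructed sample, modelled on the ComboFix "Supplementary Scan" lines and
# the RogueKiller "Registry Entries" lines posted in this thread. The proxy
# address is the one both tools reported above; the rest is illustrative.
SAMPLE_LOG = """\
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = 200.76.23.165:80
TCP: DhcpNameServer = 10.1.1.1
[PROXY IE] HKCU\\[...]\\Internet Settings : ProxyServer (200.76.23.165:80) -> FOUND
[HJPOL] HKCU\\[...]\\System : disableregistrytools (0) -> FOUND
"""

# One pattern per log format (assumed from the lines above, not documented):
# ComboFix  "uInternet Settings,ProxyServer = host:port"
# RogueKiller "[PROXY IE] ... ProxyServer (host:port) -> FOUND"
PROXY_PATTERNS = (
    re.compile(r"Internet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)"),
    re.compile(r"\[PROXY IE\].*ProxyServer \((?P<proxy>[^)]+)\)"),
)


def proxy_hosts(proxy_value):
    """Yield the host part of each entry in a WinINet ProxyServer value.

    The value is either "host:port" or a per-protocol list such as
    "http=host:port;https=host:port"; both forms are handled here.
    """
    for entry in proxy_value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        entry = entry.split("=", 1)[-1]          # drop a "http=" style prefix
        yield entry.rsplit(":", 1)[0] if ":" in entry else entry


def is_local_host(host):
    """True for addresses a legitimate LAN proxy would normally use:
    loopback, link-local, RFC 1918 private ranges, localhost or a .local name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                            # a hostname, not an IP
        host = host.lower()
        return host == "localhost" or host.endswith(".local")
    return ip.is_loopback or ip.is_link_local or ip.is_private


def find_proxy_settings(log_text):
    """Map each ProxyServer value found in the log to True if any of its hosts
    lies outside local/private space (a likely hijack), else False."""
    findings = {}
    for line in log_text.splitlines():
        for pattern in PROXY_PATTERNS:
            match = pattern.search(line)
            if match:
                proxy = match.group("proxy").strip()
                findings[proxy] = not all(is_local_host(h) for h in proxy_hosts(proxy))
    return findings


if __name__ == "__main__":
    for proxy, suspicious in find_proxy_settings(SAMPLE_LOG).items():
        verdict = "SUSPICIOUS: public address" if suspicious else "local proxy"
        print(f"ProxyServer = {proxy} -> {verdict}")
```

A hostname other than localhost or a .local name is deliberately treated as non-local, so a corporate proxy given by DNS name will be reported and has to be confirmed by hand; that is the safer failure mode for a triage script. Fixing the setting itself is a separate step (RogueKiller's delete mode, or clearing ProxyServer/ProxyEnable under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings), and the finding should be re-checked after a reboot, since the value on this page came back between cleanups.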
  18. Hi there,

My PC has been running slow for several weeks now and I have run scans with Malwarebytes & my antivirus software but found nothing. I recently upgraded Spybot Search & Destroy and ran the rootkit scan. It found something in two video files I got from a friend's portable hard drive so I deleted the files. I had opened one of the files to watch about a month ago. Last night when I shut down Google Chrome there was a pop-up window open with a link to some sex website. So I ran Spybot's rootkit scan again and found this:

Type: Value
Object: 齈웰行令ᖐ哘
Location: HKLM\SYSTEM\ControlSet003\Control\Session Manager\
Details: Invisible to Win32

I have downloaded DDS. Attached are the two files. If someone could help me out that would be appreciated.

Gemma

dds.txt
attach.txt
  19. Hi Maniac,

I have been following your instructions and I am up to clearing the system restore points & creating new ones. I have done scans with both MBAM and ZoneAlarm and both come back clean, but I noticed that when I run a quick scan in MBAM 209,840 files were checked, but in ZA a quick scan is only scanning 7,349 files. Tonight ZA has given me pop-ups every hour to say the "security scan completed" even though the software is set to scan only once a day.

I was looking at the logs in ZoneAlarm just now and note that under OSFirewall there are several entries being blocked. The filename is H:\Windows\system32\svchost.exe. When I select more info it says "Generic Host Process for Win32 Services is trying to delete a value in the registry." but that my PC is safe. Should I be concerned about this?

Finally, while cleaning up tonight I found details of a pop-up that appeared last month which I noted down at the time but forgot about until now: "Access violation at address 7E429486 in module USER32.dll. Read of address 0020006C." I probably sound paranoid but I just want to make sure nothing nasty is left behind.

Oh, also, is it OK to re-enable TeaTimer now?

Thanks again for your help! I really do appreciate it.
  20. Hi Maniac, yes I think everything is OK! Thank you so much for helping me. I really do appreciate it. I will be making a donation via PayPal. I hope it goes to you!

Do I now delete all the files and applications you asked me to download and keep on my desktop?
  21. OK. It is downloading normally now, much faster than last night.
  22. OK, I downloaded and ran the AVP Tool. It didn't find anything. There was only one report to save, the automatic scan report. I have ADSL2+ internet speed so it's usually fast, but it took well over an hour to download the AVP file, averaging 13kb/sec!!

Could ComboFix have changed my internet settings? Because since I have run it, I now have an IE shortcut on my desktop and Chrome is no longer my default browser. I also wasn't able to download AVP Tool via Chrome. When I clicked on download I kept getting a 404 Not Found error. When I opened IE and tried, the page loaded right away.

Also, regarding my previous post below: yesterday I stupidly disconnected the internet and then ended the top 2 processes and was worried about the number of processes running. I intended to keep my PC on until I heard from you; however, by doing that I shut down both MBAM and ZAlarm, which meant handle.3XE started to run, so I stopped that process too as I had no idea if it was legit or not. I have since checked and there is no file H:\ComboFix\handle.3XE on the H drive!
  23. ComboFix 11-11-19.04 - Gemma 20/11/2011 15:07:43.1.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2618 [GMT 11:00]
Running from: h:\documents and settings\Gemma\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
h:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
h:\windows\jestertb.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_COMSYSAPP
-------\Service_COMSysApp
.
.
((((((((((((((((((((((((( Files Created from 2011-10-20 to 2011-11-20 )))))))))))))))))))))))))))))))
.
.
2011-11-19 09:47 . 2011-11-19 09:47 -------- d-----w- h:\program files\ESET
2011-11-17 10:18 . 2011-11-17 10:18 388096 ----a-r- h:\documents and settings\Gemma\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-17 10:18 . 2011-11-17 10:18 -------- d-----w- h:\program files\Trend Micro
2011-11-15 11:37 . 2011-11-15 11:37 -------- d-----w- h:\program files\Conduit
2011-11-15 10:30 . 2011-11-15 10:30 -------- d-----w- h:\documents and settings\Gemma\Application Data\Malwarebytes
2011-11-15 10:29 . 2011-11-15 10:29 -------- d-----w- h:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-15 10:29 . 2011-11-15 10:29 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
2011-11-15 10:29 . 2011-08-31 06:00 22216 ----a-w- h:\windows\system32\drivers\mbam.sys
2011-11-14 05:24 . 2011-11-14 05:24 -------- d-----w- h:\documents and settings\UpdatusUser
2011-11-14 05:24 . 2011-11-14 05:24 -------- d-----w- h:\documents and settings\All Users\Application Data\NVIDIA
2011-11-14 05:24 . 2011-05-20 19:01 543336 ----a-w- h:\windows\system32\easyupdatusapiu.dll
2011-11-14 04:50 . 2011-11-14 04:50 -------- d-----w- h:\program files\Microsoft.NET
2011-11-13 11:05 . 2011-11-13 11:05 -------- d-----w- h:\documents and settings\Gemma\Application Data\SUPERAntiSpyware.com
2011-11-13 11:05 . 2011-11-13 11:05 -------- d-----w- h:\program files\SUPERAntiSpyware
2011-11-13 11:05 . 2011-11-13 11:05 -------- d-----w- h:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-11-03 10:33 . 2011-11-03 10:33 -------- d-----w- h:\documents and settings\LocalService\Application Data\Malwarebytes
2011-10-26 08:43 . 2011-10-26 08:43 -------- d-----w- h:\program files\iPod
2011-10-26 08:43 . 2011-10-26 08:43 -------- d-----w- h:\program files\iTunes
2011-10-26 08:38 . 2011-10-26 08:38 -------- d-----w- h:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2010-08-07 07:12 692736 ----a-w- h:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-04 12:00 599040 ----a-w- h:\windows\system32\crypt32.dll
2011-09-26 00:41 . 2008-07-29 09:59 611328 ----a-w- h:\windows\system32\uiautomationcore.dll
2011-09-26 00:41 . 2004-08-04 12:00 220160 ----a-w- h:\windows\system32\oleacc.dll
2011-09-26 00:41 . 2004-08-04 12:00 20480 ----a-w- h:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- h:\windows\system32\win32k.sys
2011-08-30 12:05 . 2011-08-30 12:05 83816 ----a-w- h:\windows\system32\dns-sd.exe
2011-08-30 12:05 . 2011-08-30 12:05 73064 ----a-w- h:\windows\system32\dnssd.dll
2011-08-30 12:05 . 2011-08-30 12:05 50536 ----a-w- h:\windows\system32\jdns_sd.dll
2011-08-30 12:05 . 2011-08-30 12:05 178536 ----a-w- h:\windows\system32\dnssdX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="h:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-07 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-02 18085888]
"HP Software Update"="h:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"Adobe Reader Speed Launcher"="h:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="h:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"DivXUpdate"="h:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"AppleSyncNotifier"="h:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"QuickTime Task"="h:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="h:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-26 59240]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"NvMediaCenter"="NvMCTray.dll" [2011-05-20 111208]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2011-05-20 13895272]
"nwiz"="h:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
"Malwarebytes' Anti-Malware"="h:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"ZoneAlarm"="h:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-09 73360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
h:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - h:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - h:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "h:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- h:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"h:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
R1 kl2;kl2;h:\windows\system32\drivers\kl2.sys [14/10/2010 5:08 PM 11352]
R1 SASDIFSV;SASDIFSV;h:\program files\SUPERAntiSpyware\sasdifsv.sys [23/07/2011 3:27 AM 12880]
R1 SASKUTIL;SASKUTIL;h:\program files\SUPERAntiSpyware\SASKUTIL.SYS [13/07/2011 8:55 AM 67664]
R2 !SASCORE;SAS Core Service;h:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 10:38 AM 116608]
R2 MBAMService;MBAMService;h:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [15/11/2011 9:29 PM 366152]
R2 nvUpdatusService;NVIDIA Update Service Daemon;h:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [14/11/2011 4:24 PM 2214504]
R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [15/11/2011 9:29 PM 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
S3 WDC_SAM;WD SCSI Pass Thru driver;h:\windows\system32\drivers\wdcsam.sys [6/05/2008 4:06 PM 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;h:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-14 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 07:57]
.
2011-11-01 h:\windows\Tasks\Disk Cleanup.job
- h:\windows\system32\cleanmgr.exe [2004-08-04 00:12]
.
2011-11-07 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1004Core.job
- h:\documents and settings\Gemma\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-08 10:57]
.
2011-11-19 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1004UA.job
- h:\documents and settings\Gemma\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-08 10:57]
.
2011-11-12 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1005Core.job
- h:\documents and settings\Elizabeth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-25 04:56]
.
2011-11-19 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1005UA.job
- h:\documents and settings\Elizabeth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-25 04:56]
.
2011-10-23 h:\windows\Tasks\Malwarebytes' Anti-Malware.job
- h:\progra~1\MALWAR~1\mbam.exe [2011-11-15 06:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = 200.76.23.165:80
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.1.1.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{91da5e8a-3318-4f8c-b67e-5964de3ab546} - (no file)
AddRemove-NVIDIA Display Control Panel - h:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-20 15:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-1993962763-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{35FF3DB5-B1F9-448B-3FC7-6CED177A7C9C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oagpihefnphanpfngepnpkplhbkhlj"=hex:64,61,67,6e,69,6e,62,61,00,84
"oakolcohlajajeehcenikdpffabegp"=hex:6a,61,6c,6e,70,6c,66,64,6e,68,6b,67,67,6d,69,68,69,70,67,68,00,02
"naibbchnamilgnjlfiodjaoenkna"=hex:6a,61,67,6e,6e,6e,6c,63,61,69,62,67,6d,6c,64,70,68,70,6e,69,00,02
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
h:\program files\SUPERAntiSpyware\SASWINLO.DLL
h:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3888)
h:\windows\system32\WININET.dll
h:\progra~1\CHECKP~1\ZONEAL~1\MAILFR~1\mlfhook.dll
h:\windows\system32\ieframe.dll
h:\windows\system32\WPDShServiceObj.dll
h:\windows\system32\PortableDeviceTypes.dll
h:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
h:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
h:\program files\Bonjour\mDNSResponder.exe
h:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
h:\windows\system32\nvsvc32.exe
h:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
h:\windows\RTHDCPL.EXE
h:\windows\system32\RunDLL32.exe
h:\program files\iPod\bin\iPodService.exe
h:\program files\HP\Digital Imaging\bin\hpqimzone.exe
h:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
h:\progra~1\CHECKP~1\ZONEAL~1\MAILFR~1\mantispm.exe
.
**************************************************************************
.
Completion time: 2011-11-20 15:18:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-20 04:18
.
Pre-Run: 465,173,950,464 bytes free
Post-Run: 465,053,671,424 bytes free
.
- - End Of File - - 1D45384C8B75C8B3FDA5AFC35DC91036