
ALWAYS state the Windows version-edition!!!!! Not surprisingly, some PCs run different editions.

Please print out, read and follow the directions here, skipping any steps you are unable to complete.

Please reply here with the MBAM scan log

the DDS logs

the GMER log


You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not wildphill1 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

It is quite likely Tea Timer was blocking any fixes. You MUST turn it OFF.

How to disable Spybot-S&D temporarily

Start Spybot-S&D, switch to the Advanced mode via the menu bar item Mode, then select Advanced Mode.

On the left hand side, select Tools

Then click on the Resident icon in the list

Uncheck Resident TeaTimer and OK any prompts.

Now Logoff & Restart your computer fresh.

Step 2

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Step 3

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Right click on avenger.exe and select Run As Administrator to start The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Drivers to disable:
    fsgfiaoh

    Drivers to delete:
    fsgfiaoh

    Files to delete:
    C:\Windows\System32\drivers\fsgfiaoh.sys

    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler


  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

Step 4

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs.

Do NOT turn off the firewall.

If you have a prior copy of Combofix, delete it now!

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

Link 3

Note: It is important that it is saved directly to your Desktop and not run straight away from the download.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".

  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt.

Note:

Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

Reply with a copy of the C:\Avenger.txt log, and the C:\Combofix.txt log.

Do NOT use the attachment feature to post your reports!! ALWAYS use NOTEPAD and copy and paste the contents into the main body of the reply text-box.


Next step

Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

Using Internet Explorer browser only, go to ESET Online Scanner website:

http://www.eset.com/onlinescan/

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized that you should temporarily disable any PC-resident (active) antivirus program prior to any on-line scan by any on-line scanner.
      (And promptly re-enable it when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    • Do not use the system while the scan is running. Once the full scan is underway, go take a long break.

Step 2

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

  • the contents of Eset online report
  • the contents of OTL.txt
  • the contents of Extras.txt
  • the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=1ed5de3c76bda24896b168808d9967cd

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-05-02 02:03:44

# local_time=2010-05-02 03:03:44 (+0000, GMT Daylight Time)

# country="United Kingdom"

# lang=1033

# osver=6.0.6001 NT Service Pack 1

# compatibility_mode=512 16777215 100 0 78128 78128 0 0

# compatibility_mode=1536 16777215 100 0 0 0 0 0

# compatibility_mode=5892 16776573 100 95 71921423 110337060 0 0

# compatibility_mode=8192 67108863 100 0 1050 1050 0 0

# scanned=154665

# found=7

# cleaned=7

# scan_time=4703

C:\Qoobox\Quarantine\C\Windows\System32\drivers\MSIVXcidipmxvcmwtimyhchebsdmbtsomtinb.sys.vir.vir a variant of Win32/Kryptik.TV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\sam\AppData\Local\Mozilla\Firefox\Profiles\0qwohswq.default\Cache\1A2F053Cd01 JS/TrojanDownloader.FakeAlert.NAB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\wildphill\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\DoubleD\GamingHarbor Toolbar\4.1.4.20920\bin\stbup.exe Win32/Adware.DoubleD application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\wildphill\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\productinfo.dll Win32/Adware.DoubleD application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\wildphill\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\Setup.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

C:\Users\wildphill\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\stbup.exe Win32/Adware.DoubleD application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\wildphill\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\650996da-2327938f probably a variant of Java/TrojanDownloader.Agent.AB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

OTL logfile created on: 02/05/2010 15:06:24 - Run 1

OTL by OldTimer - Version 3.2.4.0 Folder = C:\Users\wildphill\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 63.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 137.05 Gb Total Space | 89.51 Gb Free Space | 65.31% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: WILDPHILL-PC

Current User Name: wildphill

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/02 15:06:07 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\wildphill\Desktop\OTL.exe

PRC - [2009/03/29 10:48:41 | 000,581,632 | ---- | M] (THOMSON Telecom Belgium) -- C:\Program Files\Thomson\ST330\service\st330service.exe

PRC - [2009/03/29 10:48:39 | 000,557,149 | ---- | M] (THOMSON Telecom Belgium) -- C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe

PRC - [2008/10/29 07:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2008/01/29 18:51:52 | 004,911,104 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe

PRC - [2006/11/02 13:35:35 | 000,176,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wpcumi.exe

========== Modules (SafeList) ==========

MOD - [2010/05/02 15:06:07 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\wildphill\Desktop\OTL.exe

MOD - [2008/01/21 03:24:37 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx

MOD - [2008/01/21 03:23:44 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SBSDWSCService)

SRV - File not found [Disabled | Stopped] -- -- (NMIndexingService)

SRV - File not found [Disabled | Stopped] -- -- (Nero BackItUp Scheduler 3)

SRV - File not found [On_Demand | Stopped] -- -- (gusvc)

SRV - [2009/09/06 13:38:06 | 000,071,096 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)

SRV - [2009/03/29 10:48:41 | 000,581,632 | ---- | M] (THOMSON Telecom Belgium) [Auto | Running] -- C:\Program Files\Thomson\ST330\service\st330service.exe -- (st330service)

SRV - [2008/01/21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

========== Driver Services (SafeList) ==========

DRV - [2010/01/12 13:03:34 | 011,586,280 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)

DRV - [2009/12/06 11:07:53 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)

DRV - [2009/09/28 21:57:28 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)

DRV - [2009/03/29 10:48:40 | 000,035,328 | ---- | M] (THOMSON Telecom Belgium) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stppp.sys -- (stppp)

DRV - [2009/03/29 10:48:40 | 000,030,464 | ---- | M] (THOMSON Telecom Belgium) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\st330.sys -- (ST330)

DRV - [2009/03/29 10:48:40 | 000,012,672 | ---- | M] (THOMSON Telecom Belgium) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stbus.sys -- (STBUS)

DRV - [2008/01/30 11:34:20 | 002,058,528 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2008/01/21 03:23:49 | 000,007,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\umpass.sys -- (UMPass)

DRV - [2008/01/21 03:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)

DRV - [2008/01/21 03:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)

DRV - [2008/01/21 03:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)

DRV - [2008/01/21 03:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)

DRV - [2008/01/21 03:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)

DRV - [2008/01/21 03:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)

DRV - [2008/01/21 03:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)

DRV - [2008/01/21 03:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)

DRV - [2008/01/21 03:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)

DRV - [2008/01/21 03:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®

DRV - [2008/01/21 03:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)

DRV - [2008/01/21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)

DRV - [2008/01/21 03:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)

DRV - [2008/01/21 03:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)

DRV - [2008/01/21 03:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)

DRV - [2008/01/21 03:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)

DRV - [2008/01/21 03:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)

DRV - [2008/01/21 03:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)

DRV - [2008/01/21 03:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)

DRV - [2008/01/21 03:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)

DRV - [2008/01/21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)

DRV - [2008/01/21 03:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)

DRV - [2008/01/21 03:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)

DRV - [2008/01/21 03:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)

DRV - [2008/01/21 03:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)

DRV - [2007/12/24 17:37:00 | 000,138,384 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\tmcomm.sys -- (tmcomm)

DRV - [2007/10/31 11:23:22 | 000,124,960 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvrd32.sys -- (nvrd32)

DRV - [2007/10/31 11:23:20 | 000,115,744 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)

DRV - [2007/10/12 15:53:10 | 000,013,312 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvsmu.sys -- (nvsmu)

DRV - [2006/11/02 10:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)

DRV - [2006/11/02 10:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)

DRV - [2006/11/02 10:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)

DRV - [2006/11/02 10:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)

DRV - [2006/11/02 10:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)

DRV - [2006/11/02 10:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)

DRV - [2006/11/02 10:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)

DRV - [2006/11/02 10:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)

DRV - [2006/11/02 10:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)

DRV - [2006/11/02 10:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)

DRV - [2006/11/02 10:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)

DRV - [2006/11/02 09:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)

DRV - [2006/11/02 09:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)

DRV - [2006/11/02 09:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)

DRV - [2006/11/02 09:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)

DRV - [2006/11/02 09:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)

DRV - [2006/11/02 09:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)

DRV - [2006/11/02 08:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)

DRV - [2006/11/02 08:30:56 | 000,044,544 | ---- | M] (Realtek Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/04 23:58:13 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/04 23:58:13 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/03/18 19:09:05 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2009/04/05 12:26:24 | 000,000,000 | ---D | M] -- C:\Users\wildphill\AppData\Roaming\Mozilla\Extensions

[2009/10/30 09:01:57 | 000,000,000 | ---D | M] -- C:\Users\wildphill\AppData\Roaming\Mozilla\Firefox\Profiles\i3mr301o.default\extensions

[2010/05/02 10:02:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2008/04/15 23:34:05 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\packardbell@partners.mozilla.com

[2008/09/04 01:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll

[2010/03/22 00:34:36 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml

[2010/03/22 00:34:36 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml

[2010/03/22 00:34:36 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml

[2010/03/22 00:34:36 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/05/02 10:08:31 | 000,393,089 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost


O1 - Hosts: 13577 more lines...

O4 - HKLM..\Run: [diagnostics] C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe (THOMSON Telecom Belgium)

O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)

O4 - HKLM..\Run: [WPCUMI] C:\Windows\System32\wpcumi.exe (Microsoft Corporation)

O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Users\wildphill\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O24 - Desktop BackupWallPaper: C:\Users\wildphill\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\AUTOEXEC.BAK -- [ NTFS ]

O32 - AutoRun File - [2009/06/15 18:26:32 | 000,000,052 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/05/02 15:05:29 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Users\wildphill\Desktop\OTL.exe

[2010/05/02 13:28:02 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2010/05/02 10:52:33 | 000,000,000 | ---D | C] -- C:\Windows\Sun

[2010/05/02 09:37:34 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2010/05/02 09:37:30 | 000,000,000 | ---D | C] -- C:\Users\wildphill\AppData\Local\temp

[2010/05/02 09:35:15 | 000,000,000 | ---D | C] -- C:\Windows\temp

[2010/05/02 09:27:49 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2010/05/02 09:27:49 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2010/05/02 09:27:49 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2010/05/02 09:27:44 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT

[2010/05/02 09:27:21 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/05/02 09:27:06 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe

[2010/05/01 20:15:13 | 000,000,000 | ---D | C] -- C:\Avenger

[2010/05/01 16:03:24 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2010/05/01 15:44:17 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos

[2010/05/01 14:02:36 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker

[2010/04/28 12:14:05 | 000,000,000 | ---D | C] -- C:\Users\wildphill\Desktop\Plan B - Who Needs Actions When You Got Words

[2010/04/13 09:52:40 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\MCE Logs

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/02 15:06:42 | 006,553,600 | -HS- | M] () -- C:\Users\wildphill\ntuser.dat

[2010/05/02 15:06:07 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\wildphill\Desktop\OTL.exe

[2010/05/02 15:05:30 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2010/05/02 15:05:30 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2010/05/02 12:18:58 | 000,013,346 | ---- | M] () -- C:\Users\wildphill\Desktop\images.jpg

[2010/05/02 12:18:03 | 000,038,350 | ---- | M] () -- C:\Users\wildphill\Desktop\sorenguns.jpg

[2010/05/02 10:25:27 | 000,020,661 | ---- | M] () -- C:\Users\wildphill\Desktop\LEGO-guns.jpg

[2010/05/02 10:08:31 | 000,393,089 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2010/05/02 09:35:34 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini

[2010/05/02 09:22:34 | 000,747,142 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI

[2010/05/02 09:22:34 | 000,638,346 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2010/05/02 09:22:34 | 000,121,342 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2010/05/02 09:16:58 | 000,035,275 | ---- | M] () -- C:\ProgramData\nvModes.dat

[2010/05/02 09:16:58 | 000,035,275 | ---- | M] () -- C:\ProgramData\nvModes.001

[2010/05/02 09:16:35 | 000,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl

[2010/05/02 09:16:33 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2010/05/02 09:16:28 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010/05/02 09:15:41 | 000,524,288 | -HS- | M] () -- C:\Users\wildphill\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms

[2010/05/02 09:15:41 | 000,065,536 | -HS- | M] () -- C:\Users\wildphill\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf

[2010/05/02 09:14:48 | 000,002,531 | ---- | M] () -- C:\Users\wildphill\Desktop\HiJackThis.lnk

[2010/05/02 00:02:46 | 000,002,076 | ---- | M] () -- C:\Users\wildphill\AppData\Roaming\wklnhst.dat

[2010/05/01 20:13:40 | 000,724,952 | ---- | M] () -- C:\Users\wildphill\Desktop\avenger.zip

[2010/05/01 16:56:56 | 000,008,704 | ---- | M] () -- C:\Users\wildphill\Desktop\mbam-log-2010-05-01 (16-56-39).wps

[2010/05/01 16:47:08 | 193,047,824 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2010/05/01 16:20:59 | 000,000,020 | ---- | M] () -- C:\Users\wildphill\defogger_reenable

[2010/05/01 16:16:37 | 000,293,376 | ---- | M] () -- C:\Users\wildphill\Desktop\xgld0znj.exe

[2010/05/01 16:15:57 | 000,525,824 | ---- | M] () -- C:\Users\wildphill\Desktop\dds.scr

[2010/05/01 16:15:25 | 000,050,477 | ---- | M] () -- C:\Users\wildphill\Desktop\Defogger.exe

[2010/05/01 15:22:46 | 000,000,438 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.ics

[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2010/04/28 12:19:10 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf

[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\Windows\PEV.exe

[2010/04/21 14:25:04 | 000,090,112 | ---- | M] () -- C:\Users\wildphill\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/04/19 12:06:01 | 000,001,176 | ---- | M] () -- C:\Users\wildphill\AppData\Roaming\vso_ts_preview.xml

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/02 10:26:18 | 000,013,346 | ---- | C] () -- C:\Users\wildphill\Desktop\images.jpg

[2010/05/02 10:25:55 | 000,038,350 | ---- | C] () -- C:\Users\wildphill\Desktop\sorenguns.jpg

[2010/05/02 10:25:27 | 000,020,661 | ---- | C] () -- C:\Users\wildphill\Desktop\LEGO-guns.jpg

[2010/05/02 09:27:49 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe

[2010/05/02 09:27:49 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2010/05/02 09:27:49 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2010/05/02 09:27:49 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe

[2010/05/02 09:27:49 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2010/05/01 20:13:56 | 000,731,136 | ---- | C] () -- C:\Users\wildphill\Desktop\avenger.exe

[2010/05/01 20:13:36 | 000,724,952 | ---- | C] () -- C:\Users\wildphill\Desktop\avenger.zip

[2010/05/01 16:56:56 | 000,008,704 | ---- | C] () -- C:\Users\wildphill\Desktop\mbam-log-2010-05-01 (16-56-39).wps

[2010/05/01 16:20:43 | 000,000,020 | ---- | C] () -- C:\Users\wildphill\defogger_reenable

[2010/05/01 16:16:28 | 000,293,376 | ---- | C] () -- C:\Users\wildphill\Desktop\xgld0znj.exe

[2010/05/01 16:15:33 | 000,525,824 | ---- | C] () -- C:\Users\wildphill\Desktop\dds.scr

[2010/05/01 16:15:25 | 000,050,477 | ---- | C] () -- C:\Users\wildphill\Desktop\Defogger.exe

[2010/05/01 16:03:25 | 000,002,531 | ---- | C] () -- C:\Users\wildphill\Desktop\HiJackThis.lnk

[2010/05/01 12:23:01 | 000,002,076 | ---- | C] () -- C:\Users\wildphill\AppData\Roaming\wklnhst.dat

[2010/04/28 12:19:10 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf

[2009/10/22 14:51:36 | 000,007,168 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys

[2009/04/09 16:45:13 | 000,168,448 | ---- | C] () -- C:\Windows\System32\unrar.dll

[2009/04/09 16:45:11 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll

[2009/04/09 16:45:11 | 000,795,648 | ---- | C] () -- C:\Windows\System32\xvidcore.dll

[2009/04/09 16:45:11 | 000,130,048 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll

[2009/04/09 16:45:09 | 000,067,584 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll

[2009/04/09 16:45:09 | 000,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest

[2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2010/04/30 09:57:41 | 000,000,000 | ---D | M] -- C:\Users\wildphill\AppData\Roaming\BitTorrent

[2009/11/23 11:05:08 | 000,000,000 | ---D | M] -- C:\Users\wildphill\AppData\Roaming\Canneverbe Limited

[2009/10/22 14:52:24 | 000,000,000 | ---D | M] -- C:\Users\wildphill\AppData\Roaming\Canneverbe_Limited

[2009/12/06 11:12:03 | 000,000,000 | ---D | M] -- C:\Users\wildphill\AppData\Roaming\DAEMON Tools Lite

[2009/04/09 11:37:54 | 000,000,000 | ---D | M] -- C:\Users\wildphill\AppData\Roaming\DNA

[2009/12/28 22:56:05 | 000,000,000 | ---D | M] -- C:\Users\wildphill\AppData\Roaming\Doblon

[2009/04/23 09:01:18 | 000,000,000 | ---D | M] -- C:\Users\wildphill\AppData\Roaming\Template

[2009/04/03 15:29:13 | 000,000,000 | ---D | M] -- C:\Users\wildphill\AppData\Roaming\Thunderbird

[2010/04/19 12:06:02 | 000,000,000 | ---D | M] -- C:\Users\wildphill\AppData\Roaming\Vso

[2010/05/02 00:18:59 | 000,032,644 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:8CE646EE

@Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:CB0AACC9

< End of report >


OTL Extras logfile created on: 02/05/2010 15:06:24 - Run 1

OTL by OldTimer - Version 3.2.4.0 Folder = C:\Users\wildphill\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 63.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 137.05 Gb Total Space | 89.51 Gb Free Space | 65.31% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: WILDPHILL-PC

Current User Name: wildphill

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.exe [@ = exefile] -- Reg Error: Key error. File not found

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"EnableFirewall" = 0

"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{0910D292-9B6D-4A93-99C8-3E73344B1990}" = lport=10244 | protocol=6 | dir=in | app=system |

"{09BDC1F2-5C70-4061-A268-D1078821787A}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

"{1F94A3B2-52DF-452A-B27C-4ECD744ACE23}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{20D118E1-FE85-4637-AE64-EF690B4EDA66}" = lport=139 | protocol=6 | dir=in | app=system |

"{37C313A4-C92F-401A-8379-DC3CF57B9E8C}" = lport=138 | protocol=17 | dir=in | app=system |

"{45D0DBFE-86F7-492A-A243-638C3AAE6397}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |

"{4E3692CF-F418-4458-BECE-3C286A91B9FE}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |

"{5CC22C6E-E70F-4517-836A-6351FA6C5C33}" = rport=138 | protocol=17 | dir=out | app=system |

"{61D59481-C91F-45EA-B927-F57D6C28BAC4}" = lport=3390 | protocol=6 | dir=in | app=system |

"{66E3A3F3-C36D-41B9-B58C-A4EB816A6DB3}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{726CF986-E7B1-4184-821B-6B2BD5737080}" = rport=10244 | protocol=6 | dir=out | app=system |

"{7EFE6722-9D0E-417A-80C5-F02BD3653CAB}" = lport=445 | protocol=6 | dir=in | app=system |

"{82F563A4-6C41-49F9-BFC7-7711003A53AA}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

"{86DB434D-49BB-42E6-8926-1E6B8DD2035B}" = rport=139 | protocol=6 | dir=out | app=system |

"{94334C1D-EEAD-45C3-AD8B-505F66D4A9F5}" = lport=137 | protocol=17 | dir=in | app=system |

"{99DFE602-BCAF-4A34-9C8D-57C9F1BF2F38}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{9B8402C6-F3DA-4BE3-BA5A-1F089D6994A8}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |

"{A8F82280-D1B8-4AD6-9DC2-9EC744058D57}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{AC7EC6C7-9B46-4EE9-9C20-058CA1F0E0FE}" = rport=10244 | protocol=6 | dir=out | app=system |

"{B48CEC4B-3D50-4267-8996-EEB134FAB3FC}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{B8BD2445-8322-4A7E-97AC-C45254A7EBF9}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{CBEB9C6B-70F3-4258-B42A-4EE950A30633}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |

"{CDBE044B-4A41-4850-8EAD-BA559105C584}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{CE0B947B-7BD6-4A87-95CE-1FAA49549315}" = rport=137 | protocol=17 | dir=out | app=system |

"{D07FA7B3-5CCD-4815-8C3F-0DEB858169BC}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{D1014445-19FA-411E-AEA6-91B62E8DEA18}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{E4352E48-CFEE-43EC-AAD6-B0C700C79EF1}" = lport=10244 | protocol=6 | dir=in | app=system |

"{E7602D45-BD3B-4552-9AA5-F71AFA1B944B}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{F2A546F9-4A47-4653-8CC0-8330B8ABEF03}" = rport=445 | protocol=6 | dir=out | app=system |

"{F739D611-F01C-4558-91DB-7F842C4C1FFB}" = lport=3390 | protocol=6 | dir=in | app=system |

"{FA80C3AF-2F49-4C51-A413-0D106B777A9A}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{FC044A2F-2397-4BE4-B57E-18C5C080DB07}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{06F54C51-9349-47F6-B269-4B13EFC8F151}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |

"{077105FF-D479-4D81-8747-1A6DBAD2FF83}" = protocol=17 | dir=in | app=c:\program files\thomson\st330\service\st330service.exe |

"{0A8A7671-A9AB-47B4-B488-EC6CEA477126}" = protocol=6 | dir=in | app=c:\users\wildphill\appdata\local\temp\installer.exe |

"{0C104C1C-EFB2-4C6A-A657-B63E05013670}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |

"{204E1CEF-5867-4248-B511-FC3A1E19CB6D}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |

"{24E70FE3-5DF7-4653-B62A-82BF349C8A22}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |

"{34622CBD-C2A5-4285-90DC-2F2017B8C9F5}" = protocol=17 | dir=in | app=c:\users\wildphill\appdata\local\temp\installer.exe |

"{3B40C6ED-4846-4B7A-8383-95D94F84DFF4}" = protocol=6 | dir=in | app=c:\program files\thomson\st330\service\st330service.exe |

"{7C7FB38B-0847-48C4-B60D-2F58452E08F1}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |

"{8111DCA6-71E4-44A0-9FF6-3850661285CD}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |

"{8EB12C13-BEBB-4E6F-A72D-7B5164E654F6}" = protocol=6 | dir=in | app=c:\program files\dna\btdna.exe |

"{A6399056-63AA-4E43-8441-868482D384CF}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |

"{B2E3BA30-E557-4378-B76F-549E9EE124FF}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |

"{B6BEE10C-4EB0-440D-AF79-D652623F296C}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |

"{B71C0B5F-15FA-4097-AEA8-6741E610D425}" = protocol=17 | dir=in | app=c:\program files\dna\btdna.exe |

"{DA980411-366A-4022-A732-7D7355F5145D}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |

"{DFB1C3AB-9436-4398-914A-2753D2FBD1CD}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |

"{E828D17E-E266-4D7A-90BE-328F669D4763}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |

"{EFA4203B-6089-4B21-8B8F-904BC6CD6F94}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |

"{F3A99A6F-E90A-402C-B4EA-581DFA0B35DE}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |

"TCP Query User{72796DEA-CA41-470F-9AFE-616125F65039}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |

"TCP Query User{BA618611-6F6B-4FE6-8F8A-C142C76B984F}C:\program files\bittorrent\bittorrent.exe" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |

"UDP Query User{31862491-757E-4E76-B053-3922965E863D}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |

"UDP Query User{5F5B9C84-D672-47F5-9C24-6326D024A1E9}C:\program files\bittorrent\bittorrent.exe" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1

"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java 6 Update 15

"{2E97F7E8-ABDE-4E0D-B0AD-B6B4BAD89E24}" = Rome - Total War

"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup

"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll

"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector

"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis

"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml

"{58BAA8D0-404E-4585-9FD3-ED1BB72AC2EE}" = Adobe Flash Player 9 ActiveX

"{5A347920-4AFC-11D5-9FB0-800649886934}" = SDFormatter

"{67E03279-F703-408F-B4BF-46B5FC8D70CD}" = Microsoft Works

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{76C24F39-B161-498F-BD8B-C64789812D13}_is1" = ConvertXtoDVD 3.6.13.178

"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{95120000-003F-0409-0000-0000000FF1CE}" = Microsoft Office Excel Viewer

"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)

"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows

"{AB7032FF-AFED-4C58-AA5C-8473B273793A}" = HDReg

"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{BDE1289F-4025-41A5-AD17-101DB4D82CA7}" = TRS2004

"{C0698BDA-0D29-40EE-8570-A31106DF9AB1}" = Medieval II Total War

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser

"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{FD69C8CB-6964-432C-98AB-A5A09ED50EEA}" = Barbarian Invasion

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe Shockwave Player" = Adobe Shockwave Player

"AdobeReader" = Adobe Reader 8.1.0

"AUDIO_REALTEK" = Realtek HD Audio V6.0.1.5559

"Broken Crescent" = Broken Crescent

"EAW_Campaigns_for_OP" = EAW Single-Player Campaigns for SFC:OP - 20030330 (remove only)

"ESET Online Scanner" = ESET Online Scanner v3

"FirefoxGB" = Firefox

"Fishdom1.0" = Fishdom

"HeavyMetal_Plus" = HeavyMetal Plus

"ImageWriter" = Packard Bell ImageWriter

"KLiteCodecPack_is1" = K-Lite Codec Pack 4.7.5 (Full)

"LCDTest" = Packard Bell LCD Test

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"MechWarrior Mercenaries" = MechWarrior 4 Mercenaries

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)

"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)

"NVIDIA Display Control Panel" = NVIDIA Display Control Panel

"NVIDIA Drivers" = NVIDIA Drivers

"Picasa_2" = Picasa2

"Picasa2" = Picasa 2

"SETUPMYPC_GB" = SetUp My PC

"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.0

"SpeedTouch 330" = SpeedTouch 330

"Starfleet Command Orion Pirates" = Starfleet Command Orion Pirates

"Unlocker" = Unlocker 1.8.9

"Updator" = Packard Bell Updator

"VIDEO_NVIDIA_GOB" = Video NVIDIA V163.96

"WinRAR archiver" = WinRAR archiver

"WinSPMBT CD Edition" = WinSPMBT CD Edition

"works9se" = Microsoft Works 9 SE

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"BitTorrent" = BitTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 26/04/2010 02:59:05 | Computer Name = wildphill-PC | Source = WinMgmt | ID = 10

Description =

Error - 27/04/2010 02:58:23 | Computer Name = wildphill-PC | Source = WinMgmt | ID = 10

Description =

Error - 28/04/2010 03:03:51 | Computer Name = wildphill-PC | Source = WinMgmt | ID = 10

Description =

Error - 28/04/2010 03:04:31 | Computer Name = wildphill-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083

Description =

Error - 28/04/2010 10:19:06 | Computer Name = wildphill-PC | Source = RasClient | ID = 20227

Description =

Error - 28/04/2010 10:20:09 | Computer Name = wildphill-PC | Source = RasClient | ID = 20227

Description =

Error - 28/04/2010 10:20:52 | Computer Name = wildphill-PC | Source = RasClient | ID = 20227

Description =

Error - 28/04/2010 10:21:25 | Computer Name = wildphill-PC | Source = RasClient | ID = 20227

Description =

Error - 29/04/2010 02:16:22 | Computer Name = wildphill-PC | Source = WinMgmt | ID = 10

Description =

Error - 30/04/2010 03:08:58 | Computer Name = wildphill-PC | Source = WinMgmt | ID = 10

Description =

[ System Events ]

Error - 08/10/2009 02:27:55 | Computer Name = wildphill-PC | Source = HTTP | ID = 15016

Description =

Error - 08/10/2009 02:27:58 | Computer Name = wildphill-PC | Source = Service Control Manager | ID = 7000

Description =

Error - 08/10/2009 02:28:30 | Computer Name = wildphill-PC | Source = cdrom | ID = 262151

Description = The device, \Device\CdRom0, has a bad block.

Error - 08/10/2009 03:27:57 | Computer Name = wildphill-PC | Source = Server | ID = 2505

Description = The server could not bind to the transport \Device\NetBT_Tcpip_{0E7DF90C-B91D-409A-A941-2A637212EA20} because another computer on the network has the same name. The server could not start.

Error - 08/10/2009 12:31:12 | Computer Name = wildphill-PC | Source = cdrom | ID = 262151

Description = The device, \Device\CdRom0, has a bad block.

Error - 09/10/2009 02:16:24 | Computer Name = wildphill-PC | Source = HTTP | ID = 15016

Description =

Error - 09/10/2009 02:16:26 | Computer Name = wildphill-PC | Source = Service Control Manager | ID = 7000

Description =

Error - 09/10/2009 02:17:40 | Computer Name = wildphill-PC | Source = cdrom | ID = 262151

Description = The device, \Device\CdRom0, has a bad block.

Error - 09/10/2009 03:26:58 | Computer Name = wildphill-PC | Source = Server | ID = 2505

Description = The server could not bind to the transport \Device\NetBT_Tcpip_{0E7DF90C-B91D-409A-A941-2A637212EA20} because another computer on the network has the same name. The server could not start.

Error - 09/10/2009 13:49:12 | Computer Name = wildphill-PC | Source = cdrom | ID = 262151

Description = The device, \Device\CdRom0, has a bad block.

< End of report >

Results of screen317's Security Check version 0.99.4

Windows Vista Service Pack 1 (UAC is enabled)

Out of date service pack!!

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 15

Out of date Java installed!

Adobe Flash Player 9 (Out of date Flash Player installed!)

Adobe Flash Player 10.0.32.18

Adobe Reader 8.1.0

Out of date Adobe Reader installed!

Mozilla Thunderbird (2.0.0) Thunderbird Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


You need to disable Spybot's Tea Timer, otherwise it blocks (reverses) needed changes.

Start Spybot-S&D, switch to the Advanced mode via the menu bar item Mode

then select Advanced Mode

On the left hand side, select Tools

Then click on the Resident icon in the list

Uncheck Resident TeaTimer and OK any prompts.

Now Logoff & Restart your computer fresh.

These logs do not show an antivirus program on this system. You must have one right away.

If cost is an issue, you may consider the following free ones (free for non-commercial use):

You may get MS Security Essentials http://www.microsoft.com/security_essentials/default.aspx

or Avira Antivir http://www.free-av.com

De-install BitTorrent. This type of program opens doors to malware infections.

I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

P2P file sharing: Know the risks

De-install your Adobe Reader: Adobe Reader 8.1.0.

Get the latest version from http://get.adobe.com/reader/

The java runtime needs to be updated and older versions removed:

See this topic in the AumHa Security forum and get the latest Java run-time

http://aumha.net/viewtopic.php?f=26&t=43792

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon (looks like a coffee cup).
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - Leave BOTH Checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window.

Small tweaks for Java runtime, since most all users do not need to load Java at each Windows startup:

Click Advanced Tab. Expand the Miscellaneous item.

UN-check the line Java quick starter

If you want to also un-check the "Check for updates automatically" you may:

Click the Update tab. Un-check the line if it is checked.

Press Apply then OK. Close the applet when done.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: Java 6 Update 20 from Sun Microsystems Inc.

Please download >> DrWeb-CureIt << and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:

  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


Temporarily disable your antivirus before starting this next online scan.

Once this is started, do not use the pc to do any other jobs/programs/tasks.

Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

Read the Information block presented on the screen, and then press the Accept button.

1) Accept the agreement

2) The necessary files will be downloaded and installed. Please have plenty of patience.

3) After Kaspersky AntiVirus Database is updated, look at the Scan box.

4) Click the My Computer line

5) Be infinitely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware

6) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.

Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or other quarantine.

Kaspersky is a report only and does not remove files.

Reply with copy of the Kaspersky.txt report

How is your system now?


here is the result of the scan

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Tuesday, May 4, 2010

Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Tuesday, May 04, 2010 04:40:09

Records in database: 4043648

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Objects scanned: 151576

Threats found: 0

Infected objects found: 0

Suspicious objects found: 0

Scan duration: 02:11:58

No threats found. Scanned area is clean.

Selected area has been scanned.

my system is not showing any signs of strange behaviour

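The Kaspersky Online Scanner report above is plain text, and the verdict the helper asks for ("Threats found: 0" plus the "No threats found" banner) is easy to misread when a report is long or has been trimmed by copy/paste. The following parser is an added example for this thread, not a Kaspersky tool and not code from anyone in the thread. Its header and statistics handling follows the report posted above verbatim; the layout of per-file detection lines (path, tab, "Infected: <name>" or "Suspicious: <name>", tab, count) is an assumption, since the posted report contains no detections, and the infected sample, its paths and the quarantine-folder heuristic are constructed for illustration.

```python
"""Parse Kaspersky Online Scanner 7.0 text reports and derive a verdict.

Added example for this thread; not Kaspersky's own code. The header and
statistics layout is copied from the report posted in the thread. The
per-file detection line layout is ASSUMED: <path> TAB <Kind>: <name> TAB <count>.
"""
import re

# Constructed sample 1: the clean report posted in the thread (abridged).
CLEAN_REPORT = """\
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, May 4, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, May 04, 2010 04:40:09
Records in database: 4043648
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\\
D:\\
Scan statistics:
Objects scanned: 151576
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:11:58
No threats found. Scanned area is clean.
Selected area has been scanned.
"""

# Constructed sample 2: same header shape, three detections. Paths, threat
# names and the detection-line layout are assumptions, not a real report.
INFECTED_REPORT = """\
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, May 4, 2010
Scan area - My Computer:
C:\\
Scan statistics:
Objects scanned: 151576
Threats found: 3
Infected objects found: 2
Suspicious objects found: 1
Scan duration: 02:11:58
File name / Threat name / Threats count
C:\\Users\\example\\AppData\\Local\\Temp\\setup.tmp\tInfected: Trojan.Win32.Example.a\t1
C:\\Users\\example\\Downloads\\tool.exe\tSuspicious: Heuristic.Example\t1
C:\\ProgramData\\ExampleAV\\Quarantine\\quar1.quar\tInfected: Trojan.Win32.Example.b\t1
"""

# Assumed layout of a detection line (see module docstring).
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\t+(?P<kind>Infected|Suspicious): (?P<name>.+?)\t+(?P<count>\d+)\s*$"
)

# Assumed marker for files already sitting in another tool's quarantine folder;
# the thread notes that such hits are expected and not a live infection.
QUARANTINE_MARKER = "\\quarantine\\"


def parse_report(text):
    """Return {"fields": {...}, "scan_areas": [...], "detections": [...], "clean_banner": bool}."""
    report = {"fields": {}, "scan_areas": [], "detections": [], "clean_banner": False}
    in_areas = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or set(line.strip()) == {"-"}:
            continue  # blank line or "-----" separator
        m = DETECTION_RE.match(line)
        if m:
            report["detections"].append({
                "path": m.group("path"), "kind": m.group("kind"),
                "name": m.group("name"), "count": int(m.group("count")),
            })
            continue
        if line.startswith("Scan area"):
            in_areas = True          # drive/folder list follows
            continue
        if line.startswith("Scan statistics"):
            in_areas = False         # back to "Key: value" lines
            continue
        if in_areas:
            report["scan_areas"].append(line.strip())
            continue
        if line.startswith("No threats found"):
            report["clean_banner"] = True
            continue
        if ": " in line:
            key, value = line.split(": ", 1)   # first ": " only; times contain ':'
            value = value.strip()
            report["fields"][key.strip()] = int(value) if value.isdigit() else value
    return report


def verdict(report):
    """'clean', 'infected', or 'inconsistent' (report truncated or self-contradicting)."""
    claimed = report["fields"].get("Threats found")
    listed = sum(d["count"] for d in report["detections"])
    if claimed is None or claimed != listed:
        return "inconsistent"   # statistics missing, or counts disagree with the file list
    if claimed == 0:
        return "clean" if report["clean_banner"] else "inconsistent"
    return "infected"


def active_detections(report):
    """Detections outside a quarantine folder, i.e. the ones that still need action."""
    return [d for d in report["detections"] if QUARANTINE_MARKER not in d["path"].lower()]


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_REPORT), ("infected", INFECTED_REPORT)):
        r = parse_report(text)
        print(name, verdict(r), [d["name"] for d in active_detections(r)])
```

The "inconsistent" verdict is the part worth keeping: a pasted report whose statistics block is missing, or whose "Threats found" count does not match the listed files, should be re-requested rather than read as clean.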

Very good.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (combofix.exe!), put that name in the RUN box stated just below.

The "/uninstall" in the command line below is to start Combofix for its cleanup & removal function.

Note the space after exe and before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    In the command box that opens, type or copy/paste
    c:\users\wildphill\Desktop\ComboFix.exe /uninstall
    and then press ENTER key.

  • Please RIGHT-click OTL.exe and select Run As Administrator to start it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

Start button > in Start menu -- Control Panel > Uninstall a Program (listed under Programs).

{In Classic view, double click Program and features}.

Look for ESET Online Scanner

Select Change/Remove to de-install it.

Un-install Eset online scan.

Also un-install Kaspersky Online

OK & Exit out of Control Panel

We are finished here. Best regards.

Stay safe!

Since this issue is resolved I will close the thread to prevent others from posting here.

All Others needing assistance please start your own topic and someone will be happy to assist you.
