news.11.today.com popups

Begbie · May 27, 2010

Similar to http://forums.malwarebytes.org/index.php?s...mp;#entry256589 I am getting random popups, mainly news.11.today.com. Adaware and MBAM are not picking anything up.

I would be grateful for any help.

Please be aware that RkU detects a parasite inside itself when run and recommends removing it!!!

___________________________________________________

HJT log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:53:24, on 27/05/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

C:\Program Files\Labtec\Mouse\V3.0\moffice.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Labtec\Mouse\V3.0\MOUSE32A.EXE

D:\Program Files\WinZip Pro\WZQKPICK.EXE

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\ATKKBService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\cidaemon.exe

D:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\cidaemon.exe

D:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/home/?ai=13054

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2

R3 - URLSearchHook: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyBa.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ladklq.exe,

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\Real\rpbrowserrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyBa.dll

O3 - Toolbar: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyBa.dll

O4 - HKLM\..\Run: [unlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H

O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Mouse\V3.0\moffice.exe

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~2\Help\SMARTB~3\BTHelpNotifier.exe

O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe

O4 - HKLM\..\RunOnce: [uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - S-1-5-18 Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')

O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe

O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip Pro\WZQKPICK.EXE

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Google Update Service (gupdate1ca3b719fe19692) (gupdate1ca3b719fe19692) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Visibroker Activation Daemon (oad) - Unknown owner - D:\Inprise\vbroker\bin\oad.exe

O23 - Service: VisiBroker Smart Agent (osagent) - Unknown owner - D:\Inprise\vbroker\bin\osagent.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--

End of file - 7547 bytes

________________________________________________

OTL.txt

OTL logfile created on: 27/05/2010 20:06:18 - Run 2

OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 70.00% Memory free

5.00 Gb Paging File | 4.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.88 Gb Total Space | 201.25 Gb Free Space | 86.42% Space Free | Partition Type: NTFS

Drive D: | 465.76 Gb Total Space | 317.34 Gb Free Space | 68.13% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: PAUL

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)

PRC - D:\Program Files\WinZip Pro\WZQKPICK.EXE (WinZip Computing, S.L.)

PRC - D:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

PRC - C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)

PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)

PRC - C:\Program Files\Labtec\Mouse\V3.0\moffice.exe ()

PRC - C:\Program Files\Labtec\Mouse\V3.0\mouse32a.exe ()

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Unlocker\UnlockerAssistant.exe ()

PRC - C:\Program Files\Windows NT\Accessories\wordpad.exe (Microsoft Corporation)

PRC - C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)

PRC - C:\WINDOWS\ATKKBService.exe (ASUSTeK COMPUTER INC.)

PRC - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (Rocket Division Software)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\Program Files\Labtec\Mouse\V3.0\mouDL32A.dll ()

MOD - C:\Program Files\Unlocker\UnlockerHook.dll ()

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (ACDaemon) -- File not found

SRV - (getPlusHelper) getPlus® -- C:\Program Files\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.)

SRV - (avg9wd) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

SRV - (avg9emc) -- C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)

SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies, Inc.)

SRV - (SNMP) -- C:\WINDOWS\system32\snmp.exe (Microsoft Corporation)

SRV - (LPDSVC) -- C:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)

SRV - (W3SVC) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)

SRV - (SMTPSVC) Simple Mail Transfer Protocol (SMTP) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)

SRV - (IISADMIN) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)

SRV - (ATKKeyboardService) -- C:\WINDOWS\ATKKBService.exe (ASUSTeK COMPUTER INC.)

SRV - (StarWindServiceAE) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (Rocket Division Software)

SRV - (usnjsvc) -- C:\Program Files\MSN Messenger\usnsvc.exe (Microsoft Corporation)

SRV - (YPCService) -- C:\WINDOWS\system32\YPcservice.exe (Yahoo! Inc.)

SRV - (osagent) -- D:\Inprise\vbroker\bin\osagent.exe ()

SRV - (oad) -- D:\Inprise\vbroker\bin\oad.exe ()

========== Driver Services (SafeList) ==========

DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)

DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)

DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)

DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()

DRV - (RTHDMIAzAudService) -- C:\WINDOWS\system32\drivers\RtHDMI.sys (Realtek Semiconductor Corp.)

DRV - (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)

DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)

DRV - (MPE) -- C:\WINDOWS\system32\drivers\MPE.sys (Microsoft Corporation)

DRV - (asusgsb) -- C:\WINDOWS\system32\drivers\asusgsb.sys (ASUSTeK Computer Inc.)

DRV - (Video3D) -- C:\WINDOWS\system32\drivers\Video3D32.sys (ASUSTeK COMPUTER INC.)

DRV - (asuskbnt) -- C:\WINDOWS\system32\drivers\atkkbnt.sys (ASUSTeK COMPUTER INC.)

DRV - (PhilCap) -- C:\WINDOWS\system32\drivers\PhilCap.sys (NXP Semiconductors Germany GmbH)

DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)

DRV - (ASUSVRC) -- C:\WINDOWS\system32\drivers\AsusVRC.sys (ASUSTeK COMPUTER INC.)

DRV - (RTL8169) -- C:\WINDOWS\system32\drivers\Rtlh86.sys (Realtek Corporation)

DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\AtiHdAud.sys (ATI Research Inc.)

DRV - (AsIO) -- C:\WINDOWS\system32\drivers\AsIO.sys ()

DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )

DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)

DRV - (btaudio) -- C:\WINDOWS\system32\drivers\btaudio.sys (Broadcom Corporation.)

DRV - (BTKRNL) -- C:\WINDOWS\system32\drivers\btkrnl.sys (Broadcom Corporation.)

DRV - (BTDriver) -- C:\WINDOWS\system32\drivers\btport.sys (Broadcom Corporation.)

DRV - (BTWDNDIS) -- C:\WINDOWS\system32\drivers\btwdndis.sys (Broadcom Corporation.)

DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)

DRV - (btwhid) -- C:\WINDOWS\system32\drivers\btwhid.sys (Broadcom Corporation.)

DRV - (MRENDIS5) -- C:\Program Files\Common Files\Motive\MRENDIS5.sys (Motive, Inc.)

DRV - (Aspi32) -- C:\WINDOWS\system32\drivers\aspi32.sys (Adaptec)

DRV - (MREMPR5) -- C:\Program Files\Common Files\Motive\MREMPR5.sys (Motive, Inc.)

DRV - (MarvinBus) -- C:\WINDOWS\system32\drivers\MarvinBus.sys (Pinnacle Systems GmbH)

DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-448539723-162531612-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/home/?ai=13054

IE - HKU\S-1-5-21-448539723-162531612-1801674531-500\..\URLSearchHook: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyBa.dll (Conduit Ltd.)

IE - HKU\S-1-5-21-448539723-162531612-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-448539723-162531612-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;2

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"

FF - prefs.js..browser.search.defaulturl: "http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&ai=13054"

FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"

FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"

FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.812

FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19

FF - prefs.js..extensions.enabledItems: piclens@cooliris.com:1.11.7

FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3

FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.9

FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.0.5

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0

FF - prefs.js..extensions.enabledItems: firefox@tvunetworks.com:2

FF - prefs.js..extensions.enabledItems: 5

FF - prefs.js..extensions.enabledItems: 2

FF - prefs.js..extensions.enabledItems: {9AA46F4F-4DC7-4c06-97AF-5035170634FE}:3.3.3

FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63

FF - prefs.js..network.proxy.http: "222.68.207.11"

FF - prefs.js..network.proxy.http_port: 80

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/04/21 12:33:29 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: D:\Program Files\Real\browserrecord\firefox\ext [2009/09/22 11:46:27 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2010/05/27 15:52:58 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2010/05/27 16:08:46 | 000,000,000 | ---D | M]

[2009/07/29 13:12:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions

[2010/05/27 17:54:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions

[2010/05/26 18:49:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}(2)

[2010/05/26 18:49:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}(3)

[2010/05/26 22:05:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}(4)

[2010/05/08 12:33:56 | 000,000,000 | ---D | M] (Flagfox) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}

[2009/08/15 13:39:48 | 000,000,000 | ---D | M] (IE Tab) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}

[2010/04/14 19:15:52 | 000,000,000 | ---D | M] (ImTranslator) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}

[2010/04/28 11:12:12 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

[2010/03/27 13:24:13 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

[2010/05/27 16:08:41 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

[2009/11/03 16:43:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\en-GB@dictionaries.addons.mozilla.org

[2010/04/25 14:28:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\firefox@tvunetworks.com

[2010/03/14 13:02:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\piclens@cooliris.com

O1 HOSTS File: ([2008/04/14 11:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\Real\rpbrowserrecordplugin.dll (RealPlayer)

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)

O2 - BHO: (myBabylon English Toolbar) - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyBa.dll (Conduit Ltd.)

O3 - HKLM\..\Toolbar: (myBabylon English Toolbar) - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyBa.dll (Conduit Ltd.)

O3 - HKU\S-1-5-21-448539723-162531612-1801674531-500\..\Toolbar\WebBrowser: (myBabylon English Toolbar) - {B2E293EE-FD7E-4C71-A714-5F4750D8D7B7} - C:\Program Files\myBabylon_English\tbmyBa.dll (Conduit Ltd.)

O3 - HKU\S-1-5-21-448539723-162531612-1801674531-500\..\Toolbar\WebBrowser: (Webs Credits) - {D09588AA-5560-4240-B2F2-774D78D7E917} - Reg Error: Value error. File not found

O3 - HKU\S-1-5-21-448539723-162531612-1801674531-500\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)

O4 - HKLM..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe (Motive Communications, Inc.)

O4 - HKLM..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Mouse\V3.0\moffice.exe ()

O4 - HKLM..\Run: [Motive SmartBridge] C:\Program Files\BT Home Hub\Help\SmartBridge\BTHelpNotifier.exe (Motive)

O4 - HKLM..\Run: [unlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()

O4 - HKLM..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe (Yahoo! Inc.)

O4 - HKLM..\RunOnce: [uninstall Adobe Download Manager] File not found

O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe (Motive Communications, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = D:\Program Files\WinZip Pro\WZQKPICK.EXE (WinZip Computing, S.L.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-21-448539723-162531612-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-448539723-162531612-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-21-448539723-162531612-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-21-448539723-162531612-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-21-448539723-162531612-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()

O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)

O9 - Extra Button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)

O15 - HKU\S-1-5-21-448539723-162531612-1801674531-500\..Trusted Domains: motive.com ([pbttbc.bt] https in Trusted sites)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)

O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)

O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)

O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\ladklq.exe) - C:\WINDOWS\System32\ladklq.exe File not found

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)

O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/07/29 11:43:23 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O33 - MountPoints2\E\Shell - "" = AutoRun

O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\Setup.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/27 19:19:26 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2010/05/27 16:20:53 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit

[2010/05/27 16:20:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Conduit

[2010/05/27 16:20:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\myBabylon_English

[2010/05/27 16:20:51 | 000,000,000 | ---D | C] -- C:\Program Files\myBabylon_English

[2010/05/27 16:08:44 | 000,000,000 | ---D | C] -- C:\Program Files\NOS

[2010/05/27 16:08:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS

[2010/05/27 15:58:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe

[2010/05/27 15:36:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent

[2010/05/27 15:32:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\IIS Temporary Compressed Files

[2010/05/27 15:31:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Cache

[2010/05/27 15:29:36 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\smtpctrs.dll

[2010/05/27 15:29:36 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\snprfdll.dll

[2010/05/27 15:29:35 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fcachdll.dll

[2010/05/27 15:29:35 | 000,023,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\regtrace.exe

[2010/05/27 15:29:35 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\adsiisex.dll

[2010/05/27 15:29:25 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\aspperf.dll

[2010/05/27 15:29:25 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\w3svapi.dll

[2010/05/27 15:29:25 | 000,004,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\w3ctrs.dll

[2010/05/27 15:29:24 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\iisreset.exe

[2010/05/27 15:29:24 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wamregps.dll

[2010/05/27 15:29:24 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ftpsapi2.dll

[2010/05/27 15:29:24 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\iisrstap.dll

[2010/05/27 15:29:23 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\convlog.exe

[2010/05/27 15:29:23 | 000,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsloc.dll

[2010/05/27 15:29:23 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\infoctrs.dll

[2010/05/27 15:29:23 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\admxprox.dll

[2010/05/27 15:29:23 | 000,003,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\iismui.dll

[2010/05/27 15:29:18 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\smtpapi.dll

[2010/05/27 15:29:18 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rwnh.dll

[2010/05/27 15:29:17 | 000,290,816 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\adsiis.dll

[2010/05/27 15:29:17 | 000,068,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\iisext.dll

[2010/05/27 15:29:17 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\iismap.dll

[2010/05/27 15:29:17 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\exstrace.dll

[2010/05/27 15:29:17 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\infoadmn.dll

[2010/05/27 15:29:16 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\iisRtl.dll

[2010/05/27 15:29:16 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\admwprox.dll

[2010/05/27 15:29:13 | 000,022,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\lpdsvc.dll

[2010/05/27 15:29:13 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\lprmon.dll

[2010/05/27 15:29:13 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\staxmem.dll

[2010/05/27 15:29:09 | 000,000,000 | ---D | C] -- C:\Inetpub

[2010/05/27 15:27:54 | 000,101,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\evntagnt.dll

[2010/05/27 15:27:54 | 000,092,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\evntwin.exe

[2010/05/27 15:27:54 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\snmp.exe

[2010/05/27 15:27:54 | 000,024,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\evntcmd.exe

[2010/05/27 15:27:54 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\snmpmib.dll

[2010/05/27 15:27:53 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\hostmib.dll

[2010/05/27 15:27:52 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\lmmib2.dll

[2010/05/27 13:51:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\7A9B63233F5E4A2E939E8A1F4F6A0CA8.TMP

[2010/05/27 11:32:00 | 000,000,000 | ---D | C] -- C:\Program Files\Motive

[2010/05/26 22:32:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel

[2010/05/26 22:04:26 | 000,000,000 | ---D | C] -- C:\Program Files\Motive(4)

[2010/05/26 21:34:34 | 000,000,000 | ---D | C] -- C:\Program Files\Motive(4)(2)

[2010/05/26 16:45:40 | 000,000,000 | ---D | C] -- C:\Program Files\Motive(3)

[2010/05/25 20:39:38 | 000,000,000 | ---D | C] -- C:\Program Files\Motive(2)

[2010/05/25 14:39:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ippycyxlp

[2010/05/22 18:02:32 | 000,000,000 | ---D | C] -- C:\FSiLinks

[2010/05/22 18:00:05 | 000,000,000 | ---D | C] -- C:\FSi

[2010/05/19 17:47:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

[2010/05/19 17:47:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/05/19 17:47:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/05/19 17:47:15 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/05/18 14:56:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\manky

[2010/05/16 12:20:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer

[2010/05/16 00:03:44 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2010/05/14 12:50:38 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\usewrw

[2010/05/13 22:52:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\DVDVideoSoft

[2010/05/13 22:52:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DVDVideoSoft

[2010/05/04 01:34:40 | 000,000,000 | ---D | C] -- C:\Program Files\Internet Explorer

[2010/05/04 01:33:32 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8

[2010/05/04 00:20:50 | 000,000,000 | ---D | C] -- C:\Microgaming

[2010/04/30 12:44:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun

[2010/04/29 14:37:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe

[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/27 19:20:08 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI

[2010/05/27 19:19:37 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RKUnhookerLE.EXE

[2010/05/27 19:19:30 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\prvlcl.dat

[2010/05/27 19:19:26 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2010/05/27 19:13:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/05/27 18:00:27 | 060,433,047 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm

[2010/05/27 16:37:10 | 000,001,754 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk

[2010/05/27 16:18:35 | 000,073,456 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/05/27 15:52:58 | 000,000,722 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2010/05/27 15:38:05 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/05/27 15:38:02 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/05/27 15:37:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/05/27 15:36:29 | 006,139,904 | ---- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat

[2010/05/27 15:36:29 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2010/05/27 15:32:36 | 000,570,256 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/05/27 15:32:36 | 000,476,638 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/05/27 15:32:36 | 000,083,406 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/05/27 13:29:48 | 000,000,579 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/05/27 13:29:48 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/05/26 23:13:59 | 000,000,243 | -HS- | M] () -- C:\boot.ini

[2010/05/26 22:58:06 | 000,265,416 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/05/26 22:36:39 | 000,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI

[2010/05/26 22:29:31 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2010/05/26 22:23:02 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/05/26 20:20:10 | 000,001,030 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\limited connectivity.rtf

[2010/05/26 16:23:14 | 000,253,740 | ---- | M] () -- C:\firewall.jpg

[2010/05/26 12:35:17 | 000,196,608 | ---- | M] () -- C:\WINDOWS\System32\drivers\nStandard.bin

[2010/05/25 12:45:24 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/05/25 12:35:30 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db

[2010/05/23 15:18:33 | 000,017,408 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\WebpageIcons.db

[2010/05/22 01:39:00 | 000,406,318 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\btv.zip

[2010/05/22 01:37:16 | 000,001,772 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\UKTV.zip

[2010/05/21 21:20:52 | 000,041,914 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\flags.jpg

[2010/05/21 00:00:10 | 000,000,583 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Sweepstake.zip

[2010/05/19 17:47:20 | 000,000,588 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/05/16 00:03:41 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2010/05/15 22:15:24 | 000,425,984 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb

[2010/05/15 22:15:24 | 000,275,456 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb

[2010/05/15 22:07:00 | 000,000,452 | ---- | M] () -- C:\WINDOWS\tasks\EasyShare Registration Task.job

[2010/05/11 01:03:03 | 000,002,640 | ---- | M] () -- C:\WINDOWS\System32\settings.aaw

[2010/05/11 01:03:03 | 000,000,960 | ---- | M] () -- C:\WINDOWS\System32\history.aaw

[2010/05/09 22:53:54 | 000,000,762 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Zattoo.lnk

[2010/05/04 01:37:13 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Internet Explorer.lnk

[2010/05/01 14:55:15 | 000,000,590 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\SopCast.lnk

[2010/04/30 12:44:41 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat

[2010/04/29 22:13:37 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk

[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/27 19:19:38 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RKUnhookerLE.EXE

[2010/05/27 16:37:10 | 000,001,754 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk

[2010/05/27 15:52:58 | 000,000,722 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2010/05/27 15:29:36 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini

[2010/05/27 15:29:36 | 000,008,002 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.h

[2010/05/27 15:29:35 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini

[2010/05/27 15:29:35 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.h

[2010/05/27 15:29:25 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini

[2010/05/27 15:29:25 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini

[2010/05/27 15:29:25 | 000,005,379 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.h

[2010/05/27 15:29:25 | 000,002,024 | ---- | C] () -- C:\WINDOWS\System32\axctrnm.h

[2010/05/27 15:29:23 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini

[2010/05/27 15:29:23 | 000,003,276 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.h

[2010/05/27 15:27:58 | 000,049,275 | ---- | C] () -- C:\WINDOWS\System32\wfospf.mib

[2010/05/27 15:27:58 | 000,026,236 | ---- | C] () -- C:\WINDOWS\System32\wins.mib

[2010/05/27 15:27:58 | 000,004,332 | ---- | C] () -- C:\WINDOWS\System32\smi.mib

[2010/05/27 15:27:57 | 000,107,882 | ---- | C] () -- C:\WINDOWS\System32\mib_ii.mib

[2010/05/27 15:27:57 | 000,038,608 | ---- | C] () -- C:\WINDOWS\System32\nipx.mib

[2010/05/27 15:27:57 | 000,034,317 | ---- | C] () -- C:\WINDOWS\System32\msiprip2.mib

[2010/05/27 15:27:57 | 000,030,448 | ---- | C] () -- C:\WINDOWS\System32\mcastmib.mib

[2010/05/27 15:27:57 | 000,021,386 | ---- | C] () -- C:\WINDOWS\System32\mipx.mib

[2010/05/27 15:27:57 | 000,013,767 | ---- | C] () -- C:\WINDOWS\System32\msipbtp.mib

[2010/05/27 15:27:57 | 000,010,313 | ---- | C] () -- C:\WINDOWS\System32\mripsap.mib

[2010/05/27 15:27:57 | 000,000,581 | ---- | C] () -- C:\WINDOWS\System32\msft.mib

[2010/05/27 15:27:56 | 000,048,593 | ---- | C] () -- C:\WINDOWS\System32\hostmib.mib

[2010/05/27 15:27:56 | 000,026,100 | ---- | C] () -- C:\WINDOWS\System32\lmmib2.mib

[2010/05/27 15:27:56 | 000,020,079 | ---- | C] () -- C:\WINDOWS\System32\http.mib

[2010/05/27 15:27:56 | 000,015,799 | ---- | C] () -- C:\WINDOWS\System32\ipforwd.mib

[2010/05/27 15:27:56 | 000,006,179 | ---- | C] () -- C:\WINDOWS\System32\ftp.mib

[2010/05/27 15:27:56 | 000,004,597 | ---- | C] () -- C:\WINDOWS\System32\dhcp.mib

[2010/05/27 15:27:56 | 000,000,698 | ---- | C] () -- C:\WINDOWS\System32\inetsrv.mib

[2010/05/27 15:27:55 | 000,016,617 | ---- | C] () -- C:\WINDOWS\System32\authserv.mib

[2010/05/27 15:27:55 | 000,015,597 | ---- | C] () -- C:\WINDOWS\System32\accserv.mib

[2010/05/26 23:58:58 | 006,139,904 | ---- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat

[2010/05/26 21:02:52 | 000,015,975 | ---- | C] () -- C:\Documents and Settings\Administrator\log.txt

[2010/05/26 20:20:10 | 000,001,030 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\limited connectivity.rtf

[2010/05/26 19:27:13 | 000,001,594 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

[2010/05/26 19:27:13 | 000,000,864 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

[2010/05/26 16:23:14 | 000,253,740 | ---- | C] () -- C:\firewall.jpg

[2010/05/22 01:38:59 | 000,406,318 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\btv.zip

[2010/05/22 01:37:16 | 000,001,772 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\UKTV.zip

[2010/05/21 21:20:52 | 000,041,914 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\flags.jpg

[2010/05/21 00:00:10 | 000,000,583 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Sweepstake.zip

[2010/05/19 17:47:20 | 000,000,588 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/05/16 00:08:05 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2010/05/04 01:38:53 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Internet Explorer.lnk

[2010/04/30 12:44:41 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/04/30 12:44:41 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat

[2010/04/13 16:39:35 | 000,201,488 | ---- | C] () -- C:\WINDOWS\System32\MACD32.DLL

[2010/04/13 16:39:35 | 000,141,584 | ---- | C] () -- C:\WINDOWS\System32\MAMC32.DLL

[2010/04/13 16:39:35 | 000,063,248 | ---- | C] () -- C:\WINDOWS\System32\MASD32.DLL

[2010/02/18 20:27:10 | 000,000,031 | -H-- | C] () -- C:\WINDOWS\UKCpInfo.sys

[2010/01/01 13:09:45 | 000,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx14_ic.ini

[2009/11/20 16:41:20 | 000,237,568 | R--- | C] () -- C:\WINDOWS\System32\qtmlClient.dll

[2009/11/20 16:41:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Graffiti5.2Pin.ini

[2009/11/15 15:38:43 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI

[2009/10/20 01:13:42 | 000,716,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys

[2009/08/21 13:56:11 | 000,005,440 | ---- | C] () -- C:\WINDOWS\cdplayer.ini

[2009/08/05 18:08:29 | 000,055,808 | ---- | C] () -- C:\WINDOWS\System32\ActPanel.dll

[2009/07/29 21:07:30 | 000,000,848 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys

[2009/07/29 19:55:57 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\AsIO.dll

[2009/07/29 19:55:57 | 000,012,664 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys

[2009/07/29 19:55:52 | 000,012,096 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp64.sys

[2009/07/29 19:55:52 | 000,010,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp32.sys

[2009/07/29 19:37:44 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI

[2009/07/29 19:13:26 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\atkid.ini

[2009/07/29 19:13:25 | 000,046,592 | ---- | C] () -- C:\WINDOWS\System32\asfrench.dll

[2009/07/29 19:13:25 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\asrussian.dll

[2009/07/29 19:13:25 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\asgerman.dll

[2009/07/29 19:13:25 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\aseng.dll

[2009/07/29 19:13:25 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\askorean.dll

[2009/07/29 19:13:25 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\asjapan.dll

[2009/07/29 19:13:25 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\aschs.dll

[2009/07/29 19:13:24 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\ASCHT.dll

[2009/07/29 18:22:58 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll

[2009/07/29 13:07:07 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll

[2009/07/29 11:58:14 | 000,020,257 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini

[2009/07/29 11:58:03 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys

[2009/07/29 11:58:01 | 000,021,582 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini

[2009/07/29 11:57:52 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS

[2009/07/17 18:03:47 | 000,009,760 | ---- | C] () -- C:\WINDOWS\System32\716xCoInstaller.dll

[2009/01/25 22:10:48 | 000,179,200 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll

[2009/01/09 00:01:22 | 000,629,760 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll

[2008/12/23 16:33:18 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll

[2008/04/14 11:00:00 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\CopyToSendTo.dll

[2007/01/26 03:04:12 | 000,144,144 | ---- | C] () -- C:\WINDOWS\System32\MASE32.DLL

[2007/01/26 03:04:12 | 000,033,040 | ---- | C] () -- C:\WINDOWS\System32\MA32.DLL

[2006/06/07 16:52:08 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll

[2005/02/17 12:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest

[2005/02/17 12:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest

[2004/10/11 11:19:00 | 000,092,672 | ---- | C] () -- C:\WINDOWS\System32\ASUSASV2.DLL

[2003/09/23 13:40:34 | 000,394,240 | ---- | C] () -- C:\WINDOWS\System32\HMTCD.dll

[2003/08/07 15:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll

[2002/10/15 23:54:04 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll

[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >

__________________________________________________

Extras.txt

OTL Extras logfile created on: 27/05/2010 20:06:18 - Run 2

OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 70.00% Memory free

5.00 Gb Paging File | 4.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.88 Gb Total Space | 201.25 Gb Free Space | 86.42% Space Free | Partition Type: NTFS

Drive D: | 465.76 Gb Total Space | 317.34 Gb Free Space | 68.13% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: PAUL

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = htmlfile] -- C:\Program Files\Yahoo!\browser\ybrowser.exe (Yahoo!, Inc.)

[HKEY_USERS\S-1-5-21-448539723-162531612-1801674531-500\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- D:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- Reg Error: Key error.

htmlfile [open] -- C:\PROGRA~1\Yahoo!\browser\ybrowser.exe %1 (Yahoo!, Inc.)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [PlayWithVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"86:TCP" = 86:TCP:*:Enabled:BroadCam Video Streaming Server Web Server

"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)

"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe -- (Hewlett-Packard Development Co. L.P.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found

"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found

"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- File not found

"D:\Program Files\spotify.exe" = D:\Program Files\spotify.exe:*:Enabled:Spotify -- (Spotify AB)

"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)

"D:\Program Files\Sopcast\SopCast.exe" = D:\Program Files\Sopcast\SopCast.exe:*:Enabled:SopCast Main Application -- (www.sopcast.com)

"D:\Program Files\uTorrent\uTorrent.exe" = D:\Program Files\uTorrent\uTorrent.exe:*:Enabled:

Elise · May 28, 2010

Hello ,

And :welcome: My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

A detailed description of your problems
GMER log

Begbie · May 31, 2010

Thanks for your reply, Elise.

I have downloaded GMER but I'm reluctant to disconnect from the internet.

Since my original post, things have got really bad on my PC. I can no longer get on-line without reinstalling my broadband software (BT Home Hub). My Local Area Connection 2 icon shows 'Limited or no connection', or words to that effect. The 'install' doesn't complete, it just 'hangs', but a re-boot after trying to re-install seems to get me back on-line.

I don't know if the 2 problems are connected but finding a cure for the 'new' problem has to take precedence.

Elise · May 31, 2010

Yes, I can understand that

Please try to run GMER while staying connected (run the scan with only the Sections option checked).

In case the computer really becomes unworkable, please let me know and I will give you instructions for an alternative approach.

Begbie · June 1, 2010

GMER.log with just 'Sections' checked. Not disconnected from internet.

__________________________________________________________

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-01 13:42:33

Windows 5.1.2600 Service Pack 3

Running: vvr2t66u.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapod.sys

---- Kernel code sections - GMER 1.0.15 ----

? spbw.sys The system cannot find the file specified. !

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9882000, 0x1B601E, 0xE8000020]

.text USBPORT.SYS!DllUnload B8514934 5 Bytes JMP 8A91A280

.text atfulxcx.SYS B8497384 1 Byte [20]

.text atfulxcx.SYS B8497384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]

.text atfulxcx.SYS B84973AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]

.text atfulxcx.SYS B84973C4 3 Bytes [00, 00, 00]

.text atfulxcx.SYS B84973C9 1 Byte [00]

.text ...

.rsrc C:\WINDOWS\system32\DRIVERS\ipsec.sys entry point in ".rsrc" section [0xAB878614]

? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[224] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B8000A

.text C:\WINDOWS\Explorer.EXE[224] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00C2000A

.text C:\WINDOWS\Explorer.EXE[224] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B7000C

.text C:\WINDOWS\Explorer.EXE[224] SHELL32.dll!SHFileOperationW 7CA70A18 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll

.text C:\WINDOWS\system32\svchost.exe[1528] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 006E000A

.text C:\WINDOWS\system32\svchost.exe[1528] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 006F000A

.text C:\WINDOWS\system32\svchost.exe[1528] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 006D000C

.text C:\WINDOWS\system32\svchost.exe[1528] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E1000A

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\ipsec.sys suspicious modification

---- EOF - GMER 1.0.15 ----

__________________________________________________________________________

The 'suspicious modification' entry at the end jumps out.

Elise · June 1, 2010

Yes it does indeed It indicates you have a nasty rootkit on board. Before starting the cleanup, please consider the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
Double click on Combofix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Begbie · June 1, 2010

Thanks Elise. Sounds like a re-format is in order.

I have ran ComboFix and get :

_________________________________________________________

ComboFix 10-05-31.03 - Administrator 01/06/2010 15:09:35.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2480 [GMT 1:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\tempfile.tmp

c:\windows\system32\AutoRun.inf

c:\windows\system32\Cache

Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected

Restored copy from - Kitty had a snack

.

((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))

.

2010-06-01 13:45 . 2010-06-01 13:45 -------- d-----w- c:\windows\system32\wbem\Repository

2010-05-31 14:31 . 2010-06-01 13:44 -------- d-----w- c:\program files\Motive

2010-05-30 21:29 . 2010-05-30 21:29 -------- d-----w- c:\program files\NOS

2010-05-27 22:40 . 2010-05-30 21:29 -------- dc----w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-27 22:40 . 2010-05-27 22:40 -------- d-----w- c:\program files\Lavasoft

2010-05-27 15:20 . 2010-05-27 15:20 -------- d-----w- c:\program files\Conduit

2010-05-27 15:20 . 2010-05-27 15:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Conduit

2010-05-27 15:20 . 2010-01-20 11:13 52224 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}\components\FFExternalAlert.dll

2010-05-27 15:20 . 2010-01-20 11:13 101376 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}\components\RadioWMPCore.dll

2010-05-27 15:08 . 2010-05-27 15:09 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-05-27 15:08 . 2010-05-30 21:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-05-27 15:08 . 2010-03-29 07:53 32576 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

2010-05-27 15:08 . 2010-03-29 07:53 29984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe

2010-05-27 14:58 . 2010-05-27 15:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2010-05-27 14:32 . 2010-05-27 14:32 -------- d-----w- c:\windows\IIS Temporary Compressed Files

2010-05-27 14:27 . 2008-04-14 10:00 10240 ----a-w- c:\windows\system32\wbem\snmpstup.dll

2010-05-26 21:32 . 2010-05-26 21:34 -------- d-----w- c:\windows\SxsCaPendDel

2010-05-26 21:04 . 2010-05-26 21:04 -------- d-----w- c:\program files\Motive(4)

2010-05-26 20:34 . 2010-05-26 21:04 -------- d-----w- c:\program files\Motive(4)(2)

2010-05-26 15:45 . 2010-05-26 17:49 -------- d-----w- c:\program files\Motive(3)

2010-05-25 19:39 . 2010-05-26 17:46 -------- d-----w- c:\program files\Motive(2)

2010-05-25 13:39 . 2010-05-25 13:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ippycyxlp

2010-05-25 12:52 . 2010-05-25 12:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-05-22 17:02 . 2010-05-25 13:39 -------- d-----w- C:\FSiLinks

2010-05-22 17:00 . 2010-05-25 13:38 -------- d-----w- C:\FSi

2010-05-19 16:47 . 2010-05-19 16:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-05-19 16:47 . 2010-05-19 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-16 12:37 . 2010-05-16 12:37 5642000 ----a-w- c:\documents and settings\Administrator\Application Data\TVU networks\AutoUpgrade\TVUPlayer2.5.3.1.exe

2010-05-16 11:20 . 2010-05-16 11:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2010-05-15 23:03 . 2010-05-15 23:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-05-14 11:50 . 2010-05-15 20:52 -------- d-sh--w- c:\windows\system32\usewrw

2010-05-13 21:52 . 2010-05-13 21:52 -------- d-----w- c:\program files\Common Files\DVDVideoSoft

2010-05-04 00:33 . 2010-05-04 00:34 -------- dc-h--w- c:\windows\ie8

2010-05-03 23:20 . 2010-05-03 23:20 -------- d-----w- C:\Microgaming

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-01 13:48 . 2010-01-31 12:33 -------- d-----w- c:\program files\PokerStars

2010-06-01 13:44 . 2009-11-15 13:49 -------- d-----w- c:\program files\Common Files\Motive

2010-06-01 13:19 . 2009-12-23 20:48 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat

2010-06-01 13:15 . 2009-07-29 12:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Motive

2010-05-30 21:41 . 2010-02-18 19:27 -------- d-----w- c:\program files\Coupon Printer

2010-05-27 22:40 . 2009-08-03 13:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-05-27 18:54 . 2009-07-29 19:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-27 15:24 . 2009-08-14 23:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sina

2010-05-27 15:22 . 2010-02-20 15:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

2010-05-27 15:18 . 2009-07-29 18:19 73456 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-27 12:50 . 2009-10-03 21:13 -------- d-----w- c:\program files\ArcSoft

2010-05-26 22:56 . 2009-10-03 21:13 -------- d-----w- c:\program files\Common Files\ArcSoft

2010-05-26 22:11 . 2009-10-03 21:13 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll

2010-05-26 21:42 . 2009-11-27 21:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2010-05-26 21:23 . 2010-04-30 11:44 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-26 17:49 . 2009-11-15 13:49 -------- d-----w- c:\program files\BT Home Hub

2010-05-26 11:35 . 2009-07-29 18:13 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin

2010-05-25 13:38 . 2009-07-29 20:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2010-05-23 19:23 . 2009-08-10 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\{AB3EC276-D261-4943-A921-1CC1C6799AED}

2010-05-19 18:31 . 2009-11-30 13:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-04-30 11:44 . 2010-04-30 11:44 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-04-25 13:28 . 2010-04-25 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks

2010-04-21 11:31 . 2009-07-29 12:09 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-20 14:56 . 2009-11-27 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2010-04-13 16:39 . 2010-04-13 16:39 -------- d-----w- c:\program files\Microsoft Silverlight

2010-04-13 15:40 . 2009-08-07 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Pinnacle

2010-04-13 15:38 . 2009-11-20 15:28 -------- d-----w- c:\program files\Pinnacle

2010-04-13 15:38 . 2009-07-29 11:01 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-04-13 14:00 . 2010-01-01 12:25 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-04-09 15:49 . 2010-04-09 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-04-09 15:48 . 2010-04-09 15:48 -------- d-----w- c:\program files\Common Files\Apple

2010-03-17 12:13 . 2010-03-17 12:13 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-17 12:13 . 2009-07-29 12:09 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-17 12:13 . 2009-07-29 12:09 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-07-29 20:13 . 2009-07-29 20:07 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

------- Sigcheck -------

[-] 2008-12-30 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

c:\windows\System32\wscntfy.exe ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-31 2478080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"FLMOFFICE4DMOUSE"="c:\program files\Labtec\Mouse\V3.0\moffice.exe" [2009-07-29 958464]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-22 198160]

"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2005-12-29 543232]

"Motive SmartBridge"="c:\progra~1\BTHOME~2\Help\SMARTB~3\BTHelpNotifier.exe" [2006-02-06 462935]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2009-03-08 128512]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2010-5-31 217088]

WinZip Quick Pick.lnk - d:\program files\WinZip Pro\WZQKPICK.EXE [2010-4-5 494920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-17 12:13 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"osagent"=3 (0x3)

"oad"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"EMCKEYBOARD"=c:\program files\EMC\Keyboard Application\1.2\EMCKBAPP.exe

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"ASUSGamerOSD"=c:\program files\ASUS\GamerOSD\GamerOSD.exe

"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

"qqlive"="d:\program files\QQLiveOneClick.exe" -system_startup

"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

"YBrowser"=c:\progra~1\Yahoo!\browser\ybrwicon.exe

"Motive SmartBridge"=c:\progra~1\BTHOME~2\Help\SMARTB~3\BTHelpNotifier.exe

"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

"btbb_wcm_McciTrayApp"=c:\program files\btbb_wcm\McciTrayApp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\spotify.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"d:\\Program Files\\Sopcast\\SopCast.exe"=

"d:\\Program Files\\uTorrent\\uTorrent.exe"=

"d:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

"d:\\Program Files\\Real\\realplay.exe"=

"d:\\Program Files\\TVAnts\\Tvants.exe"=

"d:\\Program Files\\Zattoo\\zattood.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"d:\\Downloads\\BT\\SpeedTouch_upgrade_wizard_R4421\\upgradeST.exe"=

"d:\\Downloads\\BT\\Unlock BT HomeHub\\SpeedTouch upgrade wizard R4421\\upgradeST.exe"=

"d:\\Program Files\\Pinnacle\\Programs\\RM.exe"=

"d:\\Program Files\\Pinnacle\\Programs\\Studio.exe"=

"d:\\Program Files\\Pinnacle\\Programs\\umi.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"d:\\Program Files\\Sopcast\\adv\\SopAdver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [29/07/2009 13:09 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [29/07/2009 13:09 242896]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [17/03/2010 13:13 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/03/2010 13:13 308064]

R3 PhilCap;Pinnacle PCTV service;c:\windows\system32\drivers\PhilCap.sys [17/07/2009 18:03 908832]

S2 gupdate1ca3b719fe19692;Google Update Service (gupdate1ca3b719fe19692);c:\program files\Google\Update\GoogleUpdate.exe [22/09/2009 11:44 133104]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23/12/2008 16:35 50704]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20/10/2009 01:13 716272]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASPI32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-22 10:44]

2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-22 10:44]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.babylon.com/home/?ai=13054

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Settings,ProxyOverride = 127.0.0.1;2

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

Trusted Zone: motive.com\pbttbc.bt

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&ai=13054

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - component: d:\program files\Real\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1uv2gowj.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: d:\program files\Quick Time\Plugins\npqtplugin.dll

FF - plugin: d:\program files\Quick Time\Plugins\npqtplugin2.dll

FF - plugin: d:\program files\Quick Time\Plugins\npqtplugin3.dll

FF - plugin: d:\program files\Quick Time\Plugins\npqtplugin4.dll

FF - plugin: d:\program files\Quick Time\Plugins\npqtplugin5.dll

FF - plugin: d:\program files\Quick Time\Plugins\npqtplugin6.dll

FF - plugin: d:\program files\Quick Time\Plugins\npqtplugin7.dll

FF - plugin: d:\program files\Real\Netscape6\nppl3260.dll

FF - plugin: d:\program files\Real\Netscape6\nprjplug.dll

FF - plugin: d:\program files\Real\Netscape6\nprpjplug.dll

FF - plugin: d:\program files\Veetle\Player\npvlc.dll

FF - plugin: d:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: d:\program files\Veetle\VLCBroadcast\npvbp.dll

---- FIREFOX POLICIES ----

d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{D09588AA-5560-4240-B2F2-774D78D7E917} - d:\program files\Webs Credits\Toolbar.dll

AddRemove-com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 - c:\program files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe

AddRemove-InterBase - d:\program files\Borland\InterBase\ibuninst.exe

AddRemove-VexcastPlayer2.0 - c:\windows\system32\Nagasoft\Uninstall.exe

AddRemove-{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA} - c:\program files\InstallShield Installation Information\{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}\Setup.exeUNINSTALL

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-162531612-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,73,c5,67,71,dc,9d,c6,4f,b7,29,70,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,95,41,a2,ba,e4,dc,b4,4f,82,e2,03,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2010-06-01 15:17:04

ComboFix-quarantined-files.txt 2010-06-01 14:17

Pre-Run: 216,226,332,672 bytes free

Post-Run: 222,631,411,712 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff /usepmtimer

- - End Of File - - 89E6864F5FF5CD170ECBBB311036FD91

__________________________________________________________

Elise · June 1, 2010

Hi, that looks already a lot better, the rootkit is gone, but still some other things to take care of

Click Start > Run, type sfc /scannow in the runbox and press enter. Allow the System File Checker to run and follow the on-screen prompts.

When done please continue with the next script.

CF-SCRIPT

-------------

We need to execute a CF-script.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

DDS::
uInternet Settings,ProxyOverride = 127.0.0.1;2

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Begbie · June 1, 2010

Thanks for the quick response, Elise.

The new combofix.txt file is:

________________________________________________________

ComboFix 10-05-31.03 - Administrator 01/06/2010 17:11:51.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2422 [GMT 1:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt

.

((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))

.

2010-06-01 14:21 . 2010-06-01 14:21 -------- d-----w- c:\program files\ESET