fleamour (Author) Posted July 17, 2011 ID:455089

It is possible yes, I will use snipping tool & post along with ESET log.
fleamour (Author) Posted July 18, 2011 ID:455245

Please find ESET log & screen capture attached.

Attachment: ESETScan.txt
Elise Posted July 18, 2011 ID:455294

Hi again, that looks interesting indeed.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
- Main Mirror: this version will download a randomly named file (Recommended)
- Zipped Mirror: this version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

- Disconnect from the Internet and close all running programs.
- Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
- Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
- GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
- If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
- Now click the Scan button. If you see a rootkit warning window, click OK.
- When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
- Click the Copy button and paste the results into your next reply.
- Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.
fleamour (Author) Posted July 18, 2011 ID:455319

Should I scan all system drives with GMER or just root?
Elise Posted July 18, 2011 ID:455390

Only your windows installation drive.
fleamour (Author) Posted July 19, 2011 ID:455875

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-19 21:10:49
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD5000AAKS-00UU3A0 rev.01.03B01
Running: 3qhipide.exe; Driver: C:\Users\fleamour\AppData\Local\Temp\pfldrpog.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x944DFFC0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x944E0A56]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\28711\RapportCerberus32_28711.sys ZwCreateThreadEx [0x8CB07190]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0x944E0BD4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x944E427C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x944E42AE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwLoadKey [0x944E4410]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x944E0B2C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0x944E0104]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0x944E02F6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwProtectVirtualMemory [0x944E0428]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x944E4386]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x944E42F0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x944E4322]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0x944E4354]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetContextThread [0x944DFF66]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0x944E0C40]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetValueKey [0x944E4214]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0x944DFF02]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateProcess [0x944DFE56]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateThread [0x944DFE9E]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKey + 13CD 8303EA09 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8305E512 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 141B 830657E8 4 Bytes [C0, FF, 4D, 94] {SAR BH, 0x4d; XCHG ESP, EAX}
.text ntoskrnl.exe!KeRemoveQueueEx + 1477 83065844 4 Bytes [56, 0A, 4E, 94] {PUSH ESI; OR CL, [ESI-0x6c]}
.text ntoskrnl.exe!KeRemoveQueueEx + 14CF 8306589C 4 Bytes [90, 71, B0, 8C]
.text ntoskrnl.exe!KeRemoveQueueEx + 1507 830658D4 8 Bytes [D4, 0B, 4E, 94, 7C, 42, 4E, ...] {AAM 0xb; DEC ESI; XCHG ESP, EAX; JL 0x48; DEC ESI; XCHG ESP, EAX}
.text ntoskrnl.exe!KeRemoveQueueEx + 1517 830658E4 4 Bytes [AE, 42, 4E, 94] {SCASB ; INC EDX; DEC ESI; XCHG ESP, EAX}
.text ...
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A363C000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A363C123 629 Bytes [75, 63, A3, FE, 05, 34, 75, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 A363C399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F A363C3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B A363C4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[260] ntdll.dll!KiUserApcDispatcher 77356F58 5 Bytes JMP 0043E8F0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[260] WS2_32.dll!getaddrinfo 76DF4296 5 Bytes JMP 71A50022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[260] WS2_32.dll!gethostbyname 76E07673 5 Bytes JMP 71AE0022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[868] ntdll.dll!KiUserApcDispatcher 77356F58 5 Bytes JMP 004140F0 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[868] WS2_32.dll!getaddrinfo 76DF4296 5 Bytes JMP 71A40022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[868] WS2_32.dll!gethostbyname 76E07673 5 Bytes JMP 71AD0022
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1804] kernel32.dll!SetUnhandledExceptionFilter 7581F4FB 4 Bytes [C2, 04, 00, 00]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74812437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [747F5600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [747F56BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [748124B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74808514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74804CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7480506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74805144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74806671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7480826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [748087BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7480901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7480E1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74804BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlReAllocateHeap] [6A779832] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlSizeHeap] [6A77A27D] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlLockHeap] [6A7794D8] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlUnlockHeap] [6A7794E8] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlAllocateHeap] [6A7792CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlFreeHeap] [6A779E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlDestroyHeap] [6A7794B8] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlCreateHeap] [6A7794A8] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlExitUserProcess] [6A77AA9E] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\ADVAPI32.dll [ntdll.dll!RtlFreeHeap] [6A779E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\ADVAPI32.dll [ntdll.dll!RtlAllocateHeap] [6A7792CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\ADVAPI32.dll [ntdll.dll!RtlReAllocateHeap] [6A779832] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [753BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\RPCRT4.dll [ntdll.dll!RtlFreeHeap] [6A779E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\RPCRT4.dll [ntdll.dll!RtlAllocateHeap] [6A7792CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\GDI32.dll [ntdll.dll!RtlAllocateHeap] [6A7792CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\GDI32.dll [ntdll.dll!RtlFreeHeap] [6A779E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [753BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\USER32.dll [ntdll.dll!RtlSizeHeap] [6A77A27D] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\USER32.dll [ntdll.dll!RtlReAllocateHeap] [6A779832] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\USER32.dll [ntdll.dll!RtlAllocateHeap] [6A7792CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\USER32.dll [ntdll.dll!RtlFreeHeap] [6A779E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [753BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\WS2_32.dll [ntdll.dll!RtlFreeHeap] [6A779E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\WS2_32.dll [ntdll.dll!RtlAllocateHeap] [6A7792CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\NETAPI32.dll [ntdll.dll!RtlAllocateHeap] [6A7792CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\NETAPI32.dll [ntdll.dll!RtlFreeHeap] [6A779E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\SHELL32.dll [ntdll.dll!RtlFreeHeap] [6A779E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [753BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\ole32.dll [ntdll.dll!RtlFreeHeap] [6A779E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\ole32.dll [ntdll.dll!RtlAllocateHeap] [6A7792CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\ole32.dll [ntdll.dll!RtlReAllocateHeap] [6A779832] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\CRYPT32.dll [ntdll.dll!RtlFreeHeap] [6A779E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\CRYPT32.dll [ntdll.dll!RtlAllocateHeap] [6A7792CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [753BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [753BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\IPHLPAPI.DLL [ntdll.dll!RtlFreeHeap] [6A779E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\IPHLPAPI.DLL [ntdll.dll!RtlAllocateHeap] [6A7792CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\Secur32.dll [ntdll.dll!RtlAllocateHeap] [6A7792CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\Secur32.dll [ntdll.dll!RtlFreeHeap] [6A779E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2888] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [753BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000055 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
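Reading a GMER log by hand means asking, for each hook, which module placed it and where that module lives. The script below is an added example (my own, not GMER's or this forum's code) that parses the SSDT and user-mode hook lines, groups kernel hooks by the hooking driver and user-mode hooks by process, and flags any hooking module that loads from a user Temp directory, exempting GMER's own randomly named driver, which the log header shows is expected to live in Temp. Grouping the log above this way shows that every SSDT hook belongs to two Trusteer Rapport drivers and every user-mode hook to Rapport or ESET, which is the reading behind a "nothing there" verdict. The regular expressions, the Temp-path markers and the excerpt of the log embedded as sample input are assumptions of the example, not a GMER format specification.

```python
import re
from collections import defaultdict

# Excerpt of the GMER log posted above (lines copied from the page), used as
# offline sample input for this added example.
SAMPLE_LOG = r"""GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-19 21:10:49
Running: 3qhipide.exe; Driver: C:\Users\fleamour\AppData\Local\Temp\pfldrpog.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x944E0A56]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\28711\RapportCerberus32_28711.sys ZwCreateThreadEx [0x8CB07190]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0x944E0104]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateProcess [0x944DFE56]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[260] WS2_32.dll!getaddrinfo 76DF4296 5 Bytes JMP 71A50022
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1804] kernel32.dll!SetUnhandledExceptionFilter 7581F4FB 4 Bytes [C2, 04, 00, 00]

---- EOF - GMER 1.0.15 ----
"""

# Field layouts assumed from the log lines above (not a GMER specification).
RUNNING_RE = re.compile(r"^Running:\s+(?P<exe>\S+);\s+Driver:\s+(?P<driver>.+?)\s*$")
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S.*?\.sys)\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\.exe)\[(?P<pid>\d+)\]\s+(?P<target>\S+!\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes?\s+(?P<detail>.*)$"
)

# Directories a hooking module normally has no business loading from
# (assumed list; GMER's own driver is exempted below).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def _strip_nt_prefix(path):
    """GMER prints kernel paths as \\??\\C:\\...; drop the NT prefix."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_gmer(text):
    """Return {'gmer_driver': path or None, 'entries': [dict, ...]}."""
    report = {"gmer_driver": None, "entries": []}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = RUNNING_RE.match(line)
        if m:
            report["gmer_driver"] = m.group("driver")
            continue
        m = SSDT_RE.match(line)
        if m:
            report["entries"].append({"kind": "ssdt",
                                      "module": _strip_nt_prefix(m.group("module")),
                                      "func": m.group("func"),
                                      "addr": m.group("addr")})
            continue
        m = USER_HOOK_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["kind"] = "user"
            report["entries"].append(entry)
    return report


def ssdt_by_module(report):
    """Hooked system services grouped by the kernel module owning the hook."""
    grouped = defaultdict(list)
    for e in report["entries"]:
        if e["kind"] == "ssdt":
            grouped[e["module"]].append(e["func"])
    return dict(grouped)


def user_hooks_by_process(report):
    """Inline user-mode hooks grouped by 'path[pid]'."""
    grouped = defaultdict(list)
    for e in report["entries"]:
        if e["kind"] == "user":
            grouped[f'{e["proc"]}[{e["pid"]}]'].append(e["target"])
    return dict(grouped)


def temp_path_hookers(report):
    """Hooking modules that load from a Temp directory, minus GMER's own driver."""
    own = (report["gmer_driver"] or "").lower()
    flagged = []
    for e in report["entries"]:
        path = e["module"] if e["kind"] == "ssdt" else e["proc"]
        low = path.lower()
        if low != own and any(mk in low for mk in TEMP_MARKERS):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    print("GMER driver:", rep["gmer_driver"])
    for mod, funcs in ssdt_by_module(rep).items():
        print(f"{mod}: {len(funcs)} SSDT hook(s): {', '.join(funcs)}")
    for proc, targets in user_hooks_by_process(rep).items():
        print(f"{proc}: {', '.join(targets)}")
    print("Temp-path hookers:", temp_path_hookers(rep) or "none")
```

Run it against a full gmer.log by replacing SAMPLE_LOG with the file contents; the grouping is what makes a single hook from an unfamiliar module stand out among dozens from a known security product.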
Elise Posted July 19, 2011 ID:455901

Nothing there. Let's see if OTL will show the Unicode entries.

OTL
-----
Please download OTL from one of the following mirrors:
- This is THE Mirror

- Save it to your desktop.
- Double click on the icon on your desktop.
- Click the "Scan All Users" checkbox.
- Push the button.
- Two reports will open, copy and paste them in a reply here:
  OTL.txt <-- Will be opened
  Extra.txt <-- Will be minimized
fleamour (Author) Posted July 19, 2011 ID:455906

I guess I can ignore this warning?

Details:
Web page: http://oldtimer.geekstogo.com/OTL.exe
Description: Access to the web page was blocked by ESET NOD32 Antivirus. The web page is on the list of websites with potentially dangerous content.
www.eset.com
fleamour (Author) Posted July 19, 2011 ID:455911

ESET will not let me manually bypass warning & download file, even with real time protection turned off.
fleamour (Author) Posted July 19, 2011 ID:455918

Uninstalled ESET:

OTL logfile created on: 19/07/2011 22:34:27 - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Users\fleamour\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.12 Gb Total Physical Memory | 2.12 Gb Available Physical Memory | 67.73% Memory free
6.24 Gb Paging File | 5.13 Gb Available in Paging File | 82.12% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 148.76 Gb Total Space | 69.55 Gb Free Space | 46.75% Space Free | Partition Type: NTFS
Drive D: | 298.05 Mb Total Space | 256.16 Mb Free Space | 85.95% Space Free | Partition Type: NTFS
Drive E: | 415.47 Gb Total Space | 62.55 Gb Free Space | 15.06% Space Free | Partition Type: NTFS
Drive F: | 316.71 Gb Total Space | 223.56 Gb Free Space | 70.59% Space Free | Partition Type: NTFS
Drive H: | 3.71 Gb Total Space | 3.11 Gb Free Space | 83.86% Space Free | Partition Type: FAT32

Computer Name: ASROCK | User Name: fleamour | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/19 22:33:18 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\fleamour\Desktop\OTL.exe
PRC - [2011/06/22 18:01:18 | 001,550,136 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2011/06/22 18:01:18 | 000,870,200 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/05/21 06:01:00 | 000,839,272 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
PRC - [2011/02/25 06:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 13:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/14 02:14:41 | 000,354,304 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\StikyNot.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2005/07/15 22:48:33 | 000,479,232 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Gmail Notifier\gnotify.exe

========== Modules (SafeList) ==========

MOD - [2011/07/19 22:33:18 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\fleamour\Desktop\OTL.exe
MOD - [2010/11/20 12:55:09 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2011/06/22 18:01:18 | 000,870,200 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010/08/06 23:55:54 | 001,343,400 | ---- | M] (Microsoft Corporation) [unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2007/12/17 05:00:00 | 000,143,872 | ---- | M] (SEIKO EPSON CORPORATION) [Disabled | Stopped] -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE -- (EPSON_EB_RPCV4_01) EPSON V5 Service4(01)
SRV - [2007/01/11 05:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Disabled | Stopped] -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)

========== Driver Services (SafeList) ==========

DRV - [2011/07/12 22:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Users\fleamour\AppData\Local\Temp\SAS_SelfExtract\saskutil.sys -- (SASKUTIL)
DRV - [2011/07/12 22:55:22 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Users\fleamour\AppData\Local\Temp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/11 19:46:04 | 000,216,752 | ---- | M] () [Kernel | System | Running] -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\28711\RapportCerberus32_28711.sys -- (RapportCerberus_28711)
DRV - [2011/06/22 18:01:26 | 000,158,904 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2011/06/22 18:01:26 | 000,066,360 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2011/06/22 18:01:26 | 000,053,816 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2011/05/21 06:01:00 | 010,589,800 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/11/20 13:30:18 | 000,296,064 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vpcvmm.sys -- (vpcvmm)
DRV - [2010/11/20 13:30:18 | 000,172,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vpchbus.sys -- (vpcbus)
DRV - [2010/11/20 13:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 13:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 13:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 11:50:40 | 000,078,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vpcusb.sys -- (vpcusb)
DRV - [2010/11/20 11:50:38 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vpcnfltr.sys -- (vpcnfltr)
DRV - [2010/11/20 11:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 11:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 10:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 10:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 10:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/08/16 16:31:08 | 000,016,472 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\pwdrvio.sys -- (pwdrvio)
DRV - [2010/08/16 16:31:06 | 000,011,104 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\pwdspio.sys -- (pwdspio)
DRV - [2010/04/07 12:16:16 | 000,376,160 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr61.sys -- (rt61x86)
DRV - [2009/06/30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\Windows\system32\drivers\pavboot.sys -- (pavboot)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3007608149-1695688726-1621582678-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-3007608149-1695688726-1621582678-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-3007608149-1695688726-1621582678-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CA 1C FF B5 B6 35 CB 01 [binary data]
IE - HKU\S-1-5-21-3007608149-1695688726-1621582678-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3007608149-1695688726-1621582678-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.co.uk"
FF - prefs.js..extensions.enabledItems: {1a0c9ebe-ddf9-4b76-b8a3-675c77874d37}:3.0
FF - prefs.js..extensions.enabledItems: {6e84150a-d526-41f1-a480-a67d3fed910d}:1.4.5.1

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@bullguard.com/onlinescanner: C:\Program Files\BullGuard Ltd\BullGuard Online Scanner\npbgscanner.dll (BullGuard Ltd.)
FF - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan: C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\fleamour\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\fleamour\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/01/11 15:39:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/06 22:18:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/07/01 16:35:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/01/11 15:39:23 | 000,000,000 | ---D | M]

[2010/10/28 22:10:59 | 000,000,000 | ---D | M]
(No name found) -- C:\Users\fleamour\AppData\Roaming\Mozilla\Extensions[2011/07/12 22:37:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\fleamour\AppData\Roaming\Mozilla\Firefox\Profiles\r0nnu1kt.default\extensions[2011/07/12 22:37:42 | 000,000,000 | ---D | M] (WebMail Notifier) -- C:\Users\fleamour\AppData\Roaming\Mozilla\Firefox\Profiles\r0nnu1kt.default\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}[2010/10/28 22:18:26 | 000,000,000 | ---D | M] (IE View) -- C:\Users\fleamour\AppData\Roaming\Mozilla\Firefox\Profiles\r0nnu1kt.default\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}[2011/07/12 22:37:44 | 000,000,000 | ---D | M] (BitDefender QuickScan) -- C:\Users\fleamour\AppData\Roaming\Mozilla\Firefox\Profiles\r0nnu1kt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}[2011/04/06 22:18:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensionsFile not found (No name found) -- () (No name found) -- C:\USERS\FLEAMOUR\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\R0NNU1KT.DEFAULT\EXTENSIONS\{1A0C9EBE-DDF9-4B76-B8A3-675C77874D37}.XPI() (No name found) -- C:\USERS\FLEAMOUR\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\R0NNU1KT.DEFAULT\EXTENSIONS\GRWATCHER@AJNASZ.HU.XPI[2011/03/18 18:57:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll[2009/11/06 17:37:19 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll[2009/11/06 17:37:20 | 000,091,552 | ---- | M] (Coupons, Inc.) 
-- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll[2010/01/01 09:00:00 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml[2010/01/01 09:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml[2010/01/01 09:00:00 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml[2010/01/01 09:00:00 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml[2010/01/01 09:00:00 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xmlO1 HOSTS File: ([2011/07/15 20:27:57 | 000,435,740 | R--- | M]) - C:\Windows\System32\drivers\etc\hostsO1 - Hosts: 127.0.0.1 www.007guard.comO1 - Hosts: 127.0.0.1 007guard.comO1 - Hosts: 127.0.0.1 008i.comO1 - Hosts: 127.0.0.1 www.008k.comO1 - Hosts: 127.0.0.1 008k.comO1 - Hosts: 127.0.0.1 www.00hq.comO1 - Hosts: 127.0.0.1 00hq.comO1 - Hosts: 127.0.0.1 010402.comO1 - Hosts: 127.0.0.1 www.032439.comO1 - Hosts: 127.0.0.1 032439.comO1 - Hosts: 127.0.0.1 www.0scan.comO1 - Hosts: 127.0.0.1 0scan.comO1 - Hosts: 127.0.0.1 1000gratisproben.comO1 - Hosts: 127.0.0.1 www.1000gratisproben.comO1 - Hosts: 127.0.0.1 1001namen.comO1 - Hosts: 127.0.0.1 www.1001namen.comO1 - Hosts: 127.0.0.1 100888290cs.comO1 - Hosts: 127.0.0.1 www.100888290cs.comO1 - Hosts: 127.0.0.1 www.100sexlinks.comO1 - Hosts: 127.0.0.1 100sexlinks.comO1 - Hosts: 127.0.0.1 10sek.comO1 - Hosts: 127.0.0.1 www.10sek.comO1 - Hosts: 127.0.0.1 www.1-2005-search.comO1 - Hosts: 127.0.0.1 1-2005-search.comO1 - Hosts: 127.0.0.1 123fporn.infoO1 - Hosts: 14993 more lines...O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program 
Files\Google\Gmail Notifier\gnotify.exe (Google Inc.)O4 - HKU\S-1-5-21-3007608149-1695688726-1621582678-1001..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe (Microsoft Corporation)O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO7 - HKU\S-1-5-21-3007608149-1695688726-1621582678-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO7 - HKU\S-1-5-21-3007608149-1695688726-1621582678-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)O15 - HKU\S-1-5-21-3007608149-1695688726-1621582678-1001\..Trusted Domains: akamai.net ([a248.e] http in Trusted sites)O15 - HKU\S-1-5-21-3007608149-1695688726-1621582678-1001\..Trusted Domains: bitdefender.com ([]http in Trusted sites)O15 - HKU\S-1-5-21-3007608149-1695688726-1621582678-1001\..Trusted Domains: bitdefender.com ([kb] http in Trusted sites)O15 - HKU\S-1-5-21-3007608149-1695688726-1621582678-1001\..Trusted Domains: netflame.cc ([ssl-hints] http in Trusted sites)O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} 
http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab (BDSCANONLINE Control)O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 8.8.4.4 8.8.8.8O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not foundO32 - HKLM CDRom: AutoRun - 1O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]O34 - HKLM BootExecute: (autocheck autochk *) - File not foundO34 - HKLM BootExecute: (autocheck PuranDefragBT -AD) - File not foundO35 - HKLM\..comfile [open] -- "%1" %*O35 - HKLM\..exefile [open] -- "%1" %*O37 - HKLM\...com [@ = ComFile] -- "%1" %*O37 - HKLM\...exe [@ = exefile] -- "%1" %*========== Files/Folders - Created Within 30 Days ==========[2011/07/19 22:33:23 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Users\fleamour\Desktop\OTL.exe[2011/07/19 21:23:57 | 000,000,000 | ---D | C] -- C:\Windows\Minidump[2011/07/19 21:03:18 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\{5CF4032B-1BAA-4951-822B-4A4DC7B38326}[2011/07/18 09:53:17 | 000,028,552 | ---- | C] (Panda Security, S.L.) 
-- C:\Windows\System32\drivers\pavboot.sys[2011/07/18 09:53:15 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security[2011/07/18 08:00:07 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\{5D04D2B8-2F80-4581-BF03-4833A1561907}[2011/07/17 18:27:22 | 002,322,184 | ---- | C] (ESET) -- C:\Users\fleamour\Desktop\esetsmartinstaller_enu.exe[2011/07/17 18:24:18 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Roaming\Malwarebytes[2011/07/17 18:24:14 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys[2011/07/17 18:24:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware[2011/07/17 18:24:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes[2011/07/17 18:24:10 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys[2011/07/17 18:24:10 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware[2011/07/17 18:14:59 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\{2F525746-BB80-456F-ABBD-5B0C8F9B7265}[2011/07/16 23:31:41 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Roaming\SUPERAntiSpyware.com[2011/07/16 23:31:41 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com[2011/07/16 22:11:47 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\{3EC6EE34-FAA2-4FE7-806D-681C5F295ED0}[2011/07/15 20:22:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy[2011/07/15 20:22:09 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy[2011/07/15 19:17:52 | 000,000,000 | ---D | C] -- C:\Program Files\BullGuard Ltd[2011/07/15 16:54:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Western Digital Corporation[2011/07/15 16:54:39 | 000,000,000 | ---D | C] -- C:\Program Files\Western Digital Corporation[2011/07/15 16:01:05 | 000,000,000 | -HSD | C] -- 
C:\$RECYCLE.BIN[2011/07/15 15:54:12 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe[2011/07/15 15:54:12 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe[2011/07/15 15:54:12 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe[2011/07/15 15:53:19 | 000,000,000 | ---D | C] -- C:\mdwflpgnfg20416m[2011/07/15 15:38:07 | 000,000,000 | ---D | C] -- C:\mdwflpgnfg21075m[2011/07/15 15:38:07 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT[2011/07/15 15:32:27 | 000,000,000 | ---D | C] -- C:\Users\fleamour\Desktop\RK_Quarantine[2011/07/15 15:30:46 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\{457FC8D3-D991-4E3F-964E-E7A96CFB0734}[2011/07/15 13:09:51 | 000,000,000 | ---D | C] -- C:\mdwflpgnfg[2011/07/15 13:08:13 | 000,000,000 | ---D | C] -- C:\ComboFix[2011/07/15 13:01:15 | 004,153,133 | R--- | C] (Swearware) -- C:\Users\fleamour\Desktop\mdwflpgnfg.exe[2011/07/15 12:47:06 | 000,000,000 | ---D | C] -- C:\Qoobox[2011/07/15 08:40:40 | 000,000,000 | ---D | C] -- C:\Windows\BDOSCAN8[2011/07/15 08:30:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos[2011/07/15 08:30:46 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos[2011/07/15 07:38:22 | 000,489,596 | R--- | C] (Swearware) -- C:\Users\fleamour\Desktop\dds.scr[2011/07/15 07:27:08 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\ESET[2011/07/15 02:13:41 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\{48E917FD-65FE-4D1F-BD27-2EB82FF86CF8}[2011/07/14 14:13:16 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\{344A375B-0AB1-41B1-830B-978877B3EE6C}[2011/07/13 17:51:39 | 000,000,000 | ---D | C] -- C:\Users\fleamour\SecurityScans[2011/07/13 17:50:48 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Baseline Security Analyzer 2[2011/07/13 17:44:18 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\{FF9A1E98-2512-4119-8EAD-94ACA4BCC7A8}[2011/07/12 21:17:38 | 000,000,000 | ---D | C] -- C:\Program 
Files\Apple Software Update[2011/07/12 20:57:51 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll[2011/07/12 20:57:51 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll[2011/07/12 20:57:51 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll[2011/07/12 20:57:50 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll[2011/07/12 20:57:50 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll[2011/07/12 20:57:50 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll[2011/07/12 20:57:50 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll[2011/07/12 20:57:50 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll[2011/07/12 20:57:50 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll[2011/07/12 20:57:50 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll[2011/07/12 20:57:50 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll[2011/07/12 20:57:50 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll[2011/07/12 20:57:50 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll[2011/07/12 20:57:50 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll[2011/07/12 20:57:50 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll[2011/07/12 20:57:50 | 
000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll[2011/07/12 20:57:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll[2011/07/12 20:57:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll[2011/07/12 20:57:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll[2011/07/12 20:57:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll[2011/07/12 20:57:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll[2011/07/12 20:57:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll[2011/07/12 20:57:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll[2011/07/12 20:57:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll[2011/07/12 20:57:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll[2011/07/12 20:57:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll[2011/07/12 20:57:49 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll[2011/07/12 20:57:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll[2011/07/12 20:57:46 | 000,271,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe[2011/07/12 20:57:45 | 000,169,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll[2011/07/12 20:57:31 | 002,334,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys[2011/07/12 20:54:49 | 000,000,000 | ---D 
| C] -- C:\Users\fleamour\AppData\Local\{59658CAE-C2D9-4DB6-9828-7980E64367EF}[2011/07/11 20:05:35 | 000,000,000 | ---D | C] -- C:\Program Files\ESET[2011/07/11 19:45:04 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\{CC717ACE-D0EB-4121-A80F-6511CC40320C}[2011/07/05 16:45:29 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\{764807B2-3CFE-4030-8FA4-F9154C08A26E}[2011/07/04 19:01:57 | 000,000,000 | ---D | C] -- C:\Program Files\COMODO[2011/07/04 14:10:28 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\{A05B776D-1EF9-4436-852B-F63FF4B77EA8}[2011/07/03 16:14:09 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\{1CADC845-3F69-4FF6-973E-4B9CD3ED17D7}[2011/07/01 16:36:33 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\Adobe[2011/07/01 16:35:48 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe[2011/07/01 16:35:48 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe[2011/07/01 16:35:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe[2011/07/01 16:31:47 | 002,560,616 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvsvcr.dll[2011/07/01 16:31:46 | 000,543,336 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\easyupdatusapiu.dll[2011/07/01 16:23:07 | 000,000,000 | ---D | C] -- C:\Program Files\Tracker Software[2011/07/01 12:17:51 | 001,549,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tquery.dll[2011/07/01 12:17:51 | 001,401,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssrch.dll[2011/07/01 12:17:51 | 000,666,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssvp.dll[2011/07/01 12:17:51 | 000,337,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssph.dll[2011/07/01 12:17:51 | 000,197,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssphtb.dll[2011/07/01 12:17:51 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msscntrs.dll[2011/07/01 12:15:40 | 000,000,000 | ---D | C] -- 
C:\Users\fleamour\AppData\Local\{42A4A021-9866-4AFD-9E76-E3AB15AF810A}[2011/06/28 13:34:49 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\{C0995C03-FFB8-4E72-9147-28A1C6A10482}[2011/06/27 15:52:24 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\{85C9F839-F595-4873-A8F7-4D69861F55E7}[2011/06/26 17:34:55 | 000,000,000 | ---D | C] -- C:\Users\fleamour\AppData\Local\{B097DEE0-7B31-4D2B-9E40-686C445AFC9F}[2011/06/22 18:01:26 | 000,053,816 | ---- | C] (Trusteer Ltd.) -- C:\Windows\System32\drivers\RapportKELL.sys========== Files - Modified Within 30 Days ==========[2011/07/19 22:33:18 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\fleamour\Desktop\OTL.exe[2011/07/19 22:31:03 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat[2011/07/19 22:31:01 | 2516,029,440 | -HS- | M] () -- C:\hiberfil.sys[2011/07/19 22:25:32 | 000,013,760 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0[2011/07/19 22:25:32 | 000,013,760 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0[2011/07/19 21:54:08 | 204,877,654 | ---- | M] () -- C:\Windows\MEMORY.DMP[2011/07/19 21:12:20 | 000,000,920 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3007608149-1695688726-1621582678-1001UA.job[2011/07/18 09:43:58 | 001,008,041 | ---- | M] () -- C:\Users\fleamour\Desktop\rkill.exe[2011/07/18 08:12:00 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3007608149-1695688726-1621582678-1001Core.job[2011/07/18 08:05:43 | 000,186,456 | ---- | M] () -- C:\Users\fleamour\Desktop\Capture.PNG[2011/07/17 18:27:25 | 002,322,184 | ---- | M] (ESET) -- C:\Users\fleamour\Desktop\esetsmartinstaller_enu.exe[2011/07/17 18:24:14 | 000,001,072 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk[2011/07/15 20:27:57 | 000,435,740 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts[2011/07/15 
16:49:26 | 000,665,794 | ---- | M] () -- C:\Windows\System32\perfh009.dat[2011/07/15 16:49:26 | 000,125,520 | ---- | M] () -- C:\Windows\System32\perfc009.dat[2011/07/15 15:53:55 | 004,153,133 | R--- | M] (Swearware) -- C:\Users\fleamour\Desktop\mdwflpgnfg.exe[2011/07/15 15:31:16 | 000,516,608 | ---- | M] () -- C:\Users\fleamour\Desktop\winlogon.exe[2011/07/15 08:27:41 | 000,020,552 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys[2011/07/15 07:43:46 | 000,003,373 | ---- | M] () -- C:\Users\fleamour\Desktop\defogger_disable.zip[2011/07/15 07:39:58 | 000,302,592 | ---- | M] () -- C:\Users\fleamour\Desktop\3qhipide.exe[2011/07/15 07:38:26 | 000,489,596 | R--- | M] (Swearware) -- C:\Users\fleamour\Desktop\dds.scr[2011/07/15 07:36:39 | 000,000,000 | ---- | M] () -- C:\Users\fleamour\defogger_reenable[2011/07/15 07:35:47 | 000,050,477 | ---- | M] () -- C:\Users\fleamour\Desktop\Defogger.exe[2011/07/13 17:50:50 | 000,001,082 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Baseline Security Analyzer 2.2.lnk[2011/07/12 22:22:53 | 000,414,792 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT[2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys[2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys[2011/07/04 19:00:25 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl[2011/06/26 07:45:56 | 000,256,000 | ---- | M] () -- C:\Windows\PEV.exe[2011/06/22 18:01:26 | 000,053,816 | ---- | M] (Trusteer Ltd.) 
-- C:\Windows\System32\drivers\RapportKELL.sys========== Files Created - No Company Name ==========[2011/07/19 21:23:56 | 204,877,654 | ---- | C] () -- C:\Windows\MEMORY.DMP[2011/07/18 09:43:53 | 001,008,041 | ---- | C] () -- C:\Users\fleamour\Desktop\rkill.exe[2011/07/18 08:05:43 | 000,186,456 | ---- | C] () -- C:\Users\fleamour\Desktop\Capture.PNG[2011/07/17 18:24:14 | 000,001,072 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk[2011/07/15 15:54:12 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe[2011/07/15 15:54:12 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe[2011/07/15 15:54:12 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe[2011/07/15 15:54:12 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe[2011/07/15 15:54:12 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe[2011/07/15 15:31:40 | 000,516,608 | ---- | C] () -- C:\Users\fleamour\Desktop\winlogon.exe[2011/07/15 07:43:46 | 000,003,373 | ---- | C] () -- C:\Users\fleamour\Desktop\defogger_disable.zip[2011/07/15 07:39:55 | 000,302,592 | ---- | C] () -- C:\Users\fleamour\Desktop\3qhipide.exe[2011/07/15 07:36:39 | 000,000,000 | ---- | C] () -- C:\Users\fleamour\defogger_reenable[2011/07/15 07:35:54 | 000,050,477 | ---- | C] () -- C:\Users\fleamour\Desktop\Defogger.exe[2011/07/13 17:50:50 | 000,001,094 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Baseline Security Analyzer 2.2.lnk[2011/07/13 17:50:50 | 000,001,082 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Baseline Security Analyzer 2.2.lnk[2011/07/01 16:35:54 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk[2011/05/20 19:38:49 | 000,001,330 | ---- | C] () -- C:\Windows\System32\.ini[2011/04/05 18:35:35 | 000,004,112 | ---- | C] () -- C:\Windows\Ascd_tmp.ini[2011/03/20 23:27:11 | 000,725,064 | ---- | C] () -- C:\Windows\System32\pwNative.exe[2011/03/20 23:27:11 | 000,016,472 | ---- | C] () -- 
C:\Windows\System32\pwdrvio.sys[2011/03/20 23:27:11 | 000,011,104 | ---- | C] () -- C:\Windows\System32\pwdspio.sys[2011/02/23 18:05:59 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe[2011/02/23 18:03:53 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe[2011/01/11 15:33:52 | 000,168,557 | ---- | C] () -- C:\Windows\hphins33.dat[2011/01/05 13:26:23 | 000,020,552 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys[2011/01/05 09:25:58 | 000,000,942 | RHS- | C] () -- C:\ProgramData\ntuser.pol[2010/11/22 23:48:08 | 000,000,600 | ---- | C] () -- C:\Users\fleamour\AppData\Roaming\winscp.rnd[2010/08/06 23:48:26 | 001,474,832 | ---- | C] () -- C:\Windows\System32\drivers\sfi.dat[2010/01/29 22:30:08 | 000,000,512 | ---- | C] () -- C:\Windows\hphmdl33.dat[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe[2009/07/14 05:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat[2009/07/14 05:33:53 | 000,414,792 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT[2009/07/14 03:05:48 | 000,665,794 | ---- | C] () -- C:\Windows\System32\perfh009.dat[2009/07/14 03:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat[2009/07/14 03:05:48 | 000,125,520 | ---- | C] () -- C:\Windows\System32\perfc009.dat[2009/07/14 03:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat[2009/07/14 03:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT[2009/07/14 03:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat[2009/07/14 00:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll[2009/06/10 22:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat[2009/01/05 
15:44:10 | 000,053,248 | ---- | C] () -- C:\Windows\bdoscandel.exe[2009/01/05 15:44:10 | 000,000,453 | ---- | C] () -- C:\Windows\bdoscandellang.ini[2006/10/11 04:33:58 | 000,010,288 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS========== Files - Unicode (All) ==========[2010/11/22 22:50:05 | 000,002,340 | ---- | M] ()(C:\Users\fleamour\Documents\omega?.con?tacts?.msn?.com) -- C:\Users\fleamour\Documents\omega.contacts.msn.com[2010/11/22 22:50:05 | 000,002,340 | ---- | C] ()(C:\Users\fleamour\Documents\omega?.con?tacts?.msn?.com) -- C:\Users\fleamour\Documents\omega.contacts.msn.com< End of report >Extras.Txt:OTL Extras logfile created on: 19/07/2011 22:34:27 - Run 1OTL by OldTimer - Version 3.2.26.1 Folder = C:\Users\fleamour\Desktop Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstationInternet Explorer (Version = 9.0.8112.16421)Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy3.12 Gb Total Physical Memory | 2.12 Gb Available Physical Memory | 67.73% Memory free6.24 Gb Paging File | 5.13 Gb Available in Paging File | 82.12% Paging File freePaging file location(s): ?:\pagefile.sys [binary data]%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program FilesDrive C: | 148.76 Gb Total Space | 69.55 Gb Free Space | 46.75% Space Free | Partition Type: NTFSDrive D: | 298.05 Mb Total Space | 256.16 Mb Free Space | 85.95% Space Free | Partition Type: NTFSDrive E: | 415.47 Gb Total Space | 62.55 Gb Free Space | 15.06% Space Free | Partition Type: NTFSDrive F: | 316.71 Gb Total Space | 223.56 Gb Free Space | 70.59% Space Free | Partition Type: NTFSDrive H: | 3.71 Gb Total Space | 3.11 Gb Free Space | 83.86% Space Free | Partition Type: FAT32Computer Name: ASROCK | User Name: fleamour | Logged in as Administrator.Boot Mode: Normal | Scan Mode: All usersCompany Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days========== Extra Registry 
(SafeList) ==================== File Associations ==========[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>].cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation).hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)========== Shell Spawning ==========[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]batfile [open] -- "%1" %*cmdfile [open] -- "%1" %*comfile [open] -- "%1" %*cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)exefile [open] -- "%1" %*helpfile [open] -- Reg Error: Key error.hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)piffile [open] -- "%1" %*regfile [merge] -- Reg Error: Key error.scrfile [config] -- "%1"scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %lscrfile [open] -- "%1" /Stxtfile [edit] -- Reg Error: Key error.Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)Directory [hitmanpro] -- "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" "%1\"Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)Folder [explore] -- Reg Error: Value error.Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)========== Security Center Settings ==========[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]"cval" = 1"FirewallDisableNotify" = 0"AntiVirusDisableNotify" = 0"UpdatesDisableNotify" = 0[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]"VistaSp1" = Reg Error: Unknown registry data type -- File not found"AntiVirusOverride" = 0"AntiSpywareOverride" = 0"FirewallOverride" = 0[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security 
Center\Svc\Vol]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = Google Gmail Notifier
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{12FEC00C-027C-4A34-9AAB-562EDA43DC18}_is1" = MiniTool Partition Wizard Home Edition 5.2
"{1374CC63-B520-4f3f-98E8-E9020BF01CFF}" = Windows XP Mode
"{13CD417D-F1F1-4AC4-945D-FDDEB884756F}" = Microsoft Baseline Security Analyzer 2.2
"{1458BB78-1DC5-4BC0-B9A3-2B644F5A8105}" = DeviceDiscovery
"{150B6201-E9E6-4DFB-960E-CCBD53FBDDED}" = HPProductAssistant
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java 6 Update 21
"{292F0F52-B62D-4E71-921B-89A682402201}" = Toolbox
"{2FB9EA69-51D4-4913-9AD5-762C034DE811}" = Status
"{343A1706-26A4-45EA-88CF-37CA172B0F27}" = D1600
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{50A0893D-47D8-48E0-A7E8-44BCD7E4422E}" = Microsoft SQL Server Native Client
"{519C4DB6-B53B-4F5C-8297-89B2BE949FA5}_is1" = Data Lifeguard Diagnostic for Windows 1.24
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{57729BE1-DE2C-45DB-9FFA-5C1949679B3E}" = Watchtower Library 2010 - English
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5DCF0E4B-F8EA-4229-A0BD-5CA6D4AFB749}" = SolutionCenter
"{60FFB3E0-6D5B-4D73-AE5B-07E58B83AF0C}" = 32 Bit HP CIO Components Installer
"{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{74DC0593-6BC6-4001-AD5F-D810AFB68D86}" = HP Update
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7E6066E6-8B5B-4100-B0FA-1D9E9B663CBA}" = iTunes
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8EE94FD8-5F52-4463-A340-185D16328158}" = WebReg
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{90120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_STANDARD_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_STANDARD_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_STANDARD_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_STANDARD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_STANDARD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96178C0A-BAF9-4E49-A2A5-CDE76722105B}" = HP Deskjet D1600 Printer Driver Software 14.0 Rel. 6
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C2F9B2C-1585-43AD-9EF9-48AAD60DFC04}" = Microsoft IntelliPoint 8.1
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC35A885-0F8F-4857-B7DA-6E8DFB43E6B3}" = HPSSupply
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BB3447F6-9553-4AA9-960E-0DB5310C5779}" = GPBaseService2
"{C0D2F614-5CE5-4DCB-8678-E5C9AF7044F8}" = Microsoft SQL Server VSS Writer
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
"{C38D079C-950D-4F18-BF7B-CE58DE86D3BD}" = Image Resizer Powertoy Clone for Windows
"{C9B2F671-870B-43A0-8B9D-7DB30CEBD87E}" = DJ_SF_06_D1600_SW_Min
"{CAE4213F-F797-439D-BD9E-79B71D115BE3}" = HPPhotoGadget
"{CD31E63D-47FD-491C-8117-CF201D0AFAB5}" = TrayApp
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D360FA88-17C8-4F14-B67F-13AAF9607B12}" = MarketResearch
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{FA0FF682-CC70-4C57-93CD-E276F3E7537E}" = BufferChm
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"7-Zip" = 7-Zip 4.65
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.12 (Unicode)
"BullGuard Online Scanner" = BullGuard Online Scanner
"CCleaner" = CCleaner
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"EasyBCD" = EasyBCD 2.0
"ESET Online Scanner" = ESET Online Scanner v3
"HashOnClick_is1" = HashOnClick
"HitmanPro35" = Hitman Pro 3.5
"HP Imaging Device Functions" = HP Imaging Device Functions 14.0
"HP Photo Creations" = HP Photo Creations
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 14.0
"HPExtendedCapabilities" = HP Customer Participation Program 14.0
"LAME for Audacity_is1" = LAME v3.98.3 for Audacity
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft IntelliPoint 8.1" = Microsoft IntelliPoint 8.1
"Mozilla Firefox 4.0 (x86 en-GB)" = Mozilla Firefox 4.0 (x86 en-GB)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"Puran Defrag Free Edition_is1" = Puran Defrag Free Edition 7.2
"Rapport_msi" = Rapport
"Shop for HP Supplies" = Shop for HP Supplies
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.4
"Spotify" = Spotify
"STANDARD" = Microsoft Office Standard 2007
"UBCD4Win_is1" = UBCD4Win 3.60
"WinLiveSuite" = Windows Live Essentials
"winscp3_is1" = WinSCP 4.2.9
========== HKEY_USERS Uninstall List ==========
[HKEY_USERS\S-1-5-21-3007608149-1695688726-1621582678-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 14/07/2011 17:37:09 | Computer Name = ASRock | Source = VSS | ID = 12289
Description =
Error - 14/07/2011 17:37:09 | Computer Name = ASRock | Source = VSS | ID = 12289
Description =
Error - 15/07/2011 02:43:06 | Computer Name = ASRock | Source = Application Error | ID = 1000
Description = Faulting application name: 3qhipide.exe, version: 1.0.15.15640, time stamp: 0x4de220a0 Faulting module name: 3qhipide.exe, version: 1.0.15.15640, time stamp: 0x4de220a0 Exception code: 0xc0000005 Fault offset: 0x0000c676 Faulting process id: 0x10dc Faulting application start time: 0x01cc42ba1b9f5847 Faulting application path: C:\Users\fleamour\Desktop\3qhipide.exe Faulting module path: C:\Users\fleamour\Desktop\3qhipide.exe Report Id: b1ac52fd-aead-11e0-b262-00196670d7fe
Error - 15/07/2011 08:06:31 | Computer Name = ASRock | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d6727a7 Faulting module name: HashOnClick.dll_unloaded, version: 0.0.0.0, time stamp: 0x499cfca0 Exception code: 0xc0000005 Fault offset: 0x08b08484 Faulting process id: 0x1c4 Faulting application start time: 0x01cc42e47c6f0db2 Faulting application path: C:\Windows\Explorer.EXE Faulting module path: HashOnClick.dll Report Id: e00b4a1f-aeda-11e0-b4e4-00196670d7fe
Error - 15/07/2011 13:36:03 | Computer Name = ASRock | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "c:\UBCD4Win\BartPE\PROGRAMS\Recuva\Recuva64.exe". Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
Error - 15/07/2011 13:36:07 | Computer Name = ASRock | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\UBCD4Win\BartPE\PROGRAMS\spybot\DelZip179.dll". Error in manifest or policy file "c:\UBCD4Win\BartPE\PROGRAMS\spybot\DelZip179.dll" on line 8. The value "*" of attribute "language" in element "assemblyIdentity" is invalid.
Error - 15/07/2011 14:18:37 | Computer Name = ASRock | Source = Application Error | ID = 1000
Description = Faulting application name: DllHost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc6b7 Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7b96e Exception code: 0xc0000374 Fault offset: 0x000c37b7 Faulting process id: 0x7c4 Faulting application start time: 0x01cc431b938c5530 Faulting application path: C:\Windows\system32\DllHost.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: db57e499-af0e-11e0-a098-00196670d7fe
Error - 17/07/2011 19:05:24 | Computer Name = ASRock | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "c:\UBCD4Win\BartPE\PROGRAMS\Recuva\Recuva64.exe". Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
Error - 17/07/2011 19:05:27 | Computer Name = ASRock | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\UBCD4Win\BartPE\PROGRAMS\spybot\DelZip179.dll". Error in manifest or policy file "c:\UBCD4Win\BartPE\PROGRAMS\spybot\DelZip179.dll" on line 8. The value "*" of attribute "language" in element "assemblyIdentity" is invalid.
Error - 17/07/2011 19:05:40 | Computer Name = ASRock | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files\spybot - search & destroy\DelZip179.dll". Error in manifest or policy file "c:\program files\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language" in element "assemblyIdentity" is invalid.
[ System Events ]
Error - 17/06/2011 11:04:00 | Computer Name = ASRock | Source = Microsoft-Windows-Kernel-Processor-Power | ID = 6
Description = Some processor performance power management features have been disabled due to a known firmware problem. Check with the computer manufacturer for updated firmware.
Error - 17/06/2011 11:07:11 | Computer Name = ASRock | Source = DCOM | ID = 10010
Description =
Error - 18/06/2011 13:17:01 | Computer Name = ASRock | Source = DCOM | ID = 10010
Description =
Error - 26/06/2011 12:33:55 | Computer Name = ASRock | Source = Microsoft-Windows-Kernel-Processor-Power | ID = 6
Description = Some processor performance power management features have been disabled due to a known firmware problem. Check with the computer manufacturer for updated firmware.
Error - 26/06/2011 12:41:43 | Computer Name = ASRock | Source = DCOM | ID = 10010
Description =
Error - 28/06/2011 08:33:05 | Computer Name = ASRock | Source = Microsoft-Windows-Kernel-Processor-Power | ID = 6
Description = Some processor performance power management features have been disabled due to a known firmware problem. Check with the computer manufacturer for updated firmware.
Error - 01/07/2011 07:12:26 | Computer Name = ASRock | Source = Microsoft-Windows-Kernel-Processor-Power | ID = 6
Description = Some processor performance power management features have been disabled due to a known firmware problem. Check with the computer manufacturer for updated firmware.
Error - 01/07/2011 07:38:07 | Computer Name = ASRock | Source = Microsoft-Windows-Kernel-Processor-Power | ID = 6
Description = Some processor performance power management features have been disabled due to a known firmware problem. Check with the computer manufacturer for updated firmware.
Error - 01/07/2011 11:16:41 | Computer Name = ASRock | Source = Microsoft-Windows-Kernel-Processor-Power | ID = 6
Description = Some processor performance power management features have been disabled due to a known firmware problem. Check with the computer manufacturer for updated firmware.
Error - 04/07/2011 09:08:38 | Computer Name = ASRock | Source = Microsoft-Windows-Kernel-Processor-Power | ID = 6
Description = Some processor performance power management features have been disabled due to a known firmware problem. Check with the computer manufacturer for updated firmware.
< End of report >
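The settings and event-log sections of an OTL report like the one above are the parts a helper reads first: the three firewall profiles should each show "EnableFirewall" = 1, System Restore should not be disabled, and each Application Error entry names the faulting executable together with its path. The script below is an added example, written for this page rather than taken from the thread or from OTL, that parses those two sections from an OTL-style report and lists weak settings and crashes of executables run from user-writable locations. The embedded SAMPLE_REPORT is a constructed excerpt in the same format as the log above, with the StandardProfile values deliberately weakened so the audit has something to report; the USER_WRITABLE path list and the wording of the findings are my own choices.

```python
"""Audit the settings and event-log sections of an OTL-style report.

Added example (not OTL's code and not from the thread).  SAMPLE_REPORT is
a constructed excerpt in the format of the report pasted above; the
StandardProfile values are deliberately weakened so the audit has
something to flag (the real log shows all three profiles enabled).
"""
import re

SAMPLE_REPORT = r"""
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 1
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 15/07/2011 02:43:06 | Computer Name = ASRock | Source = Application Error | ID = 1000
Description = Faulting application name: 3qhipide.exe, version: 1.0.15.15640 Faulting application path: C:\Users\fleamour\Desktop\3qhipide.exe Faulting module path: C:\Users\fleamour\Desktop\3qhipide.exe
Error - 15/07/2011 14:18:37 | Computer Name = ASRock | Source = Application Error | ID = 1000
Description = Faulting application name: DllHost.exe, version: 6.1.7600.16385 Faulting application path: C:\Windows\system32\DllHost.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
[ System Events ]
Error - 17/06/2011 11:07:11 | Computer Name = ASRock | Source = DCOM | ID = 10010
Description =
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")              # registry key header
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')             # "Name" = value
EVENT_RE = re.compile(
    r"^Error - (\S+ \S+) \| Computer Name = (.+?) \| Source = (.+?) \| ID = (\d+)$"
)
FAULT_PATH_RE = re.compile(r"Faulting application path: (\S+)")

# Path fragments (lower-case) under which an ordinary user can write;
# a crashing executable living there deserves a second look.  Assumed list.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")


def parse_report(text):
    """Return (settings, events).

    settings maps (registry key, value name) -> raw string value;
    events is a list of dicts with date, computer, source, id, description.
    """
    settings, events, current_key = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if SECTION_RE.match(line):          # new section: forget the key context
            current_key = None
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            settings[(current_key, m.group(1))] = m.group(2)
            continue
        m = EVENT_RE.match(line)
        if m:
            events.append({"date": m.group(1), "computer": m.group(2),
                           "source": m.group(3), "id": int(m.group(4)),
                           "description": ""})
            continue
        if line.startswith("Description =") and events:
            events[-1]["description"] = line.partition("=")[2].strip()
    return settings, events


def audit(text):
    """Return a list of human-readable findings, in report order."""
    settings, events = parse_report(text)
    findings = []
    for (key, name), value in settings.items():
        profile = key.rsplit("\\", 1)[-1]   # DomainProfile / StandardProfile / ...
        if name == "EnableFirewall" and value != "1":
            findings.append(f"firewall disabled for {profile}")
        if name == "DisableNotifications" and value != "0":
            findings.append(f"firewall notifications suppressed for {profile}")
        if name == "DisableSR" and value != "0":
            findings.append("System Restore disabled")
    for ev in events:
        if ev["source"] == "Application Error" and ev["id"] == 1000:
            m = FAULT_PATH_RE.search(ev["description"])
            if m and any(tag in m.group(1).lower() for tag in USER_WRITABLE):
                findings.append(
                    f"crash in executable under a user-writable path: {m.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REPORT):
        print(finding)
```

Run against the real log above the Desktop hit would be the randomly named diagnostic tool the thread mentions later, so that finding is a triage prompt rather than a verdict; the point of the parser is to make the settings and the crash paths visible without reading a wall of text.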
Elise Posted July 20, 2011 ID:456102
Are you using XP mode for any hardware compatibility issue? I see some errors that may point at incorrectly installed hardware, which can lead to the kind of problem you are experiencing.
I also see some leftovers of Panda antivirus; did you use this at some point?
fleamour Posted July 20, 2011 Author ID:456237
I installed Panda Cloud Antivirus right back when I installed Windows. I've also used their on-demand scanner recently.
I do have XP Mode installed, though I hardly use it.
Elise Posted July 20, 2011 ID:456238
Please open Computer > C drive. Do you see there a folder that starts with WA and then those random characters (as seen in the mbam scan)? I do not see this folder back in any of the logs.
fleamour Posted July 20, 2011 Author ID:456240
Not even with show hidden & OS files checked.
Elise Posted July 20, 2011 ID:456272
Hi again,
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:folderfind
c:\wa*
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
fleamour Posted July 20, 2011 Author ID:456302
SystemLook 04.09.10 by jpshortstuff
Log created at 22:12 on 20/07/2011 by fleamour
Administrator - Elevation successful
========== folderfind ==========
Searching for "c:\wa*"
No folders found.
-= EOF =-
fleamour Posted July 21, 2011 Author ID:456631
Do you think I'm infected? Really disappointed with Windows if that is the case. Would hate to have to reinstall OS. I am not doing any internet banking just in case.
Elise Posted July 21, 2011 ID:456743
My apologies, I had some trouble with internet connection/power today due to bad weather. I honestly don't know what to think of this; I cannot find any reference to this file in your logs. What we can try, is creating a live CD, which you can use to access your windows partition. You can then look for this file/folder in the drive root.
Download GETxPUD.exe to the desktop of your clean computer
Run GETxPUD.exe
A new folder will appear on the desktop.
Open the GETxPUD folder and click on the get&burn.bat
The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
Click on Start and follow the prompts to burn the image to a CD.
Remove the USB & CD and insert it in the sick computer
Boot the Sick computer with the CD you just burned
The computer must be set to boot from the CD
Gently tap F12 and choose to boot from the CD
Follow the prompts
A Welcome to xPUD screen will appear
Press File
Expand mnt
sda1,2...usually corresponds to your HDD
Look at the partition containing the Windows folder (usually sda1) and see if you see a folder starting with WA and having weird characters
fleamour Posted July 21, 2011 Author ID:456758
When you say "clean computer", I am not to build on infected PC? All my other OSs are Linux, although I can borrow a clean PC at a push, from a friend.
fleamour Posted July 21, 2011 Author ID:456788
My C drive is BitLocker encrypted, which makes mounting with any live CD a no-no. I can turn off encryption, then mount and search for the errant folder with a spare Xubuntu live CD I have lying around?
Elise Posted July 22, 2011 ID:457008
Yes, that is okay, Ubuntu should work just as well.
fleamour Posted July 22, 2011 Author ID:457128
Mounted with Xubuntu live CD. The only weird folders are the randomly named ComboFix/GMER, however......
Decrypted drive to mount with live CD & MBAM is now scanning!?! It must be a bug with BitLocker. I use BitLocker as it supposedly makes life harder for hackers? Can you file a bug report? I am soooo relieved, will reload AV/anti spyware/FW & get on with life in the peace of mind that I'm not compromised!
Case closed!!!
fleamour Posted July 22, 2011 Author ID:457148
Turns out BitLocker is not only an expensive premium (?!?) feature, but also a resource hog. 7 boots much faster without it, and keeps up with Ubuntu now.
Elise Posted July 22, 2011 ID:457167
I am not sure this is a bug, but I'll ask someone to look at it. It is possible BitLocker will not allow security products to scan certain sections of the file system, which would cause this kind of problem.
I am glad we managed to find the reason for this weird behavior!
ALL CLEAN
--------------
Your machine appears to be clean; please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.
Please do the following to remove the remaining programs from your PC:
Delete the tools used during the disinfection:
Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
Delete DDS and GMER (this is a random named file).
Please read this advice, in order to prevent reinfecting your PC:
Install and update the following programs regularly:
an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall. A comprehensive tutorial and a list of possible firewalls can be found here.
an AntiVirus Software. It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
an Anti-Spyware program. Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates. SUPERAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
Spyware Blaster. A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
Keep Windows (and your other Microsoft software) up to date! I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer. Therefore, please visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
Keep your other software up to date as well. Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
Stay up to date! The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:
Miekies' prevention suggestions
So How did I get infected?
Microsoft - 'Security at home'
Calendar of Updates: See which updates have been released.
How to backup your Data with Cobian Backup: because you never know when your harddisk might fail :wink:
Commonly Used Freeware Replacements: a nice list of freeware programs in all categories, that are regarded as useful by the users of this forum.
osalt: Find (free) open source alternatives to known commercial software.
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.
fleamour Posted July 22, 2011 Author ID:457172
Thanks for your assistance, will donate you a couple of quid for a coffee!
You forgot to mention Defogger!