help with Backdoor Trojan



lilcrooky
2010-05-14, 01:55
Hi, can anyone help me with advice on how to remove a virus my PC seems to have got 2 days ago? It's called Backdoor:Win32/Nuwar.A and seems to be in at least one folder, AppData/local.asam, and possibly in AppData/local.syssvc too (according to Microsoft Security Essentials, as it asks me to send info on those files every time it has to clean Backdoor:Win32/Nuwar.A from the system).

My Microsoft Security Essentials has detected and deleted this virus over and over in the past 48 hrs since it showed up, but it just keeps popping back, and I have to repeat scans and deletes time after time.

I'm stumped on what to do. I rarely ever get any viruses or any cause for Microsoft Security Essentials to be called into action; past rare problems have been dealt with and deleted the first time, no problem, but this virus just keeps coming back for more, and I've no idea what to do since Microsoft Security Essentials doesn't seem to be able to deal with it this time.

Many Thanks.

Allison.

I'm really sorry, I should have read more carefully what info I needed to include with my description. I'm a noob, I apologise. After re-reading the "before you post" topic more carefully after my first post above, I only hope I now get it right and put the bits in right in this second post, or my secret identity as a blonde air-head will be blown. lol.... here goes...

DDS (Ver_10-03-17.01) - NTFSx86
Run by Allison at 1:17:22.41 on 14/05/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1534.867 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Allison\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QP0OFCO2\dds[1].scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [dwdttuvn] c:\users\allison\appdata\local\xxaimewmp\lrijxgmtssd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\allison\appdata\roaming\mozilla\firefox\profiles\v1soe1id.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://facebook.com/
FF - prefs.js: keyword.URL - hxxp://search.bearshare.com//web?src=ffb&q=
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\users\allison\appdata\roaming\mozilla\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
S2 IK;IKE and AuthIP IPsec Keying Modules;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]

=============== Created Last 30 ================

2010-05-13 07:28:45 4838 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-05-12 02:37:40 157634354 ----a-w- c:\windows\MEMORY.DMP
2010-05-01 02:58:20 0 d-----w- c:\programdata\1468
2010-04-27 23:09:52 0 d-----w- c:\program files\common files\DivX Shared
2010-04-27 23:09:06 0 d-----w- c:\program files\DivX
2010-04-27 23:08:36 0 d-----w- c:\programdata\DivX
2010-04-27 16:55:30 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-04-20 09:46:04 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-04-20 09:46:03 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-04-20 09:46:00 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-04-20 09:45:58 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-04-20 09:35:41 0 d--h--w- c:\windows\msdownld.tmp
2010-04-20 09:35:35 0 d-----w- c:\windows\system32\directx
2010-04-19 17:18:27 0 d-----w- c:\program files\Microsoft Security Essentials

==================== Find3M ====================

2010-04-20 15:35:46 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-20 15:25:39 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-20 15:25:39 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-17 17:24:40 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-02-24 10:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-10 17:26:11 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-02-05 12:27:47 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-12-18 17:00:45 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 1:18:24.26 ===============
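Triage heuristics for the "Pseudo HJT Report" section of the DDS log above, as an added example that is not part of the thread and not code from DDS, ComboFix or any other tool mentioned here. The sample lines are copied from that log; the rule names, the localhost-proxy and AppData-autostart rules, the vowel-ratio randomness check and the list of known search hosts are my own assumptions.

```python
import re

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" in the thread.
# DDS writes http as hxxp so the URLs are not clickable.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [dwdttuvn] c:\users\allison\appdata\local\xxaimewmp\lrijxgmtssd.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
FF - prefs.js: keyword.URL - hxxp://search.bearshare.com//web?src=ffb&q=
"""

RUN_LINE = re.compile(r"^(?P<hive>[um]Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
PROXY_LINE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
KEYWORD_LINE = re.compile(r"^FF - prefs\.js: keyword\.URL - (?P<url>\S+)")
BHO_NO_FILE = re.compile(r"^BHO: \{[0-9A-Fa-f-]+\} - No File$")

# Hosts a Firefox keyword.URL is allowed to point at (assumption; extend as needed).
KNOWN_SEARCH_HOSTS = ("google.com", "bing.com", "yahoo.com")


def looks_random(name: str) -> bool:
    """Crude randomness check: long names with almost no vowels (e.g. 'dwdttuvn').
    Only used to raise severity, never as the sole trigger, because abbreviations
    such as 'msnmsgr' trip it as well."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def exe_path(cmd: str) -> str:
    """Return the executable from a Run value; DDS quotes paths containing spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def _host(url: str) -> str:
    m = re.match(r"^h(?:xx|tt)ps?://([^/?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage(report: str) -> list:
    """Walk the report line by line and return findings as dicts."""
    findings = []

    def add(severity, rule, line):
        findings.append({"severity": severity, "rule": rule, "line": line})

    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PROXY_LINE.match(line)
        if m and re.search(r"127\.0\.0\.1|localhost", m.group("value")):
            # Browser traffic routed through a proxy on the machine itself, on a home
            # PC with no local filtering proxy installed, is a common hijacker indicator.
            add("high", "local-proxy", line)
            continue
        if BHO_NO_FILE.match(line):
            # Orphaned BHO: the CLSID is registered but its DLL is gone (often a partial clean-up).
            add("low", "bho-no-file", line)
            continue
        m = RUN_LINE.match(line)
        if m:
            path = exe_path(m.group("cmd")).lower()
            if "\\appdata\\" in path:
                # Autostarts launched from a user profile directory deserve a look;
                # a random-looking key or folder name raises the severity.
                folder = path.split("\\")[-2]
                sev = "high" if looks_random(m.group("name")) or looks_random(folder) else "medium"
                add(sev, "autostart-from-appdata", line)
            continue
        m = KEYWORD_LINE.match(line)
        if m and not _host(m.group("url")).endswith(KNOWN_SEARCH_HOSTS):
            add("medium", "search-hijack", line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f['severity']:6} {f['rule']:24} {f['line']}")
```

On the sample it flags the 127.0.0.1:5555 proxy, the orphaned BHO, the dwdttuvn autostart under AppData\Local (the entry ComboFix later lists under "ORPHANS REMOVED") and the bearshare keyword.URL.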

peku006
2010-05-17, 15:45
Hello and welcome to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:


If you don't know or understand something please don't hesitate to ask
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

We will begin with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs, see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include C:\ComboFix.txt in your next reply.

Thanks peku006

lilcrooky
2010-05-17, 22:34
ComboFix 10-05-16.02 - Allison 17/05/2010 19:36:33.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1534.886 [GMT 1:00]
Running from: c:\users\Allison\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))
.

2010-05-15 17:28 . 2010-05-15 17:28 -------- d-----w- c:\users\Allison\AppData\Roaming\Safer Networking
2010-05-15 17:26 . 2010-05-15 17:28 -------- d-----w- c:\program files\Safer Networking
2010-05-14 13:39 . 2010-05-14 13:39 2855 ----a-w- c:\users\Allison\AppData\Local\syssvc.PIF
2010-05-14 01:19 . 2010-05-14 01:24 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-14 01:19 . 2010-05-14 01:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-14 01:10 . 2010-05-14 01:12 -------- d-----w- c:\program files\ERUNT
2010-05-13 07:21 . 2010-05-13 07:21 61184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{EAB66D24-8614-3E15-A4B7-BE2D7054983A}-asam.exe
2010-05-12 03:24 . 2010-05-12 03:24 61184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{0D7CE56F-74E6-6B51-C4F9-A8D568E6C3D3}-asam.exe
2010-05-12 03:17 . 2010-05-12 03:17 2855 ----a-w- c:\users\Allison\AppData\Local\asam.PIF
2010-05-12 01:12 . 2010-05-12 01:12 61184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{20C19514-C1F7-28B5-4721-19085FA3684C}-syssvc.exe
2010-05-01 02:58 . 2010-05-01 02:58 -------- d-----w- c:\programdata\1468
2010-04-27 23:11 . 2010-04-27 23:11 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-27 23:11 . 2010-04-27 23:08 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-04-27 23:11 . 2010-04-06 11:04 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-04-27 23:10 . 2010-04-27 23:10 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-27 23:10 . 2010-04-27 23:10 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-04-27 23:10 . 2010-04-27 23:10 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-04-27 23:10 . 2010-04-27 23:10 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-04-27 23:10 . 2010-04-27 23:10 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-27 23:09 . 2010-04-27 23:09 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-04-27 23:09 . 2010-04-27 23:09 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-04-27 23:09 . 2010-04-27 23:10 -------- d-----w- c:\program files\DivX
2010-04-27 23:08 . 2010-04-27 23:10 -------- d-----w- c:\programdata\DivX
2010-04-27 16:55 . 2010-04-27 16:55 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-04-20 09:46 . 2010-02-04 09:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-04-20 09:46 . 2010-02-04 09:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-04-20 09:46 . 2010-02-04 09:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-04-20 09:45 . 2010-02-04 09:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-04-20 09:35 . 2010-04-20 09:42 -------- d--h--w- c:\windows\msdownld.tmp
2010-04-19 17:18 . 2010-04-19 17:18 -------- d-----w- c:\program files\Microsoft Security Essentials

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-13 22:11 . 2010-05-13 07:28 4838 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-05-06 14:04 . 2009-12-08 11:55 1356 ----a-r- c:\users\Allison\AppData\Local\d3d9caps.dat
2010-05-01 04:09 . 2009-12-22 22:29 -------- d-----w- c:\program files\Google
2010-04-20 15:25 . 2010-03-21 02:38 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-04-18 16:37 . 2009-11-28 13:45 99864 ----a-w- c:\users\Allison\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-17 17:24 . 2010-03-20 16:31 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-04-14 15:19 . 2009-12-15 04:52 -------- d-----w- c:\programdata\NOS
2010-04-13 21:16 . 2010-04-13 21:16 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb34AA.tmp.exe
2010-04-12 18:05 . 2009-11-28 14:02 -------- d-----w- c:\program files\World of Warcraft
2010-04-06 18:30 . 2010-04-06 18:30 -------- d-----w- c:\programdata\WindowsSearch
2010-03-26 19:57 . 2010-03-26 19:57 -------- d-----w- c:\users\Kids\AppData\Roaming\Logitech
2010-03-26 05:55 . 2009-12-17 15:45 -------- d-----w- c:\program files\Steam
2010-03-26 05:35 . 2009-11-30 17:05 -------- d-----w- c:\programdata\Apple Computer
2010-03-24 21:06 . 2010-03-24 21:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\AdobeARM.exe
2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\AdobeExtractFiles.dll
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\ReaderUpdater.exe
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\AcrobatUpdater.exe
2010-03-21 02:40 . 2010-03-21 02:40 53248 ----a-r- c:\users\Allison\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-03-21 02:40 . 2010-01-19 18:07 -------- d-----w- c:\programdata\LogiShrd
2010-03-21 02:39 . 2010-03-21 02:39 -------- d-----w- c:\program files\Common Files\SetPointG
2010-03-21 02:39 . 2010-03-21 02:39 -------- d-----w- c:\program files\Common Files\SetPointP
2010-03-20 16:25 . 2010-03-20 16:22 -------- d-----w- c:\users\Allison\AppData\Roaming\Logitech
2010-03-20 16:23 . 2010-03-20 16:22 -------- d-----w- c:\users\Allison\AppData\Roaming\Logishrd
2010-03-20 12:59 . 2010-01-27 17:32 -------- d-----w- c:\programdata\Microsoft Help
2010-03-20 09:52 . 2010-03-12 11:10 -------- d-----w- c:\program files\Canon
2010-03-20 09:50 . 2010-03-12 07:12 -------- d-----w- c:\users\Allison\AppData\Roaming\Canon
2010-03-20 09:28 . 2009-12-17 15:46 -------- d-----w- c:\program files\Common Files\Steam
2010-02-24 10:16 . 2009-11-29 10:47 181632 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-29 61440]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

c:\users\Kids\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office Groove.lnk - c:\program files\Microsoft Office\Office12\GROOVE.EXE [2007-8-29 340856]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\users\Allison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
taskmgr shortcut.lnk - c:\windows\System32\taskmgr.exe [2008-1-21 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EvtMgr6]
2010-01-27 11:30 1312848 ----a-w- c:\program files\Common Files\SetPointP\SetPoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):36,7a,29,09,1b,92,ca,01

R2 IK;IKE and AuthIP IPsec Keying Modules;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-05-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-05-14 14:31]

2010-05-14 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2010-05-14 14:31]

2010-05-17 c:\windows\Tasks\User_Feed_Synchronization-{3BA4D43F-A437-4B6A-A315-69B39969253D}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]

2010-05-17 c:\windows\Tasks\User_Feed_Synchronization-{850964FB-6DB5-4D9A-9069-350105764764}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]

2010-05-17 c:\windows\Tasks\User_Feed_Synchronization-{D58A8518-80BB-4064-9FA8-053C5566BE4A}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\Allison\AppData\Roaming\Mozilla\Firefox\Profiles\v1soe1id.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://facebook.com/
FF - prefs.js: keyword.URL - hxxp://search.bearshare.com//web?src=ffb&q=
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\users\Allison\AppData\Roaming\Mozilla\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-dwdttuvn - c:\users\Allison\AppData\Local\xxaimewmp\lrijxgmtssd.exe
MSConfigStartUp-DriverUpdaterPro - c:\program files\CleverTune Software\Driver Updater Pro\DriverUpdaterPro.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-17 19:43
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-17 19:47:10
ComboFix-quarantined-files.txt 2010-05-17 18:47

Pre-Run: 79,005,655,040 bytes free
Post-Run: 87,193,210,880 bytes free

Current=3 Default=3 Failed=4 LastKnownGood=5 Sets=1,3,4,5
- - End Of File - - 830DF9DADC585540C9C2F85F93AF2443

peku006
2010-05-18, 09:59
Hi lilcrooky

1 - Download and Run Malwarebytes' Anti-Malware

Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save it to your desktop. If needed...Tutorial w/screenshots (http://thespykiller.co.uk/index.php/topic,5946.0.html)
Alternate download sites available here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or here (http://www.besttechie.net/tools/mbam-setup.exe).
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish. MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
Problems downloading the updates? Manually download them from here (http://malwarebytes.gt500.org/mbam-rules.exe) and double-click on "mbam-rules.exe" to install.
On the Scanner tab:
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
We will take care of the System Volume Information items later.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2 - Status Check
Please reply with

the Malwarebytes' Anti-Malware Log

Thanks peku006

lilcrooky
2010-05-18, 16:48
I also forgot to mention that I have been unable to perform any Windows Updates at all since 16/02/2010. When I try to access Windows Update via the control panel it crashes the control panel (>control panel >system and maintenance >windows update) screen the second I click on Windows Update, and the crashed control panel screen can then only be removed again via the task manager (selecting the crashed control window in the application tab on task manager and clicking end task, which opens a small window saying it is not responding, giving me the option to `end now`, which I do), and when I do that it pops up with a window saying `Windows Explorer is not responding` >check for a solution and close the program (it checks but never offers a solution/no solutions found) & >close the program & view problem details (Description:
A problem caused this program to stop interacting with Windows.

Problem signature:
Problem Event Name: AppHangXProcB1
Application Name: Explorer.EXE
Application Version: 6.0.6002.18005
Application Timestamp: 49e01da5
Hang Signature: 82aa
Hang Type: 6208
Waiting on Application Name: svchost.exe:{9b1f122c-2982-4e91-aa8b-e071d54f2a4d}
Waiting on Application Version: 0.0.0.0
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 2057
Additional Hang Signature 1: cc926d7385ddf3e3f97224a44dccc56f
Additional Hang Signature 2: 49ca
Additional Hang Signature 3: 3fb2b40050b6728d372f689f24329bc1
Additional Hang Signature 4: 82aa
Additional Hang Signature 5: cc926d7385ddf3e3f97224a44dccc56f
Additional Hang Signature 6: 49ca
Additional Hang Signature 7: 3fb2b40050b6728d372f689f24329bc1

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409)

I've also noticed for a couple of months that whenever task manager is open the CPU usage (bar/graph) is always at 100%. When I check this via >task manager >performance >resource monitor >CPU, it shows `svchost.exe` always at the top of that list, using an `average CPU` amount of 72%-81% (it changes constantly while looking at it but is normally between those figures), and old `generate health reports` through the resource monitor have pointed something out to do with `svchost.exe` files that of course I couldn't understand. It seems incredibly high even to a tech novice like myself; nothing else comes close on the `average CPU` list (anything listed under svchost.exe, of many there) in %, so I wondered if that was usual too?

Sorry, I'm PC illiterate, but I can just about find my way around, especially if helped/pointed in the right direction, and would love to get to the bottom of the:

Windows Update issue
CPU usage issue
Backdoor:Win32/Nuwar.A
Trojan:Win32/FakeSpypro

and any other issues my PC may have that haven't been spotted (those four issues/problems/viruses are merely the issues I've managed to see/detect so far, but there may be ones that were not as obvious as those to spot, and have therefore gone easily unspotted by my very untrained eye) and listed above, and restore some normality back to my system, and of course learn how to prevent such occurrences happening again once these ones are resolved, to prevent things getting to this state again. I'm hoping to deal with them, then happy to learn from past mistakes to prevent it happening again.

Thanks for the time and help on this so far...

Allison.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4111

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

18/05/2010 14:47:56
mbam-log-2010-05-18 (14-47-56).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 255960
Time elapsed: 1 hour(s), 37 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

peku006
2010-05-18, 17:17
Hi Allison

Let's take a "deeper look".

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) by Old Timer and save it to your Desktop.

Double click on OTL.exe to run it.
Under Output, ensure that Minimal Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Click on Run Scan at the top left hand corner.
When done, two Notepad files will open.
OTListIt.txt <-- Will be opened
Extra.txt <-- Will be minimized
Please post the contents of these 2 Notepad files in your next reply.

Thanks peku006

lilcrooky
2010-05-18, 18:19
OTL logfile created on: 18/05/2010 16:05:53 - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Allison\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 49.00% Memory free
10.00 Gb Paging File | 9.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): c:\pagefile.sys 8500 9500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 81.25 Gb Free Space | 54.51% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ALLISON-PC
Current User Name: Allison
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Allison\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
PRC - C:\Windows\System32\Macromed\Flash\FlashUtil10e.exe (Adobe Systems, Inc.)
PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Live\Contacts\wlcomm.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Windows\System32\wpcumi.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Allison\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Steam Client Service) -- C:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (MpFilter) -- C:\Windows\System32\drivers\MpFilter.sys (Microsoft Corporation)
DRV - (MpNWMon) -- C:\Windows\System32\drivers\MpNWMon.sys (Microsoft Corporation)
DRV - (LUsbFilt) -- C:\Windows\System32\drivers\LUsbFilt.sys (Logitech, Inc.)
DRV - (LMouKE) -- C:\Windows\System32\drivers\LMouKE.Sys (Logitech, Inc.)
DRV - (LMouFilt) -- C:\Windows\System32\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV - (LHidFilt) -- C:\Windows\System32\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV - (L8042mou) -- C:\Windows\System32\drivers\L8042mou.Sys (Logitech, Inc.)
DRV - (L8042Kbd) -- C:\Windows\System32\drivers\L8042Kbd.sys (Logitech, Inc.)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (UMPass) -- C:\Windows\System32\drivers\umpass.sys (Microsoft Corporation)
DRV - (MegaSR) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (yukonwlh) -- C:\Windows\System32\drivers\yk60x86.sys (Marvell)
DRV - (nvstor32) -- C:\Windows\system32\DRIVERS\nvstor32.sys (NVIDIA Corporation)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (Symc8xx) -- C:\Windows\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
IE - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "BearShare Web Search"
FF - prefs.js..browser.search.order.1: "BearShare Web Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://facebook.com/"
FF - prefs.js..keyword.URL: "http://search.bearshare.com//web?src=ffb&q="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/28 00:08:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/28 00:08:12 | 000,000,000 | ---D | M]

[2009/12/11 23:21:22 | 000,000,000 | ---D | M] -- C:\Users\Allison\AppData\Roaming\Mozilla\Extensions
[2010/05/17 16:14:06 | 000,000,000 | ---D | M] -- C:\Users\Allison\AppData\Roaming\Mozilla\Firefox\Profiles\v1soe1id.default\extensions
[2009/12/15 08:20:58 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Allison\AppData\Roaming\Mozilla\Firefox\Profiles\v1soe1id.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/05 08:55:12 | 000,002,277 | ---- | M] () -- C:\Users\Allison\AppData\Roaming\Mozilla\Firefox\Profiles\v1soe1id.default\searchplugins\BearShareWebSearch.xml
[2009/12/11 15:38:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/28 00:08:08 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/02/22 17:45:04 | 000,000,973 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\BearShareWebSearch.xml
[2010/04/28 00:08:08 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/04/28 00:08:08 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/04/28 00:08:08 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/05/14 07:11:32 | 000,395,221 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 13649 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [WPCUMI] C:\Windows\System32\wpcumi.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Users\Allison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Users\Kids\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Groove.lnk = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE (Microsoft Corporation)
O4 - Startup: C:\Users\Kids\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img18.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img18.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/18 16:03:55 | 000,571,392 | ---- | C] (OldTimer Tools) -- C:\Users\Allison\Desktop\OTL.exe
[2010/05/18 12:55:07 | 000,000,000 | ---D | C] -- C:\Users\Allison\AppData\Roaming\Malwarebytes
[2010/05/18 12:54:58 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/05/18 12:54:57 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/05/18 12:54:57 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/18 12:54:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/05/18 12:48:37 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Allison\Desktop\mbam-setup-1.46.exe
[2010/05/17 19:47:12 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/05/17 19:47:12 | 000,000,000 | ---D | C] -- C:\Users\Allison\AppData\Local\temp
[2010/05/17 19:46:21 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/05/17 19:34:22 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/05/17 19:34:22 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/05/17 19:34:22 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/05/17 19:34:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/05/17 19:30:14 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/15 18:28:53 | 000,000,000 | ---D | C] -- C:\Users\Allison\AppData\Roaming\Safer Networking
[2010/05/15 18:26:12 | 000,000,000 | ---D | C] -- C:\Program Files\Safer Networking
[2010/05/14 02:19:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/05/14 02:19:37 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/14 02:13:27 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/05/14 02:10:46 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/01 03:58:20 | 000,000,000 | ---D | C] -- C:\ProgramData\1468
[2010/04/28 00:13:12 | 000,000,000 | ---D | C] -- C:\Users\Allison\Documents\Downloads
[2010/04/28 00:09:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared
[2010/04/28 00:09:06 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2010/04/28 00:08:36 | 000,000,000 | ---D | C] -- C:\ProgramData\DivX
[2010/04/20 10:46:04 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_4.dll
[2010/04/20 10:46:03 | 000,528,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_6.dll
[2010/04/20 10:46:00 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_6.dll
[2010/04/20 10:45:58 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_7.dll
[2010/04/20 10:35:41 | 000,000,000 | -H-D | C] -- C:\Windows\msdownld.tmp
[2010/04/20 10:35:35 | 000,000,000 | ---D | C] -- C:\Windows\System32\directx
[2010/04/19 18:18:27 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/18 16:06:59 | 000,000,426 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{850964FB-6DB5-4D9A-9069-350105764764}.job
[2010/05/18 16:06:59 | 000,000,426 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{3BA4D43F-A437-4B6A-A315-69B39969253D}.job
[2010/05/18 16:04:26 | 007,077,888 | -HS- | M] () -- C:\Users\Allison\ntuser.dat
[2010/05/18 16:04:14 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Users\Allison\Desktop\OTL.exe
[2010/05/18 16:03:00 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{D58A8518-80BB-4064-9FA8-053C5566BE4A}.job
[2010/05/18 14:35:26 | 000,004,240 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/18 14:35:26 | 000,004,240 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/18 13:37:48 | 000,005,632 | ---- | M] () -- C:\Users\Allison\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/18 12:54:16 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Allison\Desktop\mbam-setup-1.46.exe
[2010/05/18 08:35:22 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/18 08:35:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/18 08:34:41 | 096,423,952 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/05/17 23:16:26 | 000,524,288 | -HS- | M] () -- C:\Users\Allison\ntuser.dat{61c355a3-ebe9-11de-a675-001bb959aa6c}.TMContainer00000000000000000001.regtrans-ms
[2010/05/17 23:16:26 | 000,065,536 | -HS- | M] () -- C:\Users\Allison\ntuser.dat{61c355a3-ebe9-11de-a675-001bb959aa6c}.TM.blf
[2010/05/17 23:16:00 | 002,689,597 | -H-- | M] () -- C:\Users\Allison\AppData\Local\IconCache.db
[2010/05/17 20:42:33 | 000,000,873 | ---- | M] () -- C:\Users\Allison\Desktop\World of Warcraft.lnk
[2010/05/17 20:38:32 | 000,000,732 | ---- | M] () -- C:\Users\Allison\Desktop\ERUNT.lnk
[2010/05/17 20:38:23 | 000,001,073 | ---- | M] () -- C:\Users\Allison\Desktop\Spybot - Search & Destroy.lnk
[2010/05/17 20:38:16 | 000,001,031 | ---- | M] () -- C:\Users\Allison\Desktop\RunAlyzer.lnk
[2010/05/17 20:38:11 | 000,001,013 | ---- | M] () -- C:\Users\Allison\Desktop\RegAlyzer.lnk
[2010/05/17 20:38:07 | 000,001,007 | ---- | M] () -- C:\Users\Allison\Desktop\FileAlyzer.lnk
[2010/05/17 19:43:38 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/05/17 19:33:57 | 003,690,041 | R--- | M] () -- C:\Users\Allison\Desktop\ComboFix.exe
[2010/05/17 19:08:12 | 001,494,626 | ---- | M] () -- C:\Users\Allison\Documents\gays.pptx
[2010/05/17 18:34:03 | 002,318,266 | ---- | M] () -- C:\Users\Allison\Documents\ya.pptx
[2010/05/17 03:26:15 | 000,000,749 | ---- | M] () -- C:\Users\Allison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr shortcut.lnk
[2010/05/14 14:39:59 | 000,002,855 | ---- | M] () -- C:\Users\Allison\AppData\Local\syssvc.PIF
[2010/05/14 14:15:50 | 000,000,334 | ---- | M] () -- C:\Windows\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2010/05/14 07:11:32 | 000,395,221 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/05/14 07:00:55 | 000,000,120 | ---- | M] () -- C:\Windows\wininit.ini
[2010/05/14 05:57:44 | 000,000,270 | ---- | M] () -- C:\Windows\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
[2010/05/14 03:19:55 | 000,001,985 | ---- | M] () -- C:\Users\Allison\Desktop\Windows Live Messenger .lnk
[2010/05/14 03:18:44 | 000,000,770 | ---- | M] () -- C:\Users\Allison\Desktop\Ventrilo.lnk
[2010/05/14 02:24:23 | 000,000,761 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100514-071132.backup
[2010/05/14 02:12:17 | 000,000,913 | ---- | M] () -- C:\Users\Allison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/05/12 04:17:00 | 000,002,855 | ---- | M] () -- C:\Users\Allison\AppData\Local\asam.PIF
[2010/05/12 03:46:13 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/12 03:46:13 | 000,599,942 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/12 03:46:13 | 000,105,448 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/06 15:04:26 | 000,001,356 | R--- | M] () -- C:\Users\Allison\AppData\Local\d3d9caps.dat
[2010/05/01 12:27:07 | 001,103,051 | ---- | M] () -- C:\Users\Allison\Documents\agiienst.pptx
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/27 17:55:32 | 000,002,560 | ---- | M] () -- C:\Windows\_MSRSTRT.EXE
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\Windows\PEV.exe
[2010/04/18 17:37:38 | 000,099,864 | ---- | M] () -- C:\Users\Allison\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/04/18 17:31:19 | 000,370,960 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/17 20:38:32 | 000,000,732 | ---- | C] () -- C:\Users\Allison\Desktop\ERUNT.lnk
[2010/05/17 20:38:23 | 000,001,073 | ---- | C] () -- C:\Users\Allison\Desktop\Spybot - Search & Destroy.lnk
[2010/05/17 20:38:16 | 000,001,031 | ---- | C] () -- C:\Users\Allison\Desktop\RunAlyzer.lnk
[2010/05/17 20:38:11 | 000,001,013 | ---- | C] () -- C:\Users\Allison\Desktop\RegAlyzer.lnk
[2010/05/17 20:38:07 | 000,001,007 | ---- | C] () -- C:\Users\Allison\Desktop\FileAlyzer.lnk
[2010/05/17 19:34:22 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/05/17 19:34:22 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/05/17 19:34:22 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/05/17 19:34:22 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/05/17 19:34:22 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/05/17 19:31:31 | 003,690,041 | R--- | C] () -- C:\Users\Allison\Desktop\ComboFix.exe
[2010/05/17 19:07:31 | 001,494,626 | ---- | C] () -- C:\Users\Allison\Documents\gays.pptx
[2010/05/17 18:34:03 | 002,318,266 | ---- | C] () -- C:\Users\Allison\Documents\ya.pptx
[2010/05/17 03:25:37 | 000,000,749 | ---- | C] () -- C:\Users\Allison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr shortcut.lnk
[2010/05/14 14:39:59 | 000,002,855 | ---- | C] () -- C:\Users\Allison\AppData\Local\syssvc.PIF
[2010/05/14 07:00:55 | 000,000,120 | ---- | C] () -- C:\Windows\wininit.ini
[2010/05/14 05:54:18 | 000,000,270 | ---- | C] () -- C:\Windows\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
[2010/05/14 05:53:54 | 000,000,334 | ---- | C] () -- C:\Windows\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2010/05/14 03:19:55 | 000,001,985 | ---- | C] () -- C:\Users\Allison\Desktop\Windows Live Messenger .lnk
[2010/05/14 03:19:31 | 000,000,873 | ---- | C] () -- C:\Users\Allison\Desktop\World of Warcraft.lnk
[2010/05/14 03:18:44 | 000,000,770 | ---- | C] () -- C:\Users\Allison\Desktop\Ventrilo.lnk
[2010/05/14 02:12:17 | 000,000,913 | ---- | C] () -- C:\Users\Allison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/05/12 04:17:00 | 000,002,855 | ---- | C] () -- C:\Users\Allison\AppData\Local\asam.PIF
[2010/05/12 03:37:40 | 096,423,952 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/05/01 12:27:06 | 001,103,051 | ---- | C] () -- C:\Users\Allison\Documents\agiienst.pptx
[2010/04/27 17:55:30 | 000,002,560 | ---- | C] () -- C:\Windows\_MSRSTRT.EXE
[2009/12/15 14:09:06 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/11/29 15:29:39 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/11/28 23:31:38 | 000,010,240 | ---- | C] () -- C:\Windows\System32\vidx16.dll
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 01:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 11:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:100E92DA
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:BAC2F271
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:77D98D08
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:B093E177
< End of report >



OTL Extras logfile created on: 18/05/2010 16:05:54 - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Allison\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 49.00% Memory free
10.00 Gb Paging File | 9.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): c:\pagefile.sys 8500 9500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 81.25 Gb Free Space | 54.51% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ALLISON-PC
Current User Name: Allison
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" File not found
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MI1933~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{146DF0C9-9195-4080-B547-2E6AA8944FB8}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{1A8BFD1E-A244-48F5-B9ED-0F03CA874242}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{1C853454-42AF-4CD0-B70E-BDD702E4D306}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{1D13D37C-38E0-46AB-8335-CC6269D800C1}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{2297220E-25C1-488D-B3FA-6D5001D60CF0}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{33D47F18-CD0C-4E0E-9766-B3C9A941EC5B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{35826F6A-2A84-463D-9143-508E87F2FDC1}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{50E8D92E-59DD-4B85-A7B3-8D82F877DBEB}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{53FF91EE-5AAA-4D27-838B-251EDD7C86C9}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{5EF17781-625F-49D7-B586-8E6FDBAF3C8C}" = lport=3390 | protocol=6 | dir=in | app=system |
"{75FC8DC4-4022-4C54-8EAD-6A7901CEC8E7}" = lport=10244 | protocol=6 | dir=in | app=system |
"{780421CB-8AED-49D0-AB41-F1D8D7C98DFF}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{904AD1F1-61D4-46C9-A9CF-E864512F50DD}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{95A01F69-9DF4-4078-B81B-DE7666D57DEF}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{A08B8472-8B75-434A-814D-9F90FF5EC858}" = lport=2869 | protocol=6 | dir=in | app=system |
"{B5903B8C-B32B-48BC-A0C1-7135E11F8490}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{B763336F-8DE6-429C-823B-A55B92601471}" = lport=2869 | protocol=6 | dir=in | app=system |
"{C063D61C-EF35-4374-AEE6-DC716031D7B2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{C1237C9A-F2EE-4557-9299-F8BDFF86CF7A}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{C50062E6-ECEF-4EBA-91CC-5457EC7C7AE6}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{DCA63967-113A-4FE8-AF9C-1627F6B1A61E}" = rport=10244 | protocol=6 | dir=out | app=system |
"{E4FAE537-A357-4BE2-ABE6-8FC1D80ED620}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{E65C1B2C-ADDB-43E1-9F3B-B2534DDAFE7E}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{F27CD737-C849-4834-AB6E-FFCD1806A70F}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01B07D78-6FC4-4CA2-8D54-EBDE5B7EB3AF}" = protocol=17 | dir=in | app=c:\program files\windows media player\wmplayer.exe |
"{0CD5D398-BDD0-4DA7-B88D-89BEDDF58BBC}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-engb-downloader.exe |
"{1E3124E9-BF86-48DE-A4FD-F5B98339BB29}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.2.0-engb-downloader.exe |
"{23B52355-EFE6-437C-AA95-5E66485DF905}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{25C72C16-3B46-4F4F-87C2-4AEE4820551E}" = protocol=6 | dir=out | svc=upnphost | app=c:\windows\system32\svchost.exe |
"{266CE7DC-EFB5-442C-97D8-81BC71742E44}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{2E255E53-AD59-4842-8094-6CF051109C0D}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.2.0-engb-downloader.exe |
"{366C4C89-DDEB-49D5-B980-3B76CFFBB075}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\bob came in pieces demo\bob.exe |
"{3820859A-5838-4844-B029-544ED9774EA5}" = protocol=17 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{54CEBCB6-494D-40BF-95F3-B21A99D3EDE2}" = protocol=6 | dir=in | app=c:\users\allison\appdata\local\asam.exe |
"{68C6BEF2-6D94-4664-8ADF-47E7A7438552}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.2.2.10482-to-3.2.2.10505-engb-downloader.exe |
"{8CB4B2CC-4B92-491C-A506-D7FFCF80D33E}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"{9090ABFA-3C76-496A-8A57-05C3C4CB2D6B}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{9D842554-D7E3-44B8-B262-D85027432B59}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-engb-downloader.exe |
"{A61E9F06-A83B-42EE-97B7-7B6EC41B2F6F}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\left 4 dead\left4dead.exe |
"{A6674C22-CFEF-4A75-AE86-133F72A921A0}" = protocol=17 | dir=in | app=c:\users\allison\appdata\local\asam.exe |
"{A68FF2C4-2478-4DA1-A0D8-8AC2B23D1C91}" = protocol=6 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{A702CAFE-5CFB-4FC3-B1F2-941134CF7AC0}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{AC7197F9-F09B-4A71-909B-54590725602E}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-engb-downloader.exe |
"{B1788882-8F31-46B3-B7BF-ABA110F82BCE}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\left 4 dead\left4dead.exe |
"{BEDD029B-1CE3-432E-9211-5ECD75E1B1EB}" = protocol=17 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{C36710D6-6573-422F-A578-90536103D1E5}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.2.2.10482-to-3.2.2.10505-engb-downloader.exe |
"{C53569BA-260C-4352-A684-A1DF5D8E01C7}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-engb-downloader.exe |
"{C779A813-C0D0-4A34-9257-6492C61EE749}" = protocol=6 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{D1F66F6D-A747-44F2-9294-C4A686BB989B}" = protocol=6 | dir=out | app=system |
"{F63F77F9-9B00-4FBB-962D-B6745C6F968D}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{F88B1B92-A78C-4440-851C-C448C803F9FD}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\bob came in pieces demo\bob.exe |
"{FA85EC5E-8777-4CEE-A787-6B600892F01A}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"TCP Query User{03C2F780-F7C7-4883-A8B9-FD6EB746F93D}C:\program files\bearshare applications\bearshare\bearshare.exe" = protocol=6 | dir=in | app=c:\program files\bearshare applications\bearshare\bearshare.exe |
"TCP Query User{230D753B-817A-4036-92A4-1C0F7B04758E}C:\users\public\downloads\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\downloads\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe |
"TCP Query User{2AEF198B-0D85-48B4-9484-8D084D55C8C5}C:\program files\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-engb-downloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-engb-downloader.exe |
"TCP Query User{35B494A4-2F45-468A-B000-C401081B2A0B}C:\program files\world of warcraft\repair.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\repair.exe |
"TCP Query User{5455D629-8CC6-4B18-B63A-8D6BBA7820A7}C:\users\public\documents\blizzard entertainment\world of warcraft trial\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft trial\launcher.exe |
"TCP Query User{586784A3-3F76-4F42-AA2E-1F05C846CDE4}C:\program files\microsoft office\office12\groove.exe" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"TCP Query User{6346D800-AE53-494C-ACF6-F6BA0D635E4B}C:\users\public\downloads\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\downloads\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe |
"TCP Query User{82FFB057-B3E6-48E2-8959-EE667630E298}C:\users\public\downloads\world of warcraft trial\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\downloads\world of warcraft trial\launcher.exe |
"TCP Query User{96EB13C5-BCA5-4D83-BC1E-AF4461AC4B30}C:\program files\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-engb-downloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-engb-downloader.exe |
"TCP Query User{A03806D4-621B-4533-A80E-B4FDBE883F5C}C:\program files\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\launcher.exe |
"TCP Query User{A88B80C7-E1A1-481D-B997-F50F9F2F6D2F}C:\program files\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-engb-downloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-engb-downloader.exe |
"TCP Query User{B4F2B4A8-07D9-4990-A325-20D0BDC8954A}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{D5D83ED5-AC1E-442A-914D-20DBA5B070D8}C:\program files\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\java.exe |
"TCP Query User{D6962141-4D4B-4D2C-8554-E94F0A669B20}C:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe |
"TCP Query User{E4A677E7-5004-4873-9BF4-49F2D270E7BC}C:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe |
"TCP Query User{F1324CE4-5A44-4223-8851-DAD798A37CD1}C:\program files\world of warcraft\backgrounddownloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\backgrounddownloader.exe |
"TCP Query User{F930905B-C9B7-4C9C-A46C-3F36B946C005}C:\program files\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-engb-downloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-engb-downloader.exe |
"UDP Query User{02457AA1-01E1-438C-9833-C1A7CE5E5177}C:\program files\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-engb-downloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-engb-downloader.exe |
"UDP Query User{05C5871C-4762-4132-A674-B568DEC0B690}C:\program files\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\launcher.exe |
"UDP Query User{0DA8A480-EB48-4B2D-9B0A-9D7E39807624}C:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe |
"UDP Query User{1793EB3B-82D1-4CE6-BA36-15553D050AD0}C:\program files\world of warcraft\backgrounddownloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\backgrounddownloader.exe |
"UDP Query User{46D96741-A3C7-4F58-93F5-5159C9423D34}C:\program files\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-engb-downloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-engb-downloader.exe |
"UDP Query User{476C461F-DB90-4091-8387-850EA8623FD2}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{5C233055-3D88-4580-A160-36F8FA840C69}C:\program files\world of warcraft\repair.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\repair.exe |
"UDP Query User{5CE160E7-6EAE-4EE2-ACA4-9B3A9580AEAA}C:\program files\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-engb-downloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-engb-downloader.exe |
"UDP Query User{76F8E300-0FE5-4C55-87EE-E4B016B05478}C:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe |
"UDP Query User{8AB9079E-4FE3-44E7-89DD-8FE16E9EC5C7}C:\program files\bearshare applications\bearshare\bearshare.exe" = protocol=17 | dir=in | app=c:\program files\bearshare applications\bearshare\bearshare.exe |
"UDP Query User{8D805498-2BC3-4123-9793-97D27B3BD7A1}C:\users\public\downloads\world of warcraft trial\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\downloads\world of warcraft trial\launcher.exe |
"UDP Query User{B3A7CF72-94D9-40C6-A17A-A1CFE0DDBC97}C:\program files\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\java.exe |
"UDP Query User{B80FDDEE-48C0-40A9-B779-78CAF352942E}C:\users\public\documents\blizzard entertainment\world of warcraft trial\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft trial\launcher.exe |
"UDP Query User{D8905423-8060-4F9E-81C1-A2C5C7C85321}C:\users\public\downloads\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\downloads\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe |
"UDP Query User{DA551212-5BA3-4CD7-9452-2A1E4C07C809}C:\program files\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-engb-downloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-engb-downloader.exe |
"UDP Query User{E6BC2DCB-1641-4F6C-B6ED-39F9D2C9EBAC}C:\users\public\downloads\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\downloads\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe |
"UDP Query User{E96B2CAE-EF3E-479C-850A-0E9E1AC111D4}C:\program files\microsoft office\office12\groove.exe" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{08E264F0-E675-8E6D-0042-8741FD41E654}" = ATI Catalyst Install Manager
"{093C982A-E1CB-6D32-5FAD-DCE8EA8F86FA}" = ccc-core-static
"{15AE34F8-75D2-3820-825B-C9369549540C}" = CCC Help Japanese
"{1C13AA79-3D17-3A4C-21E7-E28AE817F5CA}" = Catalyst Control Center Graphics Full Existing
"{1FB6ACCC-93CA-7E6F-FD4C-414BD705BD0D}" = CCC Help Greek
"{1FF713E1-FE5E-4AD0-9C8C-B2E877846B45}" = Catalyst Control Center - Branding
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17
"{2716545E-47C8-6D1C-5182-A882BE07D2B4}" = CCC Help Russian
"{296B2D8E-CE82-92AF-B2E8-A646E7CB78A2}_is1" = RegAlyzer
"{29D3773E-54F4-23C2-D523-236A4453B844}_is1" = FileAlyzer
"{2A2B2DC2-BF12-D4C3-386D-5FBF8805B129}" = CCC Help Thai
"{2D4D2CB9-77D4-92B7-B6CA-1594FA4FBE31}" = CCC Help Swedish
"{2D61AC21-C1AA-1AE9-0B1C-B9B4AEDCBDA1}" = CCC Help Danish
"{35639F85-BC62-499A-5E3A-48E3F770131A}" = Catalyst Control Center Graphics Previews Vista
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
"{41C55712-EC7E-DCD4-4E4E-52BA481B4FFC}" = Catalyst Control Center HydraVision Full
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{470E48DD-CC64-848E-FE2A-321741ED3D63}" = Catalyst Control Center Localization All
"{53AE0DC7-C66C-06C7-4C02-2D7ED00B6376}" = CCC Help French
"{5815C3A7-F712-8112-DB89-720AF9270808}" = CCC Help Spanish
"{5E8B2EC6-9B3B-D4D3-2DD0-1F0F6F07E193}" = Catalyst Control Center Graphics Light
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6CCD966D-096B-92CE-BDC3-C0324818CA3B}" = ccc-utility
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7AF6E3E3-F22C-E45A-4506-2EFCE136B7A1}" = CCC Help Czech
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E4F58E4-2F7F-E8E3-47B0-54966E9F6A2B}" = CCC Help Polish
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{92A188E7-5658-0DD8-97FB-CD1B53A3642A}" = Skins
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{958163CC-B654-BE07-152A-00F1275C0C8C}" = Catalyst Control Center Graphics Full New
"{97A0D4C6-0C5E-1DA0-F44D-FC849DF7BE7B}" = CCC Help Chinese Standard
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9E3A95C9-F46B-A65C-A9FC-0E91C8FEC472}" = Catalyst Control Center Core Implementation
"{9FA264A1-65E0-1D70-1AE7-0D58D57DC2CF}" = CCC Help German
"{9FC4BEF6-C475-95F0-B9A2-9FC378B0104B}" = CCC Help Italian
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{A5181519-9F3D-4372-ABC6-C333C2F3A816}_is1" = RunAlyzer
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AC9BAC65-97AC-4F3F-23A0-706169424F59}" = Catalyst Control Center InstallProxy
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BE32AA46-9A6B-6879-F12A-AD1D7A01EBB8}" = CCC Help Finnish
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{C88A014F-9E12-CE28-BF50-961B9236A9AC}" = Catalyst Control Center Graphics Previews Common
"{C99EB033-C7F4-28DB-49CB-5BCEA12CE903}" = CCC Help Turkish
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF4FA95B-209B-DA12-F43D-3B825CC1A440}" = CCC Help Korean
"{D1FE5F0C-B041-8BFC-01B4-43F3583B5C64}" = CCC Help Norwegian
"{E590FD1C-E8C6-4D2E-8CA9-77B403F7EE01}" = Microsoft Antimalware
"{E7044E25-3038-4A76-9064-344AC038043E}" = Windows Mobile Device Center Driver Update
"{EBECDE89-4375-8303-F18F-001FE3FD1761}" = CCC Help Hungarian
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F39FA8E1-0200-0ABB-26A8-6B5022EED38B}" = CCC Help Dutch
"{F5EEFCDD-79A7-0C50-9281-8AAEC00F97EB}" = CCC Help Chinese Traditional
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F754BE19-D1F4-335F-A388-FE23EFD6A543}" = CCC Help Portuguese
"{F96780B8-C287-73B6-4020-297DE0837385}" = CCC Help English
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"BearShare" = BearShare
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DivX Setup.divx.com" = DivX Setup
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ERUNT_is1" = ERUNT 1.1j
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"SP6" = Logitech SetPoint 6.0
"Steam App 46010" = Bob Came In Pieces Demo
"Steam App 500" = Left 4 Dead
"WinLiveSuite_Wave3" = Windows Live Essentials
"World of Warcraft" = World of Warcraft

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"090215de958f1060" = Curse Client

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >
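
The "Vista Active Application Exception List" in the OTL log above contains two inbound allow rules (TCP and UDP) for c:\users\allison\appdata\local\asam.exe, a program sitting in a per-user profile directory rather than under Program Files. Firewall exceptions for executables in user-writable paths are one of the first things a responder pulls out of a log like this, because an unprivileged dropper can write there without a UAC prompt and still get a listening port opened. The script below is an added example, not part of the original thread or of OTL: it parses the rule lines in OTL's `"{GUID}" = key=value | key=value |` format and flags inbound rules by where the program lives. The sample input is a constructed subset of the log lines shown above; the `appdata`/`profile` severity buckets are this example's own convention.

```python
"""Triage Windows Firewall exception rules from an OTL log.

Added example: flags inbound allow rules whose program lives in a user
profile path (AppData, Temp, or anywhere under C:\\Users), because those
are the locations an unprivileged dropper can write to without UAC.
"""
import re
from typing import Dict, List

# Constructed sample: a subset of the "Vista Active Application Exception
# List" lines from the OTL log above, copied verbatim.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01B07D78-6FC4-4CA2-8D54-EBDE5B7EB3AF}" = protocol=17 | dir=in | app=c:\program files\windows media player\wmplayer.exe |
"{54CEBCB6-494D-40BF-95F3-B21A99D3EDE2}" = protocol=6 | dir=in | app=c:\users\allison\appdata\local\asam.exe |
"{A6674C22-CFEF-4A75-AE86-133F72A921A0}" = protocol=17 | dir=in | app=c:\users\allison\appdata\local\asam.exe |
"{23B52355-EFE6-437C-AA95-5E66485DF905}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"TCP Query User{82FFB057-B3E6-48E2-8959-EE667630E298}C:\users\public\downloads\world of warcraft trial\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\downloads\world of warcraft trial\launcher.exe |
'''

# One OTL rule line: a quoted rule name, '=', then 'key=value | key=value | ...'
RULE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<body>.*)$')
PROTOCOLS = {"6": "tcp", "17": "udp"}


def parse_firewall_rules(text: str) -> List[Dict[str, str]]:
    """Turn OTL FirewallRules lines into dicts: name plus lowercase key/values."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # registry key header or blank line
        rule = {"name": m.group("name")}
        for field in m.group("body").split("|"):
            if "=" in field:
                key, value = field.split("=", 1)
                rule[key.strip().lower()] = value.strip().lower()
        rules.append(rule)
    return rules


def classify_app_path(app: str) -> str:
    """'appdata' for per-user writable dirs, 'profile' for the rest of C:\\Users, '' otherwise."""
    app = app.lower()
    if "\\appdata\\" in app or "\\temp\\" in app:
        return "appdata"
    if app.startswith("c:\\users\\"):
        return "profile"
    return ""


def flag_inbound_user_path_rules(rules: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Inbound rules (dir=in) whose program sits in a user-writable location."""
    flagged = []
    for rule in rules:
        if rule.get("dir") != "in":
            continue  # outbound rules do not expose a listener
        level = classify_app_path(rule.get("app", ""))
        if level:
            flagged.append({
                "name": rule["name"],
                "app": rule["app"],
                "proto": PROTOCOLS.get(rule.get("protocol", ""), "any"),
                "level": level,
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_inbound_user_path_rules(parse_firewall_rules(SAMPLE_LOG)):
        print(f"[{hit['level']:7}] {hit['proto']:3} in  {hit['app']}")
```

Run against the sample, the two asam.exe rules come out as `appdata` hits and the World of Warcraft trial launcher under C:\Users\Public as a lower-priority `profile` hit; wmplayer.exe under Program Files and the outbound svchost.exe rule are not reported. A rule being flagged says only that the program is in a location worth checking; the next step is to hash the file and look at its signature and creation time, not to assume it is malicious.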

peku006
2010-05-18, 18:47
Hi Allison

I do not see anything "suspicious", only this:
"Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!"
and it is not due to malware.

1 - Clean temp files


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

2 - ESET online scanner

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

3 - Status Check
Please reply with

1. the ESET online scanner report

Thanks peku006

lilcrooky
2010-05-18, 22:16
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

peku006
2010-05-19, 08:47
Hi Allison

That log is not complete. Please post a complete log.

Thanks peku006

lilcrooky
2010-05-19, 10:48
After nearly 2 hours, that's the log it produced... bear with me, I'll have to run it again I guess...

peku006
2010-05-19, 11:22
Hi Allison

Let's try Kaspersky...

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply

Thanks peku006

lilcrooky
2010-05-19, 13:00
Frustrating. I did the scan again, another hour and a half (plus), and got the same log result. I'm sorry if I'm doing something wrong; I've done OK following instructions and posting logs for the prior requests. I'm baffled. I'll try the other one you just suggested instead.

lilcrooky
2010-05-19, 16:27
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, May 19, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, May 19, 2010 06:08:25
Records in database: 4131285
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 125453
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:35:36

No threats found. Scanned area is clean.

Selected area has been scanned.

peku006
2010-05-19, 16:38
Hi Allison

At this stage your machine looks to be clean of malware, so the problems you are experiencing are not likely to be malware-related.

Have you tried System File Checker?

How to use the System File Checker tool to troubleshoot missing or corrupted system files (http://support.microsoft.com/?scid=kb%3Ben-us%3B929833&x=14&y=10)

Thanks peku006
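
An added example, not part of this thread and not Microsoft's own script, showing how to run the System File Checker and pull its results out of the log so that files it could not repair are easy to spot. It assumes an elevated (Run as administrator) PowerShell window on Windows Vista or later; the extraction of the `[SR]` lines from CBS.log is the same step the linked Microsoft article describes with findstr, and the output file name `sfcdetails.txt` on the Desktop is the article's choice as well.

```powershell
# Added example (not from the thread): run System File Checker and
# summarise what it could and could not repair, using the CBS.log
# extraction described in Microsoft KB 929833.
# Assumes an elevated PowerShell prompt on Windows Vista or later.

$cbsLog  = Join-Path $env:windir 'Logs\CBS\CBS.log'
$details = Join-Path ([Environment]::GetFolderPath('Desktop')) 'sfcdetails.txt'

# Refuse to continue unless we are elevated; SFC will not scan otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Run this from an elevated (Run as administrator) PowerShell window.'
    exit 1
}

# 1. Run the scan. This can take a long time; SFC writes its findings to CBS.log.
& "$env:windir\System32\sfc.exe" /scannow

# 2. Keep only the System File Checker lines (tagged [SR]) from CBS.log,
#    which is what the KB article's findstr command does.
Select-String -Path $cbsLog -SimpleMatch -Pattern '[SR]' |
    ForEach-Object { $_.Line } |
    Set-Content -Path $details

# 3. Report files SFC found corrupt but could not repair; these are the
#    ones that would need manual replacement from a known-good copy.
$unrepaired = Get-Content $details | Where-Object { $_ -match 'Cannot repair member file' }
if ($unrepaired) {
    Write-Output "SFC could not repair the following files (see $details):"
    $unrepaired | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "SFC reported no unrepaired files. Full detail saved to $details"
}
```

The filtered `sfcdetails.txt` is what to attach when asking for help: the full CBS.log also records unrelated servicing activity, and on a machine where SFC has run more than once the `[SR]` entries are grouped by date and time, so the most recent block is the one that matters.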

lilcrooky
2010-05-19, 20:55
I've got a funny feeling that when I downloaded, installed, updated and set the settings for Search & Destroy (before I got help/a response here, but just after my first DDS (DDS#1 in the first post/top of the page)) the S&D kicked it (probably scheduled scans happening/done when I was unaware) and possibly cleaned up the malware(s)/virus. So I'm going to post the S&D logs, a fresh DDS (DDS#2) log (accompanied by a fresh Attach.txt (zipped), attach.txt#2), and the SFC.exe log. (I couldn't work out the last part on the linked info page about replacing the missing files; it was a tad too complex for me to work out from looking at the SFC.exe log and trying to copy the example on the linked page of replacing these files, as the file names and paths were so different I couldn't apply it to my logged missing files and get it right at all.) So I hope all this new stuff helps to work out if the malware/virus has gone, when comparing DDS#1 (included with the very first post here/top of the page) to the new DDS#2 (done just now) along with the S&D logs and the SFC.exe logs. Damn, I need a rest, that was almost like... work... *gasp* lol

peku006
2010-05-20, 08:40
Hi Allison

All your logs are "clean"; your problem is not due to malware.
I think the best and fastest solution for you is to post on a PC troubleshooting forum like the Browsers, Internet & email forum (http://forums.whatthetech.com/Browsers_Internet_and_email_f123.html) at WhatTheTech (http://forums.whatthetech.com/forums.html). They specialize in handling problems like this so you are certain to get expert assistance and a speedy resolution is very likely.

I'm sorry that I could not be of more help to you, and I wish you the best of luck with solving your computer problems. If you have any questions or require any other assistance please let me know.

Thanks peku006

lilcrooky
2010-05-20, 12:03
I'd like to really thank you for your time, effort, patience and help with dealing with these matters. I'm still baffled as to why the CPU runs at 100% all the time (especially when Internet Explorer is opened) and why I cannot get to the Windows Update screen without the Control Panel crashing when I try, but the trojans/virus/malware do all now appear to be gone, and my PC and I are happy we are cleaned of them.

Thanks once more for your assistance.

Allison.

peku006
2010-05-22, 09:52
As this issue appears to be resolved, this topic is now closed.

We are pleased to have been some help in getting you clean.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read:
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)