Malware problem



derarne
2010-06-27, 14:56
Hi!

I have a problem with malware/spyware..

It is logging somewhere and taking over my gmail and my wow account.
I tried to do a virus scan and different scans with programs like your Spybot, but I cannot find anything other than some cookies that I removed.

I read in another forum that it was a good idea to do a log with hijack.
So I am posting it here.

I would appreciate if someone could help me in any way.

/Best regards

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:31:05, on 2010-06-27
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Net iD\iid.exe
C:\Program Files (x86)\Voddler\service\VNetManager.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [HDAudDeck] "C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" -r
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Net iD] "C:\Program Files (x86)\Net iD\iid.exe"
O4 - HKLM\..\Run: [VoddlerNet Manager] "C:\Program Files (x86)\Voddler\service\VNetManager.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ANT Agent] C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VoddlerNet - Voddler - C:\Program Files (x86)\Voddler\service\voddler.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8789 bytes

Dakeyras
2010-06-28, 15:47
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

Hi derarne and welcome to Safer Networking. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your Malware issues; this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Vista Advice:

All applications I ask to be used will require to be run in Administrator mode. IE: Right-click on the application and select Run as Administrator.

The Operating System (Vista, aka Windows 6) in use comes with an inbuilt utility called User Access Control (UAC). When prompted by this during anything I ask you to carry out, please select the option Allow.

64bit Operating System Advice:

Your log shows signs that this is a 64 bit machine. Most of the tools we use don't run on 64 bit machines, so the help I can offer is limited I'm afraid.

HijackThis is not really ideal for a 64 bit system like yours in my humble opinion and the scan results can not be relied upon. I'm going to need you to run a different scan for me in due course.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Question:

May I enquire what exactly you are using the software Net iD for?

Next:

Please download OTL (http://oldtimer.geekstogo.com/OTL.exe) and save it to your Desktop.

Right-click on OTL.exe and select Run as Administrator to start OTL.
Ensure Include 64bit Scans is selected.
Under Output, ensure that Minimal Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Click on Run Scan at the top left hand corner.
When done, two Notepad files will open.
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
Please post the contents of these 2 Notepad files in your next reply.
When completed the above, please post back the following in the order asked for:
How is your computer performing now, any further symptoms and/or problems encountered?
Answer to my Net iD query.
Both OTL logs. <-- Post them individually please, IE: one Log per post/reply.
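
As an added illustration of the 64-bit caveat raised above (example code, not part of the thread or of HijackThis/OTL): a 32-bit scanner on 64-bit Windows has its accesses to `%SystemRoot%\System32` redirected to `SysWOW64`, and its `%ProgramFiles%` expands to `Program Files (x86)` (as the OTL header in this thread shows), so native-only binaries are reported as "(file missing)". The helper below parses O23 lines from the posted log and separates those expected redirection artefacts from entries that still warrant a follow-up scan; the rule names and the assumption that the scanner was a 32-bit process are the example's own.

```python
"""Triage HijackThis 'O23 - Service' lines reported as '(file missing)'.

Assumption (not stated by the tool): the log was produced by a 32-bit
scanner running on 64-bit Windows, so two kinds of false "missing" are
expected and are labelled rather than treated as suspicious.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# O23 - Service: <display name> - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# WOW64 redirects a 32-bit process's view of System32 to SysWOW64.
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
# A 32-bit process expands %ProgramFiles% to "Program Files (x86)".
PF_X86_RE = re.compile(r"^[a-z]:\\program files \(x86\)\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    name: str
    owner: str
    path: str
    missing: bool
    verdict: str  # present | wow64-redirect | programfiles-x86 | missing-unexplained


def classify(line: str, scanner_is_32bit_on_x64: bool = True) -> Optional[ServiceEntry]:
    """Return a classified entry for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    missing = m.group("missing") is not None
    if not missing:
        verdict = "present"
    elif scanner_is_32bit_on_x64 and SYSTEM32_RE.match(path):
        # Native-only System32 binaries (alg.exe, lsass.exe, ...) are
        # invisible to a redirected 32-bit process: expected artefact.
        verdict = "wow64-redirect"
    elif scanner_is_32bit_on_x64 and PF_X86_RE.match(path):
        # The 64-bit copy likely lives under "Program Files"; the scanner
        # only looked in the (x86) directory.
        verdict = "programfiles-x86"
    else:
        # No redirection explains this one: confirm with a 64-bit-aware scan.
        verdict = "missing-unexplained"
    return ServiceEntry(m.group("name"), m.group("owner"), path, missing, verdict)


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count verdicts over a whole log; non-O23 lines are ignored."""
    entries: List[ServiceEntry] = [e for e in map(classify, lines) if e is not None]
    return dict(Counter(e.verdict for e in entries))


# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r"O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)",
    r"O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe",
    r"O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
    r"O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)",
    r"O23 - Service: VoddlerNet - Voddler - C:\Program Files (x86)\Voddler\service\voddler.exe",
    r"O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        entry = classify(raw)
        if entry is not None:
            print(f"{entry.verdict:20} {entry.path}")
    print(summarize(SAMPLE_LOG))
```

Only the `missing-unexplained` bucket needs attention; the other "missing" entries are what Dakeyras means when saying the HijackThis results cannot be relied upon on a 64-bit system.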

derarne
2010-06-28, 21:45
First of all thank you for trying to help me..!

Answer 1:

My computer is quite ok.. the problem is that I can't find and get rid of the malware/keylogger thing that someone uses to hack me. The only thing I have been finding is some cookies to take away..

The 2 things that have been taken over both times are my gmail account and my wow account, and that has happened 3 times.. I have gotten both back through some reset of passwords and phone calls, but I have been hacked again.

I have been afraid to use those applications since I wrote this mail so I can't say if they are safe or not now.. but my guess is not, since I have not found anything bad.

Answer 2:

Net iD is an application in Sweden to verify that you are you when performing tasks towards the government or doing some kind of bank business.

Answer 3:

I have run the application you said, here are the logs:

OTL logfile created on: 2010-06-28 20:32:11 - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Users\DerArne\Desktop
64bit-Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 0000041d | Country: Sverige | Language: SVE | Date Format: yyyy-MM-dd

4,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 61,00% Memory free
8,00 Gb Paging File | 7,00 Gb Available in Paging File | 79,00% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 146,48 Gb Total Space | 88,10 Gb Free Space | 60,14% Space Free | Partition Type: NTFS
Drive D: | 785,03 Gb Total Space | 673,85 Gb Free Space | 85,84% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DERARNE-PC
Current User Name: DerArne
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\DerArne\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe (GARMIN Corp.)
PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)
PRC - C:\Program Files (x86)\Voddler\service\voddler.exe (Voddler)
PRC - C:\Program Files (x86)\Voddler\service\VNetManager.exe ()
PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files (x86)\Net iD\iid.exe (SecMaker AB)
PRC - C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe (Safer Networking Limited)
PRC - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe ()


========== Modules (SafeList) ==========

MOD - C:\Users\DerArne\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\SysWOW64\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV:64bit: - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)
SRV:64bit: - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)
SRV:64bit: - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (UmRdpService) -- C:\Windows\SysNative\umrdp.dll (Microsoft Corporation)
SRV:64bit: - (CscService) -- C:\Windows\SysNative\cscsvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (VoddlerNet) -- C:\Program Files (x86)\Voddler\service\voddler.exe (Voddler)
SRV - (SBSDWSCService) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (MSDTC) -- C:\Windows\SysWOW64\Msdtc [2006-11-02 15:34:14 | 000,000,000 | ---D | M]
SRV - (vds) -- C:\Windows\SysWOW64\wbem\vds.mof ()
SRV - (VSS) -- C:\Windows\SysWOW64\wbem\vss.mof ()


========== Driver Services (SafeList) ==========

DRV:64bit: - (aswTdi) -- C:\Windows\SysNative\drivers\aswTdi.sys (ALWIL Software)
DRV:64bit: - (aswSP) -- C:\Windows\SysNative\drivers\aswSP.sys (ALWIL Software)
DRV:64bit: - (aswRdr) -- C:\Windows\SysNative\drivers\aswRdr.sys (ALWIL Software)
DRV:64bit: - (aswMonFlt) -- C:\Windows\SysNative\drivers\aswMonFlt.sys (ALWIL Software)
DRV:64bit: - (aswFsBlk) -- C:\Windows\SysNative\drivers\aswFsBlk.sys (ALWIL Software)
DRV:64bit: - (RTL8169) -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys (Realtek )
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\DRIVERS\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\DRIVERS\atipmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\DRIVERS\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (RTL8187B) -- C:\Windows\SysNative\DRIVERS\wg111v3.sys (NETGEAR Inc. )
DRV:64bit: - (AtiHdmiService) -- C:\Windows\SysNative\drivers\AtiHdmi.sys (ATI Technologies, Inc.)
DRV:64bit: - (VIAHdAudAddService) -- C:\Windows\SysNative\drivers\viahduaa.sys (VIA Technologies, Inc.)
DRV:64bit: - (pavboot) -- C:\Windows\SysNative\drivers\pavboot64.sys (Panda Security, S.L.)
DRV:64bit: - (CSC) -- C:\Windows\SysNative\drivers\csc.sys (Microsoft Corporation)
DRV:64bit: - (DSI_SiUSBXp_3_1) -- C:\Windows\SysNative\drivers\DSI_SiUSBXp_3_1.sys (Silicon Laboratories)
DRV:64bit: - (RtlProt) -- C:\Windows\SysNative\DRIVERS\rtlprot.sys (Windows (R) Codename Longhorn DDK provider)
DRV:64bit: - (MTsensor) -- C:\Windows\SysNative\DRIVERS\ASACPI.sys ()
DRV - (CSC) -- C:\Windows\CSC [2010-01-23 04:57:50 | 000,000,000 | ---D | M]
DRV - (Tcpip) -- C:\Windows\SysWOW64\wbem\tcpip.mof ()
DRV - (mpsdrv) -- C:\Windows\SysWOW64\wbem\mpsdrv.mof ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
IE - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://se.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = sv
IE - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 89 56 DD C1 AC 9B CA 01 [binary data]
IE - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2006-09-18 23:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
O4 - HKLM..\Run: [Net iD] C:\Program Files (x86)\Net iD\iid.exe (SecMaker AB)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [VoddlerNet Manager] C:\Program Files (x86)\Voddler\service\VNetManager.exe ()
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-778161406-3291420809-1624410804-1000..\Run: [ANT Agent] C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe (GARMIN Corp.)
O4 - HKU\S-1-5-21-778161406-3291420809-1624410804-1000..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-778161406-3291420809-1624410804-1000..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
O4 - Startup: C:\Users\DerArne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\..Trusted Domains: garmin.com ([buy] https in Trusted sites)
O15 - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\..Trusted Domains: garmin.com ([connect] https in Trusted sites)
O15 - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\..Trusted Domains: garmin.com ([mygarmin] https in Trusted sites)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img18.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img18.jpg
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010-06-28 20:31:03 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Users\DerArne\Desktop\OTL.exe
[2010-06-27 12:42:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2010-06-27 12:24:44 | 000,033,800 | ---- | C] (Panda Security, S.L.) -- C:\Windows\SysNative\drivers\pavboot64.sys
[2010-06-27 12:24:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Panda Security
[2010-06-27 12:22:04 | 000,000,000 | ---D | C] -- C:\Windows\BDOSCAN8
[2010-06-27 11:55:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\CCleaner
[2010-06-27 11:18:47 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010-06-27 11:18:43 | 001,071,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSCOMCTL.OCX
[2010-06-27 11:18:43 | 000,118,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSSTDFMT.DLL
[2010-06-27 11:18:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SpywareBlaster
[2010-06-26 20:05:13 | 000,000,000 | ---D | C] -- C:\Users\DerArne\AppData\Roaming\Malwarebytes
[2010-06-26 20:05:07 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010-06-26 20:05:06 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010-06-26 20:05:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010-06-26 20:05:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010-06-26 19:42:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010-06-26 19:42:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2010-06-23 19:34:37 | 001,942,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dfshim.dll
[2010-06-23 19:34:37 | 001,130,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dfshim.dll
[2010-06-23 19:34:37 | 000,320,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\PresentationHost.exe
[2010-06-23 19:34:37 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\PresentationHost.exe
[2010-06-23 19:34:37 | 000,109,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\PresentationHostProxy.dll
[2010-06-23 19:34:37 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\PresentationHostProxy.dll
[2010-06-23 19:34:37 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\netfxperf.dll
[2010-06-23 19:34:37 | 000,048,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netfxperf.dll
[2010-06-18 15:04:05 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\DRVSTORE
[2010-06-18 15:04:03 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\Windows\SysNative\drivers\SBREDrv.sys
[2010-06-18 15:01:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010-06-13 18:50:27 | 000,366,080 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll
[2010-06-13 18:50:26 | 000,289,792 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll
[2010-06-13 18:50:26 | 000,048,128 | ---- | C] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll
[2010-06-13 18:50:26 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll
[2010-06-13 18:50:21 | 002,334,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iertutil.dll
[2010-06-13 18:50:20 | 000,706,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2010-06-13 18:50:20 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeeds.dll
[2010-06-13 18:50:20 | 000,243,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\occache.dll
[2010-06-13 18:50:20 | 000,206,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\occache.dll
[2010-06-13 18:50:19 | 001,538,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2010-06-13 18:50:19 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2010-06-13 18:50:19 | 000,252,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll
[2010-06-13 18:50:19 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll
[2010-06-13 18:50:19 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2010-06-13 18:50:19 | 000,162,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2010-06-13 18:50:19 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2010-06-13 18:50:19 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll
[2010-06-13 18:50:19 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll
[2010-06-13 18:50:19 | 000,070,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2010-06-13 18:50:16 | 000,219,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2010-06-13 18:50:16 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ie4uinit.exe
[2010-06-13 18:50:16 | 000,077,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2010-06-13 18:50:16 | 000,072,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2010-06-13 18:50:16 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2010-06-13 18:50:16 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2010-06-13 18:50:16 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe
[2010-06-13 18:50:16 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedssync.exe
[2010-06-01 15:00:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Levande Böcker
[2010-06-01 15:00:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Knowledge Adventure
[2010-06-01 15:00:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Knowledge Adventure

========== Files - Modified Within 30 Days ==========

[2010-06-28 20:31:23 | 002,359,296 | -HS- | M] () -- C:\Users\DerArne\NTUSER.DAT
[2010-06-28 20:31:18 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\DerArne\Desktop\OTL.exe
[2010-06-28 20:28:00 | 000,000,952 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010-06-28 20:22:16 | 000,704,434 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010-06-28 20:22:16 | 000,595,748 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010-06-28 20:22:16 | 000,105,078 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010-06-28 20:16:11 | 000,000,948 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010-06-28 20:16:09 | 000,003,760 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010-06-28 20:16:08 | 000,003,760 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010-06-28 20:16:08 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010-06-28 20:16:03 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010-06-27 22:46:22 | 000,524,288 | -HS- | M] () -- C:\Users\DerArne\NTUSER.DAT{a7bdf3ed-6a85-11db-b5ae-f1534be43d84}.TMContainer00000000000000000001.regtrans-ms
[2010-06-27 22:46:22 | 000,065,536 | -HS- | M] () -- C:\Users\DerArne\NTUSER.DAT{a7bdf3ed-6a85-11db-b5ae-f1534be43d84}.TM.blf
[2010-06-27 18:19:16 | 002,400,192 | -H-- | M] () -- C:\Users\DerArne\AppData\Local\IconCache.db
[2010-06-27 12:42:01 | 000,001,964 | ---- | M] () -- C:\Users\DerArne\Desktop\HiJackThis.lnk
[2010-06-27 11:15:18 | 000,000,394 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010-06-26 20:38:20 | 000,000,418 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2010-06-26 18:51:48 | 000,000,650 | ---- | M] () -- C:\Users\Public\Desktop\World of Warcraft.lnk
[2010-06-18 15:04:03 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\Windows\SysNative\drivers\SBREDrv.sys
[2010-06-15 19:21:19 | 000,006,144 | ---- | M] () -- C:\Users\DerArne\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-06-13 18:56:05 | 000,252,640 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010-06-13 18:48:00 | 000,000,680 | ---- | M] () -- C:\Users\DerArne\AppData\Local\d3d9caps.dat
[2010-06-01 17:10:39 | 000,054,560 | ---- | M] () -- C:\Users\DerArne\AppData\Local\GDIPFONTCACHEV1.DAT
[2010-06-01 15:01:16 | 000,001,925 | ---- | M] () -- C:\Users\Public\Desktop\Lek och Lär Andra klass.lnk
[2010-06-01 15:01:16 | 000,000,088 | ---- | M] () -- C:\Windows\ka.ini

========== Files Created - No Company Name ==========

[2010-06-27 12:42:01 | 000,001,964 | ---- | C] () -- C:\Users\DerArne\Desktop\HiJackThis.lnk
[2010-06-26 20:40:10 | 000,000,394 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010-06-26 20:38:20 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010-06-01 15:01:16 | 000,001,925 | ---- | C] () -- C:\Users\Public\Desktop\Lek och Lär Andra klass.lnk
[2010-06-01 15:01:16 | 000,000,088 | ---- | C] () -- C:\Windows\ka.ini
[2010-05-29 21:47:28 | 000,012,810 | ---- | C] () -- C:\Users\DerArne\AppData\Local\dd_vcredistUI4BA3.txt
[2010-05-29 21:16:43 | 000,000,680 | ---- | C] () -- C:\Users\DerArne\AppData\Local\d3d9caps.dat
[2010-05-26 23:08:28 | 000,712,798 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010-03-03 02:00:00 | 004,555,278 | ---- | C] () -- C:\Windows\SysWow64\libavcodec.dll
[2010-03-03 02:00:00 | 001,449,935 | ---- | C] () -- C:\Windows\SysWow64\ffmpegmt.dll
[2010-03-03 02:00:00 | 000,882,688 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2010-03-03 02:00:00 | 000,877,385 | ---- | C] () -- C:\Windows\SysWow64\ff_x264.dll
[2010-03-03 02:00:00 | 000,556,491 | ---- | C] () -- C:\Windows\SysWow64\libmplayer.dll
[2010-03-03 02:00:00 | 000,336,384 | ---- | C] () -- C:\Windows\SysWow64\ff_libfaad2.dll
[2010-03-03 02:00:00 | 000,324,096 | ---- | C] () -- C:\Windows\SysWow64\TomsMoComp_ff.dll
[2010-03-03 02:00:00 | 000,248,320 | ---- | C] () -- C:\Windows\SysWow64\ff_kernelDeint.dll
[2010-03-03 02:00:00 | 000,216,576 | ---- | C] () -- C:\Windows\SysWow64\ff_libdts.dll
[2010-03-03 02:00:00 | 000,169,984 | ---- | C] () -- C:\Windows\SysWow64\ff_samplerate.dll
[2010-03-03 02:00:00 | 000,151,552 | ---- | C] () -- C:\Windows\SysWow64\ff_libmad.dll
[2010-03-03 02:00:00 | 000,145,408 | ---- | C] () -- C:\Windows\SysWow64\libmpeg2_ff.dll
[2010-03-03 02:00:00 | 000,121,856 | ---- | C] () -- C:\Windows\SysWow64\ff_liba52.dll
[2010-03-03 02:00:00 | 000,116,736 | ---- | C] () -- C:\Windows\SysWow64\ff_tremor.dll
[2010-03-03 02:00:00 | 000,100,864 | ---- | C] () -- C:\Windows\SysWow64\ff_wmv9.dll
[2010-03-03 02:00:00 | 000,097,792 | ---- | C] () -- C:\Windows\SysWow64\ff_unrar.dll
[2010-03-03 02:00:00 | 000,085,504 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2010-01-24 16:03:58 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2010-01-24 16:03:16 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2010-01-22 23:57:13 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini
[2010-01-22 23:57:11 | 000,033,790 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2009-11-14 20:37:08 | 000,154,112 | ---- | C] () -- C:\Windows\SysWow64\ts.dll
[2009-11-14 20:33:38 | 000,249,856 | ---- | C] () -- C:\Windows\SysWow64\dxr.dll
[2009-11-14 20:11:50 | 000,093,184 | ---- | C] () -- C:\Windows\SysWow64\avss.dll
[2009-11-14 20:11:42 | 000,150,016 | ---- | C] () -- C:\Windows\SysWow64\mkx.dll
[2009-11-14 20:11:42 | 000,141,824 | ---- | C] () -- C:\Windows\SysWow64\mp4.dll
[2009-11-14 20:11:40 | 000,123,392 | ---- | C] () -- C:\Windows\SysWow64\ogm.dll
[2009-11-14 20:11:40 | 000,109,568 | ---- | C] () -- C:\Windows\SysWow64\avi.dll
[2009-11-14 20:11:38 | 000,097,792 | ---- | C] () -- C:\Windows\SysWow64\avs.dll
[2009-11-14 20:11:32 | 000,080,384 | ---- | C] () -- C:\Windows\SysWow64\mkzlib.dll
[2009-11-14 20:11:32 | 000,024,576 | ---- | C] () -- C:\Windows\SysWow64\mkunicode.dll
[2009-06-07 18:24:04 | 000,180,224 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2009-04-02 14:30:14 | 000,010,296 | ---- | C] () -- C:\Windows\SysWow64\drivers\ASUSHWIO.SYS
[2009-01-11 00:15:44 | 000,159,744 | ---- | C] () -- C:\Windows\SysWow64\mmfinfo.dll
[2009-01-05 15:44:10 | 000,000,453 | ---- | C] () -- C:\Windows\bdoscandellang.ini
[2008-11-06 18:37:32 | 003,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll
[2008-01-21 04:49:10 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2007-10-13 11:30:20 | 000,000,137 | ---- | C] () -- C:\Windows\SysWow64\Registration.ini
< End of report >

and the second one..

OTL Extras logfile created on: 2010-06-28 20:32:11 - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Users\DerArne\Desktop
64bit-Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 0000041d | Country: Sverige | Language: SVE | Date Format: yyyy-MM-dd

4,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 61,00% Memory free
8,00 Gb Paging File | 7,00 Gb Available in Paging File | 79,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 146,48 Gb Total Space | 88,10 Gb Free Space | 60,14% Space Free | Partition Type: NTFS
Drive D: | 785,03 Gb Total Space | 673,85 Gb Free Space | 85,84% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DERARNE-PC
Current User Name: DerArne
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" File not found
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = C2 FE 8D 6A DC 5B C8 01 [binary data]
"VistaSp2" = 73 0C 5D D5 FF 9C CA 01 [binary data]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{238F1663-7964-4C06-9D0C-760422677883}" = lport=138 | protocol=17 | dir=in | app=system |
"{2C36D5D4-5616-47A0-A3E6-932B231316D7}" = lport=445 | protocol=6 | dir=in | app=system |
"{34EE62BC-EB4D-4E99-BC2E-A115206B6CE3}" = lport=3724 | protocol=6 | dir=in | name=blizzard downloader: 3724 |
"{388D6331-BED3-4F59-8198-2455B5E987A5}" = lport=58193 | protocol=17 | dir=in | name=pando media booster |
"{3DF360D7-EE97-43BE-9DF7-03334257B41E}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{6BBDC5B6-1708-49AD-88D7-A725F08D41A4}" = lport=139 | protocol=6 | dir=in | app=system |
"{71E60347-7F56-4DEB-B1D2-F5A2B48AC6CA}" = rport=139 | protocol=6 | dir=out | app=system |
"{79473D43-9C09-4F41-AD67-DAE0F2163FE6}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{91431AD2-E4E9-42FB-909B-D09630087537}" = lport=58193 | protocol=6 | dir=in | name=pando media booster |
"{9E7EE4BF-A47F-485B-A265-44E8D08529B4}" = rport=445 | protocol=6 | dir=out | app=system |
"{B639D690-8D60-4D4D-86B4-FD1DCBAD2B2D}" = rport=137 | protocol=17 | dir=out | app=system |
"{C2214CC1-764A-4858-915E-1397FC3B84CC}" = lport=58193 | protocol=17 | dir=in | name=pando media booster |
"{DE5C0DE6-53B7-48F9-98BB-B6633CDA7EBC}" = rport=138 | protocol=17 | dir=out | app=system |
"{E123C95E-E0DD-4C08-98C2-29FF7A830AF6}" = lport=137 | protocol=17 | dir=in | app=system |
"{FB5B0CFB-0D4D-4E48-8486-34DC4EF29A19}" = lport=58193 | protocol=6 | dir=in | name=pando media booster |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{21DBB8A2-C3E2-4CCD-88E0-C73EEBB18EA2}" = protocol=6 | dir=in | app=d:\spel\world of warcraft\wow-3.2.0-engb-downloader.exe |
"{4C5A84EF-464A-42E3-8614-C24E20DC6949}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{553250DE-53B4-4E9A-9069-9408A9AC3851}" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{59826B0E-89F0-46DE-8103-C56530E14413}" = dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{60FB9370-CB02-425E-8B2A-656F750D74F7}" = protocol=17 | dir=in | app=d:\spel\world of warcraft\backgrounddownloader.exe |
"{66167AC5-EF1A-4C15-B5A0-4E5D063292A2}" = protocol=17 | dir=in | app=c:\program files (x86)\voddler\service\voddler.exe |
"{75418AA0-FA5C-42E7-BE8D-C98992181CEA}" = protocol=17 | dir=in | app=d:\filer\spotify\spotify.exe |
"{7960A10A-FF41-4D89-86EB-39D518E23C31}" = protocol=6 | dir=in | app=c:\program files (x86)\voddler\service\voddler.exe |
"{7B01E08E-7A2A-4F34-BE00-0BB5810CF910}" = protocol=17 | dir=in | app=d:\spel\world of warcraft\wow-3.2.0-engb-downloader.exe |
"{8F0F15DB-18DD-493F-8657-BDE1EAE86103}" = protocol=6 | dir=in | app=d:\filer\spotify\spotify.exe |
"{90D064CB-0069-4932-B849-978B1E8602F0}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{C0BFA6F0-18A0-4031-B044-982D7106DFFD}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{CE1453D7-6AAD-4DCF-A6C7-22BEDBD6DAFB}" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{D0BF7251-CF74-45C1-9B94-7EB955FE7BEC}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{D9D49F30-3000-4E00-B8C2-029804F3C3E8}" = protocol=6 | dir=in | app=d:\spel\world of warcraft\backgrounddownloader.exe |
"{DFBFCA43-794A-4C0E-9B1C-49D6E177FAAB}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{E476BFE1-6A80-4416-AD04-75EC2E0B54C0}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{E94186ED-28D1-4EBF-A956-7356978CAAF7}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{FE6C4B15-10D2-45AD-9E28-5EDF738B52C9}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"TCP Query User{188F1644-C08C-44C4-BF4C-63E5C6A2D901}D:\spel\darkfall\lobby.exe" = protocol=6 | dir=in | app=d:\spel\darkfall\lobby.exe |
"TCP Query User{5E070BD5-C262-4635-98F1-8DB985968E2D}D:\spel\runes of magic\client.exe" = protocol=6 | dir=in | app=d:\spel\runes of magic\client.exe |
"TCP Query User{724C992D-1091-4314-B787-C4F4F33EF840}D:\spel\ddo\ddo\dndclient.exe" = protocol=6 | dir=in | app=d:\spel\ddo\ddo\dndclient.exe |
"TCP Query User{91BF5616-7C0F-4A52-8766-9477977ED25A}D:\spel\darkfall\lobby.exe" = protocol=6 | dir=in | app=d:\spel\darkfall\lobby.exe |
"TCP Query User{95DCBB26-20D3-47DB-8540-59DEFB3B2DDF}D:\spel\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=d:\spel\world of warcraft\launcher.exe |
"TCP Query User{9B6F477A-B3AF-4BB0-9ACF-97A8DEC0F83D}D:\spel\runes of magic\client.exe" = protocol=6 | dir=in | app=d:\spel\runes of magic\client.exe |
"UDP Query User{3EF518D9-83A5-4DE5-A02C-B65C5C739556}D:\spel\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=d:\spel\world of warcraft\launcher.exe |
"UDP Query User{5BCE86D9-5A78-4E56-AE56-42CAB881B5BF}D:\spel\darkfall\lobby.exe" = protocol=17 | dir=in | app=d:\spel\darkfall\lobby.exe |
"UDP Query User{9A91774A-EDCE-4266-9199-7A4623668983}D:\spel\runes of magic\client.exe" = protocol=17 | dir=in | app=d:\spel\runes of magic\client.exe |
"UDP Query User{B02EED74-F3E5-454B-B786-60F1DABBD6D1}D:\spel\ddo\ddo\dndclient.exe" = protocol=17 | dir=in | app=d:\spel\ddo\ddo\dndclient.exe |
"UDP Query User{C5834C97-F178-40FF-AE69-4B701A182F9F}D:\spel\darkfall\lobby.exe" = protocol=17 | dir=in | app=d:\spel\darkfall\lobby.exe |
"UDP Query User{EB98CD2E-D4BB-47CD-847E-93C85B56A608}D:\spel\runes of magic\client.exe" = protocol=17 | dir=in | app=d:\spel\runes of magic\client.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{5F94D3B9-2B02-9C37-740B-A59C7B8D17CC}" = ATI Catalyst Install Manager
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{8DA5428C-3D35-317C-2FBA-485AAC49E9C0}" = ccc-utility64
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"24DA573F901348FFDFF7717497830D45BE0C362E" = Windows Driver Package - Dynastream Innovations (libusb0) LibUsbDevices (07/07/2009 1.12.2)
"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"WinRAR archiver" = WinRAR

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A5DAE9E-DD2A-40D1-9AEB-06F31133A9DE}" = OpenOffice.org 3.2
"{0BDE949A-3CF5-3852-B4F7-92EAE4F25F73}" = CCC Help English
"{18C15B50-19A3-4F25-8916-D7453B5D75F0}" = Darkfall
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{26A24AE4-039D-4CA4-87B4-2F83216018F0}" = Java(TM) 6 Update 18
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{45350494-82B7-3E53-85B7-79A1AD9AE080}" = Catalyst Control Center Graphics Light
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{510D2239-6C2E-457B-9590-485EC552D94D}" = Garmin USB Drivers
"{525E7F71-67C1-806E-69D0-892CC3CE2F8E}" = Catalyst Control Center Graphics Full Existing
"{537306C2-CDAC-F606-5D46-D5727F58FAD3}" = Catalyst Control Center Graphics Previews Vista
"{5396FBD8-8BD7-47F9-92AE-F62F13D5A11D}" = NETGEAR WG111v3 wireless USB 2.0 adapter
"{63AD9C5C-A4E4-43A2-BBB7-B16B4E20AE27}" = Garmin Training Center
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8136 8168 8169 Ethernet Driver
"{88DDBE5E-8AC0-F463-AC50-E56FAA2E3CEB}" = Catalyst Control Center Graphics Previews Common
"{897B3B21-8691-26F5-97E8-A9955C20BB20}" = Catalyst Control Center HydraVision Full
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ACC73AA-6511-7C55-B1A9-8E5D1DEAFAA3}" = The Lord of the Rings FREE Trial
"{8D7133DE-27D2-47E5-B248-4180278D32AA}" = Catalyst Control Center - Branding
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A2F166A0-F031-4E27-A057-C69733219434}_is1" = Runes of Magic
"{A842C34B-2083-6947-BC0E-5654BDBADCDA}" = Catalyst Control Center Graphics Full New
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1053-7B44-A93000000001}" = Adobe Reader 9.3.2 - Svenska
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C2CE8D52-BD18-4D4B-A3B0-4FDFD7CCC34F}" = Garmin ANT Agent
"{C3847366-B0A5-7444-8E71-F49ED092F486}" = VoddlerPlayer
"{CB166F48-6219-2DFD-8800-191BE6F5923A}" = ccc-core-static
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{E0B71631-6AA8-C596-A485-8480E92DD745}" = Catalyst Control Center Core Implementation
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"15b35190-c6f9-11d9-9669-0800200c9a66_is1" = Dungeons & Dragons Online ®: Eberron Unlimited ™ v01.11.00.812
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Apselut spunk" = Apselut spunk
"avast5" = avast! Free Antivirus
"Big City Adventure - Vancouver Deluxe" = Big City Adventure - Vancouver Deluxe
"Cake Mania Main Street Deluxe" = Cake Mania Main Street Deluxe
"CCleaner" = CCleaner
"Hotel Dash - Suite Success Deluxe" = Hotel Dash - Suite Success Deluxe
"iid" = Net iD 5.3 (32-bit Edition)
"ImgBurn" = ImgBurn
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Plattform för enhetshanterare
"InstallShield_{5396FBD8-8BD7-47F9-92AE-F62F13D5A11D}" = NETGEAR WG111v3 wireless USB 2.0 adapter
"Lek och Lär Andra klass" = Lek och Lär Andra klass
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Media Player - Codec Pack" = Media Player Codec Pack 3.9.5
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mumble" = Mumble and Murmur
"Spotify" = Spotify
"SpywareBlaster_is1" = SpywareBlaster 4.3
"uTorrent" = µTorrent
"Voddler" = VoddlerNet
"VoddlerPlayer.22AA32E1C519F8FB77514A36DC6C2AE2C623240F.1" = VoddlerPlayer
"World of Warcraft" = World of Warcraft

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2010-05-24 13:52:57 | Computer Name = DerArne-PC | Source = Application Error | ID = 1000
Description = Faulting application Apselut spunk.exe, version 10.1.0.11, time stamp
0x413ffc3a, faulting module Apselut spunk.exe, version 10.1.0.11, time stamp 0x413ffc3a,
exception code 0xc0000005, fault offset 0x00003d70, process id 0xd8, application
start time 0x01cafb69f1240540.

Error - 2010-05-24 13:54:21 | Computer Name = DerArne-PC | Source = Application Error | ID = 1000
Description = Faulting application Apselut spunk.exe, version 10.1.0.11, time stamp
0x413ffc3a, faulting module Apselut spunk.exe, version 10.1.0.11, time stamp 0x413ffc3a,
exception code 0xc0000005, fault offset 0x00003737, process id 0x13f0, application
start time 0x01cafb6a23318ee0.

Error - 2010-05-24 14:04:34 | Computer Name = DerArne-PC | Source = Application Error | ID = 1000
Description = Faulting application Apselut spunk.exe, version 10.1.0.11, time stamp
0x413ffc3a, faulting module Apselut spunk.exe, version 10.1.0.11, time stamp 0x413ffc3a,
exception code 0xc0000005, fault offset 0x00003737, process id 0xc1c, application
start time 0x01cafb6b908d3470.

Error - 2010-05-24 14:04:48 | Computer Name = DerArne-PC | Source = Application Error | ID = 1000
Description = Faulting application Apselut spunk.exe, version 10.1.0.11, time stamp
0x413ffc3a, faulting module Apselut spunk.exe, version 10.1.0.11, time stamp 0x413ffc3a,
exception code 0xc0000005, fault offset 0x00003737, process id 0x1014, application
start time 0x01cafb6b98c573f0.

Error - 2010-05-29 08:09:58 | Computer Name = DerArne-PC | Source = Application Error | ID = 1000
Description = Faulting application googleearth.exe, version 5.1.3535.3218, time
stamp 0x4bc68e0b, faulting module googleearth.exe, version 5.1.3535.3218, time stamp
0x4bc68e0b, exception code 0xc0000005, fault offset 0x00004041, process id 0x494,
application start time 0x01caff275a558d20.

Error - 2010-06-01 11:12:54 | Computer Name = DerArne-PC | Source = Application Error | ID = 1000
Description = Faulting application googleearth.exe, version 5.1.3535.3218, time
stamp 0x4bc68e0b, faulting module googleearth.exe, version 5.1.3535.3218, time stamp
0x4bc68e0b, exception code 0xc0000005, fault offset 0x00004041, process id 0x390,
application start time 0x01cb019cb275f17f.

Error - 2010-06-16 03:19:19 | Computer Name = DerArne-PC | Source = Application Error | ID = 1000
Description = Faulting application javaw.exe, version 6.0.200.2, time stamp 0x4bc398b3,
faulting module java.dll, version 6.0.200.2, time stamp 0x4bc3c8dc, exception code
0xc0000005, fault offset 0x00005875, process id 0xacc, application start time 0x01cb0d243c7c41c9.

Error - 2010-06-17 12:43:42 | Computer Name = DerArne-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 8.0.6001.18928 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 738 Start Time: 01cb0e372c2aea0e Termination Time: 0

Error - 2010-06-18 09:01:43 | Computer Name = DerArne-PC | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 2010-06-19 13:58:09 | Computer Name = DerArne-PC | Source = Application Error | ID = 1000
Description = Faulting application javaw.exe, version 6.0.200.2, time stamp 0x4bc398b3,
faulting module java.dll, version 6.0.200.2, time stamp 0x4bc3c8dc, exception code
0xc0000005, fault offset 0x00005875, process id 0x12ec, application start time 0x01cb0fd8f9d29840.

[ Media Center Events ]
Error - 2010-04-21 12:05:34 | Computer Name = DerArne-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError
returned 0D Process: DefaultDomain Object Name: Media Center Guide

[ System Events ]
Error - 2010-04-04 09:43:57 | Computer Name = DerArne-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 15:41:58 on 2010-04-04 was unexpected.

Error - 2010-04-07 15:49:15 | Computer Name = DerArne-PC | Source = DCOM | ID = 10010
Description =

Error - 2010-04-08 12:49:49 | Computer Name = DerArne-PC | Source = DCOM | ID = 10005
Description =

Error - 2010-04-08 12:49:49 | Computer Name = DerArne-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 2010-04-08 12:49:49 | Computer Name = DerArne-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 2010-04-12 13:30:16 | Computer Name = DerArne-PC | Source = DCOM | ID = 10010
Description =

Error - 2010-04-16 13:21:09 | Computer Name = DerArne-PC | Source = DCOM | ID = 10005
Description =

Error - 2010-04-16 13:21:09 | Computer Name = DerArne-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 2010-04-16 13:21:09 | Computer Name = DerArne-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 2010-04-16 13:59:03 | Computer Name = DerArne-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 19:57:00 on 2010-04-16 was unexpected.


< End of report >

Ok think that was it.. thanks again for trying to help.. I will do my best to follow your instructions though I am not that good at stuff like this.

/DerArne
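OTL writes each file entry in the "Files Created" and "Files - Modified" sections above on a single line in a fixed layout: timestamp, size, attribute flags, C (created) or M (modified), the company name OTL could read from the file's version info, and the path. As an added example that is not OTL's own code and not part of this thread, here is a small Python parser for those lines together with a triage pass that orders entries the way a helper reads such a log: newly created kernel drivers first, then executables in the Windows directory that carry no company name. The sample lines are copied from the log above; the attribute letters, the Windows-root check, the executable extensions and the triage rules are my assumptions, and a flag only means "look at this first" (the codec-pack DLLs in the log show how many benign files also lack a company name).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One OTL file entry, as it appears in the log above (assumed layout):
# [YYYY-MM-DD HH:MM:SS | size,with,commas | attrs | C or M] (Company) -- path
# "(Company)" is "()" when OTL found no company name and is absent
# entirely for directory entries.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

# Assumed: extensions treated as executable code, and the system root prefix.
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")
SYSTEM_ROOT = "c:\\windows\\"

# Sample input, copied verbatim from the OTL log in this thread.
SAMPLE_LOG = r"""
========== Files Created - No Company Name ==========

[2010-06-13 18:50:16 | 000,219,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2010-06-18 15:04:03 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\Windows\SysNative\drivers\SBREDrv.sys
[2010-06-01 15:00:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Levande Böcker
[2010-06-28 20:31:23 | 002,359,296 | -HS- | M] () -- C:\Users\DerArne\NTUSER.DAT
[2009-11-14 20:37:08 | 000,154,112 | ---- | C] () -- C:\Windows\SysWow64\ts.dll
< End of report >
"""


@dataclass
class OtlEntry:
    timestamp: str
    size: int
    attrs: str               # four flag positions, e.g. "-HS-": R, H, S, D
    kind: str                # "C" = created, "M" = modified
    company: Optional[str]   # None for directories, "" when no company name
    path: str

    @property
    def is_directory(self) -> bool:
        return "D" in self.attrs

    @property
    def is_executable(self) -> bool:
        return self.path.lower().endswith(EXECUTABLE_EXT)

    @property
    def in_system_dir(self) -> bool:
        return self.path.lower().startswith(SYSTEM_ROOT)


def parse_otl_entries(text: str) -> List[OtlEntry]:
    """Parse every file entry line; headers, blanks and the trailer are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append(OtlEntry(
            timestamp=m["ts"],
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            kind=m["kind"],
            company=m["company"],
            path=m["path"],
        ))
    return entries


def triage(entries: List[OtlEntry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries worth reading first."""
    findings = []
    for e in entries:
        if e.is_directory:
            continue
        reasons = []
        if "\\drivers\\" in e.path.lower() and e.kind == "C":
            reasons.append("newly created kernel driver")
        if e.is_executable and e.in_system_dir and not e.company:
            reasons.append("executable in Windows dir with no company name")
        if e.is_executable and "H" in e.attrs and "S" in e.attrs:
            reasons.append("executable with hidden+system attributes")
        if reasons:
            findings.append((e.path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_otl_entries(SAMPLE_LOG)):
        print(f"{reason:55} {path}")
```

Run against the sample, the driver SBREDrv.sys (the same file the helper later lists in the OTL fix script) and the company-less ts.dll in SysWow64 are reported; the Microsoft DLL, the directory and the hidden-plus-system NTUSER.DAT hive are not.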

Dakeyras
2010-06-29, 00:22
Hi. :)


First of all thank you for trying to help me..!
You're most welcome and thanks for the update/answering my question!

P2P Advice:

I would like for you to read this forum topic please:-

File Sharing, otherwise known as Peer To Peer. (P2P) (http://forums.spybot.info/showthread.php?t=282)

My only condition before I continue assisting you is that you please uninstall uTorrent. If you have used this, you can be fairly confident this is a principal reason your computer is infected.

It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Limewire, Vuze.
Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Some of the recent infections can turn your machine into a doorstop.
It's also very important to avoid any "cracks" or "Keygens" that allow unauthorized use of programs. Besides being illegal, these files also are loaded with "planted" malware.

So please let myself know if you are willing to uninstall uTorrent or not, thank you.

derarne
2010-06-29, 20:17
Hi again!

No problem..

I have not used it that much.

It is uninstalled.

Dakeyras
2010-06-30, 00:55
Hi. :)


No problem..

I have not used it that much.

It is uninstalled.
A prudent course of action I assure you, and I do suggest you never use such again.


I will do my best to follow your instructions though I am not that good at stuff like this.
Fine, and any problems whatsoever merely inform myself as I mentioned in my first post. :bigthumb:

I notice you are a gamer and fair play. I am not myself but I am aware of the say friendly rivalry that may ensue between such and that you sometimes swap tips and files pertaining to a game. Someone you may think trustworthy may not be above planting a hidden executable in what you may think is something useful and thus that way gain access to your relevant Email and Gaming accounts.

I will be asking you to uninstall Spybot - Search & Destroy shortly because the registry Guard feature is active and this will actually hinder the malware removal process. Also it will be in conflict with the active Windows Defender and lessen overall online protection. By all means re-install Spybot once I give the all clear, but do keep it as an on-demand scanner only, or if you prefer to use its real time protection features I will advise how to disable Windows Defender correctly.

Windows Defender is a dire application in my humble opinion and far from effective; unfortunately it cannot be uninstalled as it is an integral part of the Vista Operating System.

Also some of the online scans you have used are not really ideal for a 64-bit operating system regardless of the fact they state they are.

Next:

Now please go to Start >> Control Panel >> Programs and Features and remove the following (if present):

Java(TM) 6 Update 18
HiJackThis
Spybot - Search & Destroy

To do so click once on each of the above and click on Uninstall/Change and follow the prompts.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.


Please go here (http://www.aumha.org/downloads/erunt-setup.exe) and download ERUNT.
ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
Right-click on erunt-setup.exe and select Run as Administrator to Install ERUNT by following the prompts.
Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder.
Start ERUNT either by right clicking on the desktop icon and selecting Run as Administrator or choosing to start the program at the end of the setup process.
Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
Make sure that at least the first two check boxes are selected.
Click on OK
Then click on YES to create the folder.
Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Custom OTL Script:

Right-click OTL.exe and select Run as Administrator to start the program.
Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:OTL
O15 - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\..Trusted Domains: garmin.com ( https in Trusted sites)
O15 - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\..Trusted Domains: garmin.com ([connect] https in Trusted sites)
O15 - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\..Trusted Domains: garmin.com ([mygarmin] https in Trusted
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/reso...an8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/actives.../as2stubie.cab (ActiveScan 2.0
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/...nAxControl.CAB (Reg Error: Key error.)
[2010-06-18 15:04:03 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\Windows\SysNative\drivers\SBREDrv.sys
[2010-06-18 15:01:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft

:Files
c:\program files (x86)\utorrent

:Commands
[Purity]
[ResetHosts]
[EmptyTemp]
[Reboot]
Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
Then click the red Run Fix button.
Let the program run unhindered.
If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Note: The logfile can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Malwarebytes Anti-Malware:

Note: Remember to right click MBAM and select Run As Administrator.

Launch the application, Check for Updates >> Perform a Quick Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When completed the above, please post back the following:

Inform myself how your computer is running. Any problems encountered?
OTL Log.
Malwarebytes Anti-Malware Log.
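
An added example for readers of this thread (not code from OTL or from the helper) showing what the [ResetHosts] step in the script above is about: malware commonly adds HOSTS entries that block security vendors' sites or redirect logins, and a clean Windows HOSTS file maps only the two localhost lines. The script parses HOSTS-file text and flags anything beyond those defaults. The sample file contents and the watched-domain list are constructed for illustration; the domains in the list are ones that appear elsewhere in this thread.

```python
"""Audit a Windows HOSTS file for entries a default system never carries.

Added example for this thread, not code from OTL or from the forum helper.
OTL's [ResetHosts] directive rewrites the HOSTS file back to the default
mappings; this check encodes that default and reports everything else.
Sample contents and the watched-domain list are constructed.
"""
import ipaddress
import sys

# What a clean Windows HOSTS file maps: loopback names only.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed list: domains whose presence in HOSTS is suspicious because
# malware uses such entries to block updates/scanners or redirect logins.
WATCHED_SUFFIXES = ("microsoft.com", "malwarebytes.org", "eset.com",
                    "pandasoftware.com", "bitdefender.com", "google.se")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in HOSTS-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower(), line_no


def is_watched(name):
    """True when name equals or is a subdomain of a watched domain."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return [(line_no, description)] for every non-default entry; [] means clean."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, f"unparseable address {ip!r} for {name}"))
            continue
        # Loopback or 0.0.0.0 means the name is sinkholed (site unreachable).
        sinkholed = addr.is_loopback or addr.is_unspecified
        if is_watched(name):
            verb = "sinkholed (site blocked)" if sinkholed else "redirected"
            findings.append((line_no, f"{name} {verb} to {ip}"))
        elif sinkholed:
            findings.append((line_no, f"non-default block entry: {name} -> {ip}"))
        else:
            findings.append((line_no, f"non-default mapping: {name} -> {ip}"))
    return findings


# Constructed samples: the default file, and one with hijack-style additions.
CLEAN_HOSTS = (
    "# Copyright (c) 1993-2006 Microsoft Corp.\n"
    "127.0.0.1 localhost\n"
    "::1 localhost\n"
)
HIJACKED_HOSTS = CLEAN_HOSTS + (
    "127.0.0.1 www.malwarebytes.org\n"     # scanner vendor blocked
    "0.0.0.0 update.microsoft.com\n"       # updates blocked
    "203.0.113.5 www.google.se\n"          # redirected (TEST-NET address)
    "192.168.1.10 printer.lan\n"           # benign-looking, still non-default
)

if __name__ == "__main__":
    # Pass a real path (on 64-bit Windows: C:\Windows\System32\drivers\etc\hosts)
    # to audit it; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = HIJACKED_HOSTS
    for line_no, msg in audit_hosts(text) or [(0, "no non-default entries")]:
        print(f"line {line_no}: {msg}")
```

Any finding is worth a look, but an entry for a scanner or update site pointing at loopback is the classic sign that the file was tampered with, and a reset is the right fix.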

derarne
2010-06-30, 19:56
Hi again...

I think I was able to follow all your instructions.

The computer is running ok but I still have not dared to log in to my mail account or my game, I am afraid I have to reset all again.

I have mostly been playing games with real-life friends and I don't think anyone would attack my computer.. but you can never be sure.

I uninstalled the 3 things you told me to.
I backed up the registry.

Here are the 2 logs:

OTL:

All processes killed
========== OTL ==========
Registry key HKEY_USERS\S-1-5-21-778161406-3291420809-1624410804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\garmin.com\buy\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-778161406-3291420809-1624410804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\garmin.com\connect\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-778161406-3291420809-1624410804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\garmin.com\mygarmin\ deleted successfully.
Starting removal of ActiveX control {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}
C:\Windows\Downloaded Program Files\oscan8.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}\ not found.
Starting removal of ActiveX control {9191F686-7F0A-441D-8A98-2FE3AC1BD913}
C:\Windows\Downloaded Program Files\as2stubie.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9191F686-7F0A-441D-8A98-2FE3AC1BD913}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9191F686-7F0A-441D-8A98-2FE3AC1BD913}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9191F686-7F0A-441D-8A98-2FE3AC1BD913}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9191F686-7F0A-441D-8A98-2FE3AC1BD913}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Starting removal of ActiveX control Garmin Communicator Plug-In
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Garmin Communicator Plug-In\ not found.
C:\Windows\SysNative\drivers\SBREDrv.sys moved successfully.
C:\ProgramData\Lavasoft\License folder moved successfully.
C:\ProgramData\Lavasoft folder moved successfully.
========== FILES ==========
File\Folder c:\program files (x86)\utorrent not found.
========== COMMANDS ==========
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: DerArne
->Temp folder emptied: 840958 bytes
->Temporary Internet Files folder emptied: 59940348 bytes
->Java cache emptied: 9278133 bytes
->Flash cache emptied: 43422 bytes

User: Gabriel
->Temp folder emptied: 2126756 bytes
->Temporary Internet Files folder emptied: 46695102 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 13425 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3242 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 114,00 mb


OTL by OldTimer - Version 3.2.7.0 log created on 06302010_183918

Files\Folders moved on Reboot...
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.
C:\Users\DerArne\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\DerArne\AppData\Local\Temp\~DFB738.tmp not found!
File\Folder C:\Users\DerArne\AppData\Local\Temp\~DFB742.tmp not found!
File\Folder C:\Users\DerArne\AppData\Local\Temp\~DFB7BD.tmp not found!
File\Folder C:\Users\DerArne\AppData\Local\Temp\~DFB7C7.tmp not found!
File\Folder C:\Users\DerArne\AppData\Local\Temp\~DFB956.tmp not found!
File\Folder C:\Users\DerArne\AppData\Local\Temp\~DFB9BF.tmp not found!
C:\Users\DerArne\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5QJOUNAJ\showthread[1].htm moved successfully.
C:\Users\DerArne\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Users\DerArne\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...


Malwarebytes:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4261

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

2010-06-30 18:47:45
mbam-log-2010-06-30 (18-47-45).txt

Scan type: Quick scan
Objects scanned: 129675
Time elapsed: 2 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Think that was it this time..

Thanks again for trying to help..

/DerArne

Dakeyras
2010-07-01, 00:39
Hi. :)


I am afraid I have to reset all again.
Actually it would be prudent once I give the all clear to change both the secret questions (plus answers) and the associated passwords. Also, if a Router is in use, it would be advisable to reset that and apply an admin password.

How to create a secure password:

When creating a new password use a series of both random upper/lower case letters and include some random alpha numerics also.

An example would be: THi85S13IsA7Eg4u2tWMg4r <---Do not use this one DerArne, merely an invented example for yourself. ;)

This is a good test for the strength of any passwords created: Password Checker (http://www.microsoft.com/protect/yourself/password/checker.mspx)

Note: Remember do not reset anything until I give the all clear.

Reset Vista SP2 Firewall:

Click on Start(Vista Orb) >> Run... (or the Windows key and R together) and cut/paste in the following and click on OK

firewall.cpl
Or Start(Vista Orb) >> Control Panel >> Windows Firewall

Click on the Change Settings >> Advanced >> Restore Defaults >> At the prompt click on Yes >> OK

Now click back on Change Settings again >> General >> and select On(recommended) >> Apply >> OK.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here (http://www.bleepingcomputer.com/forums/topic114351.html).

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.


Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox. Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

When completed the above, please post back the following:

Inform myself how your computer is running. Any problems encountered and or further symptoms?
Eset results.
A new OTL Log. <-- Only one log will be produced this time.
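
An added example for this thread (not the helper's tool and not the Microsoft Password Checker linked above, whose scoring rules are not shown here) that does what the password advice describes: it generates a random mix of upper case, lower case and digits with a cryptographic random source, and puts a number on the strength. The number is plain entropy, log2 of how many equally likely passwords there are, which is honest only for passwords that really were drawn at random.

```python
"""Generate a random password of the recommended kind and estimate its strength.

Added example for this thread, not code from the helper or from any
password-checker site. Generation uses Python's `secrets` module (a
CSPRNG); the strength figure is the entropy of a uniform draw over the
character classes present, in bits.
"""
import math
import secrets
import string

# Upper case, lower case and digits: the classes the post says to mix.
ALPHABET = string.ascii_letters + string.digits


def has_all_classes(pw):
    """True when pw mixes lower case, upper case and digits."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def generate_password(length=24, alphabet=ALPHABET):
    """Return a uniformly random password containing all three classes.

    Rejection sampling: draw, redraw if a class is missing. At this length
    rejections are rare, so the entropy loss is negligible.
    """
    if length < 3:
        raise ValueError("length must allow one character of each class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw


def entropy_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password over the alphabet."""
    return length * math.log2(alphabet_size)


def charset_size(pw):
    """Alphabet size implied by the character classes present in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def estimate_bits(pw):
    """Upper-bound strength estimate: treats pw as a uniform draw over its classes.

    A password built from words, keyboard walks or dates is far weaker than
    this figure suggests; it is only meaningful for generated passwords.
    """
    return entropy_bits(len(pw), charset_size(pw))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"~{estimate_bits(pw):.0f} bits")
    # The helper's own illustrative password from the post, for comparison.
    sample = "THi85S13IsA7Eg4u2tWMg4r"
    print(sample, f"~{estimate_bits(sample):.0f} bits")
```

A 24-character draw over 62 symbols comes to about 143 bits, well beyond what any online guessing will reach; the practical weak point is reuse, which is why the post asks for new passwords and new secret answers on every account once the machine is clean.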

derarne
2010-07-01, 20:18
Hey!

I reset the firewall.

I ran the eset scan.. but I managed to get rid of the log.. It did not find anything though, but if you need the log I will run it again.
It took about 50 minutes and checked about 130000 files but did not find anything wrong.

Here is the new OTL log:

OTL logfile created on: 2010-07-01 19:11:42 - Run 2
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Users\DerArne\Desktop
64bit-Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 0000041d | Country: Sverige | Language: SVE | Date Format: yyyy-MM-dd

4,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 54,00% Memory free
8,00 Gb Paging File | 6,00 Gb Available in Paging File | 77,00% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 146,48 Gb Total Space | 89,88 Gb Free Space | 61,36% Space Free | Partition Type: NTFS
Drive D: | 785,03 Gb Total Space | 673,85 Gb Free Space | 85,84% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DERARNE-PC
Current User Name: DerArne
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
PRC - C:\Users\DerArne\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe (Adobe Systems, Inc.)
PRC - C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe (GARMIN Corp.)
PRC - C:\Program Files (x86)\Voddler\service\voddler.exe (Voddler)
PRC - C:\Program Files (x86)\Voddler\service\VNetManager.exe ()
PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files (x86)\Net iD\iid.exe (SecMaker AB)
PRC - C:\Windows\SysWOW64\conime.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe ()


========== Modules (SafeList) ==========

MOD - C:\Users\DerArne\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\SysWOW64\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV:64bit: - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV:64bit: - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV:64bit: - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (UmRdpService) -- C:\Windows\SysNative\umrdp.dll (Microsoft Corporation)
SRV:64bit: - (CscService) -- C:\Windows\SysNative\cscsvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (VoddlerNet) -- C:\Program Files (x86)\Voddler\service\voddler.exe (Voddler)
SRV - (MSDTC) -- C:\Windows\SysWOW64\Msdtc [2006-11-02 15:34:14 | 000,000,000 | ---D | M]
SRV - (vds) -- C:\Windows\SysWOW64\wbem\vds.mof ()
SRV - (VSS) -- C:\Windows\SysWOW64\wbem\vss.mof ()


========== Driver Services (SafeList) ==========

DRV:64bit: - (aswTdi) -- C:\Windows\SysNative\drivers\aswTdi.sys (ALWIL Software)
DRV:64bit: - (aswSP) -- C:\Windows\SysNative\drivers\aswSP.sys (ALWIL Software)
DRV:64bit: - (aswRdr) -- C:\Windows\SysNative\drivers\aswRdr.sys (ALWIL Software)
DRV:64bit: - (aswMonFlt) -- C:\Windows\SysNative\drivers\aswMonFlt.sys (ALWIL Software)
DRV:64bit: - (aswFsBlk) -- C:\Windows\SysNative\drivers\aswFsBlk.sys (ALWIL Software)
DRV:64bit: - (RTL8169) -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys (Realtek )
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\DRIVERS\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\DRIVERS\atipmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\DRIVERS\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (RTL8187B) -- C:\Windows\SysNative\DRIVERS\wg111v3.sys (NETGEAR Inc. )
DRV:64bit: - (AtiHdmiService) -- C:\Windows\SysNative\drivers\AtiHdmi.sys (ATI Technologies, Inc.)
DRV:64bit: - (VIAHdAudAddService) -- C:\Windows\SysNative\drivers\viahduaa.sys (VIA Technologies, Inc.)
DRV:64bit: - (pavboot) -- C:\Windows\SysNative\drivers\pavboot64.sys (Panda Security, S.L.)
DRV:64bit: - (CSC) -- C:\Windows\SysNative\drivers\csc.sys (Microsoft Corporation)
DRV:64bit: - (DSI_SiUSBXp_3_1) -- C:\Windows\SysNative\drivers\DSI_SiUSBXp_3_1.sys (Silicon Laboratories)
DRV:64bit: - (RtlProt) -- C:\Windows\SysNative\DRIVERS\rtlprot.sys (Windows (R) Codename Longhorn DDK provider)
DRV:64bit: - (MTsensor) -- C:\Windows\SysNative\DRIVERS\ASACPI.sys ()
DRV - (CSC) -- C:\Windows\CSC [2010-01-23 04:57:50 | 000,000,000 | ---D | M]
DRV - (Tcpip) -- C:\Windows\SysWOW64\wbem\tcpip.mof ()
DRV - (mpsdrv) -- C:\Windows\SysWOW64\wbem\mpsdrv.mof ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
IE - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://se.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = sv
IE - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 89 56 DD C1 AC 9B CA 01 [binary data]
IE - HKU\S-1-5-21-778161406-3291420809-1624410804-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010-06-30 18:39:22 | 000,000,098 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
O4 - HKLM..\Run: [Net iD] C:\Program Files (x86)\Net iD\iid.exe (SecMaker AB)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [VoddlerNet Manager] C:\Program Files (x86)\Voddler\service\VNetManager.exe ()
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-778161406-3291420809-1624410804-1000..\Run: [ANT Agent] C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe (GARMIN Corp.)
O4 - HKU\S-1-5-21-778161406-3291420809-1624410804-1000..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
O4 - Startup: C:\Users\DerArne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img18.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img18.jpg
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010-07-01 18:13:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2010-06-30 18:39:18 | 000,000,000 | ---D | C] -- C:\_OTL
[2010-06-30 18:37:33 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010-06-30 18:36:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2010-06-30 18:16:56 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\Windows\avastSS.scr
[2010-06-28 20:31:03 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Users\DerArne\Desktop\OTL.exe
[2010-06-27 12:42:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2010-06-27 12:24:44 | 000,033,800 | ---- | C] (Panda Security, S.L.) -- C:\Windows\SysNative\drivers\pavboot64.sys
[2010-06-27 12:24:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Panda Security
[2010-06-27 12:22:04 | 000,000,000 | ---D | C] -- C:\Windows\BDOSCAN8
[2010-06-27 11:55:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\CCleaner
[2010-06-27 11:18:47 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010-06-27 11:18:43 | 001,071,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSCOMCTL.OCX
[2010-06-27 11:18:43 | 000,118,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSSTDFMT.DLL
[2010-06-27 11:18:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SpywareBlaster
[2010-06-26 20:05:13 | 000,000,000 | ---D | C] -- C:\Users\DerArne\AppData\Roaming\Malwarebytes
[2010-06-26 20:05:07 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010-06-26 20:05:06 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010-06-26 20:05:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010-06-26 20:05:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010-06-26 19:42:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010-06-26 19:42:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2010-06-23 19:34:37 | 001,942,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dfshim.dll
[2010-06-23 19:34:37 | 001,130,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dfshim.dll
[2010-06-23 19:34:37 | 000,320,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\PresentationHost.exe
[2010-06-23 19:34:37 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\PresentationHost.exe
[2010-06-23 19:34:37 | 000,109,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\PresentationHostProxy.dll
[2010-06-23 19:34:37 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\PresentationHostProxy.dll
[2010-06-23 19:34:37 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\netfxperf.dll
[2010-06-23 19:34:37 | 000,048,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netfxperf.dll
[2010-06-18 15:04:05 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\DRVSTORE
[2010-06-13 18:50:27 | 000,366,080 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll
[2010-06-13 18:50:26 | 000,289,792 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll
[2010-06-13 18:50:26 | 000,048,128 | ---- | C] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll
[2010-06-13 18:50:26 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll
[2010-06-13 18:50:21 | 002,334,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iertutil.dll
[2010-06-13 18:50:20 | 000,706,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2010-06-13 18:50:20 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeeds.dll
[2010-06-13 18:50:20 | 000,243,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\occache.dll
[2010-06-13 18:50:20 | 000,206,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\occache.dll
[2010-06-13 18:50:19 | 001,538,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2010-06-13 18:50:19 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2010-06-13 18:50:19 | 000,252,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll
[2010-06-13 18:50:19 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll
[2010-06-13 18:50:19 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2010-06-13 18:50:19 | 000,162,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2010-06-13 18:50:19 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2010-06-13 18:50:19 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll
[2010-06-13 18:50:19 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll
[2010-06-13 18:50:19 | 000,070,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2010-06-13 18:50:16 | 000,219,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2010-06-13 18:50:16 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ie4uinit.exe
[2010-06-13 18:50:16 | 000,077,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2010-06-13 18:50:16 | 000,072,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2010-06-13 18:50:16 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2010-06-13 18:50:16 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2010-06-13 18:50:16 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe
[2010-06-13 18:50:16 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedssync.exe

========== Files - Modified Within 30 Days ==========

[2010-07-01 19:11:02 | 002,359,296 | -HS- | M] () -- C:\Users\DerArne\NTUSER.DAT
[2010-07-01 18:28:15 | 000,000,952 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010-07-01 17:33:09 | 000,704,434 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010-07-01 17:33:09 | 000,595,748 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010-07-01 17:33:09 | 000,105,078 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010-07-01 17:25:55 | 000,000,948 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010-07-01 17:25:54 | 000,003,760 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010-07-01 17:25:54 | 000,003,760 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010-07-01 17:25:53 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010-07-01 17:25:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010-06-30 23:06:12 | 000,524,288 | -HS- | M] () -- C:\Users\DerArne\NTUSER.DAT{a7bdf3ed-6a85-11db-b5ae-f1534be43d84}.TMContainer00000000000000000001.regtrans-ms
[2010-06-30 23:06:12 | 000,065,536 | -HS- | M] () -- C:\Users\DerArne\NTUSER.DAT{a7bdf3ed-6a85-11db-b5ae-f1534be43d84}.TM.blf
[2010-06-30 23:06:05 | 002,483,427 | -H-- | M] () -- C:\Users\DerArne\AppData\Local\IconCache.db
[2010-06-30 18:36:30 | 000,000,744 | ---- | M] () -- C:\Users\DerArne\Desktop\ERUNT.lnk
[2010-06-30 18:16:56 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2010-06-28 22:57:33 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\Windows\avastSS.scr
[2010-06-28 22:57:12 | 000,165,032 | ---- | M] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2010-06-28 22:37:56 | 000,051,280 | ---- | M] (ALWIL Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2010-06-28 22:37:36 | 000,121,936 | ---- | M] (ALWIL Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2010-06-28 22:33:17 | 000,028,752 | ---- | M] (ALWIL Software) -- C:\Windows\SysNative\drivers\aswRdr.sys
[2010-06-28 22:33:00 | 000,061,008 | ---- | M] (ALWIL Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2010-06-28 22:32:36 | 000,020,048 | ---- | M] (ALWIL Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2010-06-28 20:31:18 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\DerArne\Desktop\OTL.exe
[2010-06-27 11:15:18 | 000,000,394 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010-06-26 20:38:20 | 000,000,418 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2010-06-26 18:51:48 | 000,000,650 | ---- | M] () -- C:\Users\Public\Desktop\World of Warcraft.lnk
[2010-06-15 19:21:19 | 000,006,144 | ---- | M] () -- C:\Users\DerArne\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-06-13 18:56:05 | 000,252,640 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010-06-13 18:48:00 | 000,000,680 | ---- | M] () -- C:\Users\DerArne\AppData\Local\d3d9caps.dat

========== Files Created - No Company Name ==========

[2010-06-30 18:36:30 | 000,000,744 | ---- | C] () -- C:\Users\DerArne\Desktop\ERUNT.lnk
[2010-06-26 20:40:10 | 000,000,394 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010-06-26 20:38:20 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010-06-01 15:01:16 | 000,000,088 | ---- | C] () -- C:\Windows\ka.ini
[2010-05-26 23:08:28 | 000,712,798 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010-03-03 02:00:00 | 004,555,278 | ---- | C] () -- C:\Windows\SysWow64\libavcodec.dll
[2010-03-03 02:00:00 | 001,449,935 | ---- | C] () -- C:\Windows\SysWow64\ffmpegmt.dll
[2010-03-03 02:00:00 | 000,882,688 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2010-03-03 02:00:00 | 000,877,385 | ---- | C] () -- C:\Windows\SysWow64\ff_x264.dll
[2010-03-03 02:00:00 | 000,556,491 | ---- | C] () -- C:\Windows\SysWow64\libmplayer.dll
[2010-03-03 02:00:00 | 000,336,384 | ---- | C] () -- C:\Windows\SysWow64\ff_libfaad2.dll
[2010-03-03 02:00:00 | 000,324,096 | ---- | C] () -- C:\Windows\SysWow64\TomsMoComp_ff.dll
[2010-03-03 02:00:00 | 000,248,320 | ---- | C] () -- C:\Windows\SysWow64\ff_kernelDeint.dll
[2010-03-03 02:00:00 | 000,216,576 | ---- | C] () -- C:\Windows\SysWow64\ff_libdts.dll
[2010-03-03 02:00:00 | 000,169,984 | ---- | C] () -- C:\Windows\SysWow64\ff_samplerate.dll
[2010-03-03 02:00:00 | 000,151,552 | ---- | C] () -- C:\Windows\SysWow64\ff_libmad.dll
[2010-03-03 02:00:00 | 000,145,408 | ---- | C] () -- C:\Windows\SysWow64\libmpeg2_ff.dll
[2010-03-03 02:00:00 | 000,121,856 | ---- | C] () -- C:\Windows\SysWow64\ff_liba52.dll
[2010-03-03 02:00:00 | 000,116,736 | ---- | C] () -- C:\Windows\SysWow64\ff_tremor.dll
[2010-03-03 02:00:00 | 000,100,864 | ---- | C] () -- C:\Windows\SysWow64\ff_wmv9.dll
[2010-03-03 02:00:00 | 000,097,792 | ---- | C] () -- C:\Windows\SysWow64\ff_unrar.dll
[2010-03-03 02:00:00 | 000,085,504 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2010-01-24 16:03:58 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2010-01-24 16:03:16 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2010-01-22 23:57:13 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini
[2010-01-22 23:57:11 | 000,033,790 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2009-11-14 20:37:08 | 000,154,112 | ---- | C] () -- C:\Windows\SysWow64\ts.dll
[2009-11-14 20:33:38 | 000,249,856 | ---- | C] () -- C:\Windows\SysWow64\dxr.dll
[2009-11-14 20:11:50 | 000,093,184 | ---- | C] () -- C:\Windows\SysWow64\avss.dll
[2009-11-14 20:11:42 | 000,150,016 | ---- | C] () -- C:\Windows\SysWow64\mkx.dll
[2009-11-14 20:11:42 | 000,141,824 | ---- | C] () -- C:\Windows\SysWow64\mp4.dll
[2009-11-14 20:11:40 | 000,123,392 | ---- | C] () -- C:\Windows\SysWow64\ogm.dll
[2009-11-14 20:11:40 | 000,109,568 | ---- | C] () -- C:\Windows\SysWow64\avi.dll
[2009-11-14 20:11:38 | 000,097,792 | ---- | C] () -- C:\Windows\SysWow64\avs.dll
[2009-11-14 20:11:32 | 000,080,384 | ---- | C] () -- C:\Windows\SysWow64\mkzlib.dll
[2009-11-14 20:11:32 | 000,024,576 | ---- | C] () -- C:\Windows\SysWow64\mkunicode.dll
[2009-06-07 18:24:04 | 000,180,224 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2009-04-02 14:30:14 | 000,010,296 | ---- | C] () -- C:\Windows\SysWow64\drivers\ASUSHWIO.SYS
[2009-01-11 00:15:44 | 000,159,744 | ---- | C] () -- C:\Windows\SysWow64\mmfinfo.dll
[2009-01-05 15:44:10 | 000,000,453 | ---- | C] () -- C:\Windows\bdoscandellang.ini
[2008-11-06 18:37:32 | 003,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll
[2008-01-21 04:49:10 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2007-10-13 11:30:20 | 000,000,137 | ---- | C] () -- C:\Windows\SysWow64\Registration.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:5C321E34
< End of report >

Think that was it.. besides the log, sorry about that..

/DerArne

Dakeyras
2010-07-01, 23:52
Hi. :)


> I ran the Eset scan.. but I managed to get rid of the log.. It did not find anything though, but if you need the log I will run it again.
> It took about 50 minutes and checked about 130000 files but did not find anything wrong.

OK, not ideal, because as a rule I would prefer to review a report, but I am sure if anything had been flagged you would have informed me. So no further action will be required on your behalf.


> Think that was it.. besides the log, sorry about that..

Not a problem I assure you.

Next:


Right-click OTL.exe and select Run as Administrator to start the program.
Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:OTL
[2010-06-27 12:24:44 | 000,033,800 | ---- | C] (Panda Security, S.L.) -- C:\Windows\SysNative\drivers\pavboot64.sys
[2010-06-27 12:24:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Panda Security
[2010-06-27 12:22:04 | 000,000,000 | ---D | C] -- C:\Windows\BDOSCAN8
[2010-06-26 19:42:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010-06-26 19:42:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:5C321E34

:Commands
[EmptyTemp]
[Reboot]


Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
Then click the red Run Fix button.
Let the program run unhindered.
If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Note: The logfile can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

When you have completed the above, please post back the following:

Inform me how your computer is running. Any problems encountered and/or further issues?
OTL log.

derarne
2010-07-02, 15:37
Hi!

The computer is working fine.

I ran the fix in OTL; here is the log:

All processes killed
========== OTL ==========
C:\Windows\SysNative\drivers\pavboot64.sys moved successfully.
C:\Program Files (x86)\Panda Security\ActiveScan 2.0\psqstore folder moved successfully.
C:\Program Files (x86)\Panda Security\ActiveScan 2.0 folder moved successfully.
C:\Program Files (x86)\Panda Security folder moved successfully.
C:\Windows\BDOSCAN8 folder moved successfully.
C:\ProgramData\Spybot - Search & Destroy\Recovery folder moved successfully.
C:\ProgramData\Spybot - Search & Destroy\Logs folder moved successfully.
C:\ProgramData\Spybot - Search & Destroy folder moved successfully.
C:\Program Files (x86)\Spybot - Search & Destroy folder moved successfully.
ADS C:\ProgramData\TEMP:5C321E34 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: DerArne
->Temp folder emptied: 158610 bytes
->Temporary Internet Files folder emptied: 49825009 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1169 bytes

User: Gabriel
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3262 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 48,00 mb


OTL by OldTimer - Version 3.2.7.0 log created on 07022010_143107

Files\Folders moved on Reboot...
C:\Users\DerArne\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\DerArne\AppData\Local\Temp\~DF2C21.tmp not found!
File\Folder C:\Users\DerArne\AppData\Local\Temp\~DF2C2B.tmp not found!
File\Folder C:\Users\DerArne\AppData\Local\Temp\~DF2C8B.tmp not found!
File\Folder C:\Users\DerArne\AppData\Local\Temp\~DF2C95.tmp not found!
File\Folder C:\Users\DerArne\AppData\Local\Temp\~DF2CC5.tmp not found!
File\Folder C:\Users\DerArne\AppData\Local\Temp\~DF2CCF.tmp not found!
C:\Users\DerArne\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NHOXIJD4\showthread[1].htm moved successfully.
C:\Users\DerArne\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Users\DerArne\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...


Ok.. fine so far.. looking forward to the next step!

/DerArne

Dakeyras
2010-07-02, 17:01
Hi. :)


> The computer is working fine.

Good to know.


> Ok.. fine so far.. looking forward to the next step!

I am going to ask your good self to install what is known as a Hosts file and lock it to prevent malware from compromising it, as follows.

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

The Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Host File Reset/Replace:

Please download HostsXpert (http://majorgeeks.com/Hoster_d4626.html) and unzip it to your computer, somewhere where you can find it.

The root of the system drive would be an ideal location, e.g. C:\

Note: This is Vista 64-bit compatible and I have used the exact same methodology on my own Vista 64-bit machine.

Right-click on HostsXpert.exe and select Run as Administrator to launch the programme.
Check to see if the top button on the left hand side says Make Writable?

If it does, click on it, then proceed to the next instruction.
If not, just proceed to the next instruction.

Click on Restore MS Hosts File to restore your Hosts file to its default condition.
When prompted to confirm, click OK.
Click on the Download button (lower left hand side)

Click on MVPs Hosts... button.
Click on Replace button.
Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)

When finished:

Click on File Handling button.
Click on Make Read Only? to secure it against infection.

Exit the programme.
Next:

Now reboot (restart) your machine and let me know when you have completed the above and whether any further issues remain, thank you.

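As an added example, not from this thread and not part of HostsXpert or the MVPS list, the Python script below shows what the Hosts-file step above actually buys you: it parses a hosts file in the style described (bad names mapped to 127.0.0.1), answers where a given name would resolve, lists the sinkholed names, and checks that the file has been made read-only, which is what the Make Read Only? step is meant to achieve. The sample hosts content and the .test names in it are constructed for the example.

```python
"""Hosts-file sinkhole check.

Added example, not from the thread and not part of HostsXpert: it parses a
hosts file in the style the post describes (bad sites mapped to 127.0.0.1),
answers "where would this name resolve?", and verifies the file is read-only.
"""
import os
import stat
import tempfile

# Constructed sample in the MVPS hosts style. Names ending in .test are
# reserved example names, not real advertisement or spyware hosts.
SAMPLE_HOSTS = """\
# start of constructed sample
127.0.0.1 localhost
::1 localhost
127.0.0.1 ad.example-tracker.test     # constructed "advertisement" host
127.0.0.1 spyware.example.test
0.0.0.0   malware.example.test        # some lists use 0.0.0.0 as the sink
"""

SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text.

    Comments (# ...) and blank lines are skipped, names are lower-cased, and
    the first mapping for a name is kept so later duplicates cannot override it.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def resolve(table, hostname):
    """IP the hosts file would answer for hostname, or None when the name is
    not listed and lookup falls through to DNS (i.e. it is not blocked)."""
    return table.get(hostname.strip().lower())


def blocked_hosts(table):
    """Names the file sinkholes (mapped to a loopback/unspecified address),
    excluding the legitimate localhost entries."""
    return sorted(name for name, ip in table.items()
                  if ip in SINKHOLE_IPS and name not in LOOPBACK_NAMES)


def is_read_only(path):
    """True when the owner write bit is clear; Windows' read-only attribute
    shows up the same way through os.stat."""
    return not (os.stat(path).st_mode & stat.S_IWUSR)


def lock_hosts_file(path):
    """Clear all write permission bits, mirroring the 'Make Read Only?' step,
    and return whether the file is now read-only."""
    mode = os.stat(path).st_mode
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return is_read_only(path)


def write_and_lock(text, directory=None):
    """Write hosts text to a fresh temp file, lock it, return (path, locked)."""
    fd, path = tempfile.mkstemp(prefix="hosts-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path, lock_hosts_file(path)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("AD.Example-Tracker.test", "www.google.se", "localhost"):
        print(f"{name:28} -> {resolve(table, name) or 'not in hosts (DNS)'}")
    print("sinkholed:", blocked_hosts(table))
    path, locked = write_and_lock(SAMPLE_HOSTS)
    print(f"{path} read-only: {locked}")
```

The read-only check is the part worth keeping around: a blocklist-style hosts file only helps while it has not been quietly rewritten, so a scheduled run of is_read_only against the real file (C:\Windows\System32\drivers\etc\hosts on Windows) is a cheap way to notice that the lock has been removed.
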
derarne
2010-07-02, 18:09
Hi again..

The computer seems fine..

I went through the hosts file section and everything went ok.


But here comes a hard part..
I think I might have left out some important information..

I am running on a wireless network and I have one more computer on it.. It is a laptop.. mainly used by my girlfriend.. but sometimes I use it as well.

I never thought to question it.. but now I have started to make some protection on it as well.. right now I am running the Eset scan on it.. and so far it has found 3 threats.

I am sorry if this causes problems for us.. I just did not think about it.

I do hope you will continue your work anyway..
If possible can it include the other computer as well!?

I do understand if you have not got the time or stamina to stay with me but I hope you will!

/DerArne

derarne
2010-07-02, 19:54
Here are the 3 files the Eset scan found on the laptop.

I still can't find that log, but this time I managed to paste them into a text document.

C:\Program Files\myphotobook\xtras\process.exe Win32/PrcView application
C:\Users\Anders\AppData\Local\Temp\NERO14399\Toolbar.exe Win32/Toolbar.AskSBar application
C:\Users\Anders\Documents\Downloads\Nero 8 Ultra Edition 8.2.8.0+Keymaker\Nero-8.2.8.0_eng_trial.exe Win32/Toolbar.AskSBar application

Dakeyras
2010-07-02, 21:20
Hi. :)


> The computer seems fine..
>
> I went through the hosts file section and everything went ok.

OK.


> But here comes a hard part..
> I think I might have left out some important information..
>
> I am running on a wireless network and I have one more computer on it.. It is a laptop.. mainly used by my girlfriend.. but sometimes I use it as well.
>
> I never thought to question it.. but now I have started to make some protection on it as well.. right now I am running the Eset scan on it.. and so far it has found 3 threats.
>
> I am sorry if this causes problems for us.. I just did not think about it.
>
> I do hope you will continue your work anyway..
> If possible can it include the other computer as well!?
>
> I do understand if you have not got the time or stamina to stay with me but I hope you will!

As I mentioned in a prior post, it would be prudent to reset the Router if one is in use, and based upon this information I am surmising it is a wireless Router.

So this should be done and a new Admin password created/changed, and the same for the Pre-shared Key (PSK) if one is used. However, do not do so yet until I specify otherwise. If you are not sure how to do so, merely inform me of the exact make/model of wireless router in use and I will gladly provide instructions.

Normally I would say create a new topic for the extra assistance. However, in this instance I am prepared to check your girlfriend's computer, but please be aware that from the 7th July I will be unavailable, though hopefully I will have no need to ask for cover. We can do so in this topic, so no need to create a new one.

With regard to your girlfriend's computer I will need to know which operating system is in use and whether it is a 64-bit version. The easy way to do so is:

Depress the Windows and R key together to bring up the Run... box and type in the following:-

winver

And click on OK. Make a note of the relevant information and post that in your next reply.

From preliminary research of what the Eset scan flagged on your girlfriend's computer, all three may be what is known as false positive detections, but we can verify that in due course.

--------------

The below pertains only to your own computer, the one we have been working on:

Congratulations your computer appears to be malware free!

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Importance of Regular System Maintenance:

I advise you to read both of the below listed topics as this will go a long way to keeping your Computer performing well.

Help! My computer is slow! (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)

So is this:

What to do if your Computer is running slowly (http://www.malwareremoval.com/tutorials/runningslowly.php)

Clean up with OTL:

Right-click OTL and select Run as Administrator to start the program.
Close all other programs apart from OTL as this step will require a reboot.
On the OTL main screen, depress the CleanUp button.
Say Yes to the prompt and then allow the program to reboot your computer.
The above process should clean up and remove the vast majority of scanners used and logs created etc.

Any left over merely delete yourself and empty the Recycle Bin.

Reset the System Restore points:

Create a new, clean System Restore point:-

Right click on Computer and select Properties >> System protection >> Create.
Give this restore point a descriptive name and click Create.
When done, click Apply >> OK.
Note: Do not clear infected/old System Restore points before creating a new System Restore point first!

Flush Old System Restore points:-

Right click on Computer and select Properties >> System protection.
Untick the Vista C system box and click Turn off system restore, then Apply >> OK.
Restart your computer.
Navigate back to System protection >> tick the Vista C system box >> Apply >> OK.

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is an excellent application and I advise you to keep it installed. Check for updates and run a scan once a week.

Other installed security software:

Your presently installed security application, avast! Free Antivirus, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

I advise you also run a complete scan with this also once per week.

Erunt:

Emergency Recovery Utility NT; I advise you to keep this installed as a means to keep a complete backup of your registry and restore it when needed.

Myself, I would actually create a new backup once per week, as this along with System Restore may prove invaluable if something unforeseen occurs!

Keep your system updated:

Microsoft releases patches for Windows and other products regularly:

Click on Start(Vista Orb) >> All Programs >> Windows Update.
In the navigation pane, click Check for updates.
After Windows Update has finished checking for updates, click View available updates.
Click to select the check box for any found, then click Install.
When completed, reboot (restart) your computer if not prompted to do so.

Be careful when opening attachments and downloading files:

Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
Never open emails from unknown senders.
Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge (http://sourceforge.net/) or Pricelessware (http://www.pricelesswarehome.org/).

Stop malicious scripts:

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript (http://www.symantec.com/avcenter/noscript.exe) by Symantec or Script Defender (http://www.analogx.com/contents/download/system/sdefend.htm) by AnalogX to handle these scripts.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice is avoid these types of software applications.

Install WinPatrol:

WinPatrol alerts you about possible system hijacks, malware attacks and critical changes made to your computer without your permission.

Download it from here (http://www.winpatrol.com/download.html).

You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html).

Next:

Now change all the passwords etc for your various email/gaming accounts as I outlined here (http://forums.spybot.info/showpost.php?p=376120&postcount=8) prior.

derarne
2010-07-03, 01:36
Hi!

First of all..

Thank you very much for sticking with me.

I have added your post of tips to my favourites.. I have read some and will read more later.. by the way my computer is now faster since you helped me clean it up.

I have cleaned up with OTL

I have reset the system restore point and emptied and put it up again.

I will keep the programs I had with the new ones you suggested (downloaded and installed) and try to remember to run all once a week.

Now to the problems..

Someone had been into my gmail account again.. from China 17 hours ago..
I don't know how but I guess it must come from my girlfriend's computer.. I hope.. I used that one when I thought it was safe, then I reset last time..

I got my gmail account back using another email.. and reset both passwords on those accounts and added new questions as well.

Do you think it is safe to reset my gaming account from my computer as well.. it is much harder to get back than the email accounts?

I could not find out how to change the pass on my router..
It is a Thomson TG787.

Here is the info you wanted from my girlfriend's laptop..
Thank you for trying that as well.

The windows version is:

Microsoft Windows Vista Home Premium
Version 6.0 (build 6002, Service Pack 2)
Licensed to Ulrika, Toshiba
2 GB memory.

Hope I am not taking up all your time..
I actually think I am learning some stuff as we go along.
And I will never download weird stuff again if the computers make their way out of this alive.

Best Regards DerArne

Dakeyras
2010-07-03, 02:42
Hi. :)


> First of all..
>
> Thank you very much for sticking with me.

You're welcome!


> Someone had been into my gmail account again.. from China 17 hours ago..
> I don't know how but I guess it must come from my girlfriend's computer.. I hope.. I used that one when I thought it was safe, then I reset last time..
>
> I got my gmail account back using another email.. and reset both passwords on those accounts and added new questions as well.

Hmmm, not good at all; as far as I could tell your actual machine is not the source for this continued problem.

I highly suggest you consider contacting Google anyway via this (http://www.google.com/support/accounts/bin/request.py?hl=en&contact_type=ara&ctx=accounts), explain the situation, and they may just be able to identify the source. Though unfortunately if it is based in China I doubt anything could be done, but it is worth a try nonetheless.

A thought, though: do you use a secondary email address for the account? If so and this has been changed to whatever the hacker wants, they will always gain access again unless you either change it or delete the option.

If you do use any form of social networking sites, say Facebook for example, with the accounts in question it would be prudent to change all passwords associated etc as a precaution.


> Do you think it is safe to reset my gaming account from my computer as well.. it is much harder to get back than the email accounts?

From your machine, yes I do, and I would do so as soon as possible.


> I could not find out how to change the pass on my router..
> It is a Thomson TG787.

Is this (http://www.thomsonbroadbandpartner.com/dsl-modems-gateways/products/product-detail.php?id=164) the Router you have? If so I can research exactly how to access the router etc, as it is pointless for me to post the most common methodology for accessing it in case yours is completely different, as some are.


> Hope I am not taking up all your time..

Not at all. I genuinely enjoy assisting people with malware related issues.


> I actually think I am learning some stuff as we go along.
> And I will never download weird stuff again if the computers make their way out of this alive.

Good.

OK, the below pertains to your girlfriend's machine:-

Please download OTL (http://oldtimer.geekstogo.com/OTL.exe) and save it to the Desktop.

Note: When you run OTL, if there is an option for Include 64bit Scans make sure it is selected before scanning.


Right-click on OTL.exe and select Run as Administrator to start OTL.
Under Output, ensure that Minimal Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Click on Run Scan at the top left hand corner.
When done, two Notepad files will open.
OTListIt.txt <-- Will be opened
Extra.txt <-- Will be minimized
Please post the contents of these 2 Notepad files in your next reply.
When you have completed the above, please post back the following in the order asked for:

How is your girlfriend's computer performing now, any further symptoms and/or problems encountered?
Answer to my router query.
Both OTL logs. <-- Post them individually please, IE: one Log per post/reply.

derarne
2010-07-03, 11:17
Hey!

The laptop is very slow.. but it has been for a while.
Otherwise no big problems.

I wrote Google a message, we will see what happens.. right now I seem to have control of everything but they had been in both my gmail and wow account at the time I told you about before..

I think it can be like you said, they came from the backup email.. the backup is a hotmail account.. is that safe enough? I have changed that account's pass and questions as well.

That link you gave me helped; I have changed the pass for my router and added the best encryption I know works.

Here are the logs from the laptop:

OTL logfile created on: 2010-07-03 10:04:46 - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Users\Anders\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 0000041D | Country: Sverige | Language: SVE | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 46,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 64,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74,52 Gb Total Space | 23,86 Gb Free Space | 32,02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 73,06 Gb Total Space | 37,99 Gb Free Space | 52,00% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ULRIKA-DATOR
Current User Name: Anders
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Anders\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe (Google Inc.)
PRC - C:\Program Files\Net iD\iid.exe (SecMaker AB)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Synaptics\SynTP\SynToshiba.exe (Synaptics, Inc.)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG)
PRC - C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
PRC - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
PRC - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe (TOSHIBA Corporation)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe ()
PRC - C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony)
PRC - C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe (TOSHIBA)
PRC - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe (TOSHIBA Corporation)
PRC - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
PRC - c:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe (TOSHIBA CORPORATION)
PRC - C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe (TOSHIBA CORPORATION)
PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe (TOSHIBA CORPORATION)
PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
PRC - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
PRC - C:\Program Files\TOSHIBA\Utilities\KeNotify.exe ()
PRC - C:\Windows\System32\agrsmsvc.exe (Agere Systems)
PRC - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc.)
PRC - C:\Windows\System32\TODDSrv.exe (TOSHIBA Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Anders\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (LiveUpdate Notice Ex) -- File not found
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (aswUpdSv) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (fsssvc) -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE (Symantec Corporation)
SRV - (TNaviSrv) -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe (TOSHIBA Corporation)
SRV - (TosCoSrv) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe (TOSHIBA Corporation)
SRV - (LiveUpdate Notice Service) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
SRV - (TOSHIBA Bluetooth Service) -- c:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe (TOSHIBA CORPORATION)
SRV - (CFSvcs) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
SRV - (AgereModemAudio) -- C:\Windows\System32\agrsmsvc.exe (Agere Systems)
SRV - (UleadBurningHelper) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc.)
SRV - (TODDSrv) -- C:\Windows\System32\TODDSrv.exe (TOSHIBA Corporation)


========== Driver Services (SafeList) ==========

DRV - (aswTdi) -- C:\Windows\System32\drivers\aswTdi.sys (ALWIL Software)
DRV - (aswRdr) -- C:\Windows\System32\drivers\aswRdr.sys (ALWIL Software)
DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswFsBlk) -- C:\Windows\System32\drivers\aswFsBlk.sys (ALWIL Software)
DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (ALWIL Software)
DRV - (fssfltr) -- C:\Windows\System32\drivers\fssfltr.sys (Microsoft Corporation)
DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys ()
DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)
DRV - (SynTP) -- C:\Windows\System32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (TVALZ) -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS (TOSHIBA Corporation)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (tos_sps32) -- C:\Windows\system32\DRIVERS\tos_sps32.sys (TOSHIBA Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (UVCFTR) -- C:\Windows\System32\drivers\UVCFTR_S.SYS (Chicony Electronics Co., Ltd.)
DRV - (Tosrfhid) -- C:\Windows\System32\drivers\Tosrfhid.sys (TOSHIBA Corporation.)
DRV - (Tosrfusb) -- C:\Windows\System32\drivers\tosrfusb.sys (TOSHIBA CORPORATION)
DRV - (tosrfbd) -- C:\Windows\System32\drivers\tosrfbd.sys (TOSHIBA CORPORATION)
DRV - (tifm21) -- C:\Windows\System32\drivers\tifm21.sys (Texas Instruments)
DRV - (KR10N) -- C:\Windows\system32\drivers\kr10n.sys (TOSHIBA CORPORATION)
DRV - (KR10I) -- C:\Windows\system32\drivers\kr10i.sys (TOSHIBA CORPORATION)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (tosrfec) -- C:\Windows\System32\drivers\tosrfec.sys (TOSHIBA Corporation)
DRV - (tdcmdpst) -- C:\Windows\System32\drivers\tdcmdpst.sys (TOSHIBA Corporation.)
DRV - (LPCFilter) -- C:\Windows\system32\DRIVERS\LPCFilter.sys (COMPAL ELECTRONIC INC.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2002946825-3677852132-797418189-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
IE - HKU\S-1-5-21-2002946825-3677852132-797418189-1001\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2002946825-3677852132-797418189-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010-07-02 18:11:16 | 000,411,423 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 14218 more lines...
O2 - BHO: (Länkhjälp till Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-2002946825-3677852132-797418189-1001\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony)
O4 - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [HWSetup] File not found
O4 - HKLM..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe ()
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [Net iD] C:\Program Files\Net iD\iid.exe (SecMaker AB)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA)
O4 - HKLM..\Run: [Symantec PIF AlertEng] C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (TOSHIBA)
O4 - HKLM..\Run: [Toshiba Registration] C:\Program Files\TOSHIBA\Registration\ToshibaRegistration.exe (Toshiba)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2002946825-3677852132-797418189-1001..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
O4 - HKU\S-1-5-21-2002946825-3677852132-797418189-1001..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG)
O4 - HKU\S-1-5-21-2002946825-3677852132-797418189-1001..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKU\S-1-5-21-2002946825-3677852132-797418189-1001..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-2002946825-3677852132-797418189-1001..\Run: [TOSCDSPD] File not found
O4 - Startup: C:\Users\Ulrika\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O9 - Extra Button: Tradera - Köp och sälj - {76577871-04EC-495E-A12B-91F7C3600AFA} - File not found
O9 - Extra Button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3B36B017-7E49-426B-95B0-B5CECD83C2E2} http://fika-web.ifolor.net/OrderingGeneral/LowRes/app_support/ActiveX/IfolorUploader_fika.cab (IfolorUploader Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w2/resources/VistaMSNPUpldsv-se.cab (MSN Photo Upload Tool)
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://www.fujidirekt.se/aurigma/ImageUploader5.cab (Image Uploader Control)
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} http://www.fujidirekt.se/aurigma/ImageUploader4.cab (Image Uploader Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} http://game03.zylom.com/activex/zylomgamesplayer.cab (Zylom Games Player)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUpldsv-se.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} http://www.fujidirekt.se/aurigma2/ImageUploader4.cab (Image Uploader Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img35.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img35.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006-09-18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{84f7d4ee-306b-11df-97b8-001b383fab7f}\Shell - "" = AutoRun
O33 - MountPoints2\{84f7d4ee-306b-11df-97b8-001b383fab7f}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O33 - MountPoints2\{84f7d4fd-306b-11df-97b8-001b383fab7f}\Shell - "" = AutoRun
O33 - MountPoints2\{84f7d4fd-306b-11df-97b8-001b383fab7f}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010-07-03 10:03:36 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Users\Anders\Desktop\OTL.exe
[2010-07-03 09:40:34 | 000,000,000 | ---D | C] -- C:\Users\Anders\AppData\Roaming\Malwarebytes
[2010-07-03 09:40:26 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010-07-03 09:40:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010-07-03 09:40:24 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010-07-03 09:40:23 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010-07-02 18:06:26 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NSS
[2010-07-02 18:06:26 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NSS\0207000.034
[2010-07-02 18:05:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2010-07-02 18:05:37 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2010-07-02 18:05:37 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2010-07-02 18:00:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010-07-02 18:00:14 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010-07-02 15:26:17 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010-07-01 20:26:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Artifex Mundi
[2010-06-29 20:20:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Kristanix Games
[2010-06-26 20:08:14 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll
[2010-06-26 20:08:13 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2010-06-26 20:08:13 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll
[2010-06-26 19:24:31 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[2010-06-26 19:24:31 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2010-06-21 21:31:48 | 000,000,000 | ---D | C] -- C:\ProgramData\The Mirror Mysteries
[2010-06-14 13:17:32 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\asycfilt.dll
[2010-06-14 13:17:02 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010-06-14 13:17:02 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010-06-14 13:17:01 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010-06-14 13:17:01 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010-06-14 13:17:00 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010-06-14 13:17:00 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010-06-14 13:17:00 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010-06-14 13:17:00 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010-06-14 13:17:00 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010-06-14 13:17:00 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010-06-14 13:17:00 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010-06-14 13:17:00 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010-06-14 13:17:00 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010-06-14 13:16:59 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010-06-14 13:16:59 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2010-06-14 13:16:47 | 000,289,792 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2010-06-14 13:16:47 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2010-06-14 13:16:38 | 002,037,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2010-06-09 20:48:29 | 000,000,000 | ---D | C] -- C:\ProgramData\BanzaiInteractive
[2010-06-09 11:28:32 | 000,090,112 | ---- | C] (MindVision Software) -- C:\Windows\unvise32.exe
[2010-06-09 11:26:28 | 000,000,000 | ---D | C] -- C:\Program Files\Josefin - Expedition Sverige
[2010-06-08 20:18:59 | 000,000,000 | ---D | C] -- C:\ProgramData\rionix
[2010-06-07 18:04:42 | 000,000,000 | ---D | C] -- C:\ProgramData\GOA
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010-07-03 10:04:57 | 005,505,024 | -HS- | M] () -- C:\Users\Anders\NTUSER.DAT
[2010-07-03 10:03:43 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Anders\Desktop\OTL.exe
[2010-07-03 09:57:43 | 000,000,934 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010-07-03 09:56:41 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010-07-03 09:56:41 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010-07-03 09:56:40 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010-07-03 09:56:30 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010-07-03 09:56:26 | 2145,435,648 | -HS- | M] () -- C:\hiberfil.sys
[2010-07-03 09:55:16 | 000,524,288 | -HS- | M] () -- C:\Users\Anders\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010-07-03 09:55:16 | 000,065,536 | -HS- | M] () -- C:\Users\Anders\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010-07-03 09:54:56 | 003,051,707 | -H-- | M] () -- C:\Users\Anders\AppData\Local\IconCache.db
[2010-07-03 09:40:29 | 000,000,783 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010-07-03 09:15:03 | 000,000,938 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010-07-02 18:57:24 | 000,000,560 | -H-- | M] () -- C:\Windows\tasks\Norton Security Scan for Anders.job
[2010-07-02 18:11:16 | 000,411,423 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010-07-02 18:06:29 | 000,001,353 | ---- | M] () -- C:\Users\Public\Desktop\Norton Security Scan.lnk
[2010-07-02 18:06:26 | 000,000,172 | ---- | M] () -- C:\Windows\System32\drivers\NSS\0207000.034\isolate.ini
[2010-07-02 18:00:22 | 000,001,084 | ---- | M] () -- C:\Users\Anders\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010-07-02 18:00:22 | 000,001,060 | ---- | M] () -- C:\Users\Anders\Desktop\Spybot - Search & Destroy.lnk
[2010-06-16 22:14:47 | 000,315,752 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-07-03 09:40:29 | 000,000,783 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010-07-02 19:30:59 | 000,000,120 | ---- | C] () -- C:\Users\Anders\fupp.txt
[2010-07-02 18:06:26 | 000,000,172 | ---- | C] () -- C:\Windows\System32\drivers\NSS\0207000.034\isolate.ini
[2010-07-02 18:04:44 | 000,000,560 | -H-- | C] () -- C:\Windows\tasks\Norton Security Scan for Anders.job
[2010-07-02 18:00:22 | 000,001,084 | ---- | C] () -- C:\Users\Anders\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010-07-02 18:00:22 | 000,001,060 | ---- | C] () -- C:\Users\Anders\Desktop\Spybot - Search & Destroy.lnk
[2010-06-09 11:28:32 | 000,007,794 | ---- | C] () -- C:\Program Files\uninstal.log
[2009-07-12 21:42:20 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009-04-27 20:01:18 | 000,721,904 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2008-11-29 17:10:05 | 000,000,023 | ---- | C] () -- C:\Windows\Disney.ini
[2007-10-30 19:46:33 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2007-10-30 19:46:33 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2007-10-30 19:46:33 | 000,010,161 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2007-10-30 19:46:33 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2007-06-06 17:19:06 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2007-06-06 17:19:06 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2007-06-06 17:19:06 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2007-06-06 17:19:06 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2007-06-06 17:19:06 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2007-06-06 17:19:06 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2007-06-06 17:09:50 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2007-06-06 16:57:50 | 000,036,864 | ---- | C] () -- C:\Windows\System32\HWS_Ctrl.dll
[2007-06-06 16:33:56 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2007-06-06 16:27:41 | 000,000,291 | ---- | C] () -- C:\Windows\RtDefLvl.ini
[2007-06-06 16:26:35 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006-12-05 14:05:06 | 000,114,688 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2006-11-02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006-11-02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2005-11-23 14:55:42 | 000,024,576 | ---- | C] () -- C:\Windows\System32\SPCtl.dll
[2005-07-22 22:30:20 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 100 bytes -> C:\ProgramData\TEMP:949483BD
< End of report >
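
As an added triage example (not part of derarne's post and not OTL's own code): a short Python pass over OTL-style lines like the ones above, flagging the entries a helper usually looks at first: drivers OTL could not attribute to a publisher, hosts entries that point a name at a non-loopback address, orphaned Run entries, cached AutoRun commands for removable drives (O33), and alternate data streams. The sample lines are copied from the log above, except the `10.0.0.5 login.example.test` hosts line, which is constructed so the redirect check has something to fire on; the "action" text is my own triage heuristic, not an OTL verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines excerpted from the OTL log above, plus one
# hypothetical hosts line (10.0.0.5 login.example.test) that is NOT in the
# original and exists only to exercise the non-loopback check.
SAMPLE_LOG = """\
DRV - (aswTdi) -- C:\\Windows\\System32\\drivers\\aswTdi.sys (ALWIL Software)
DRV - (sptd) -- C:\\Windows\\System32\\Drivers\\sptd.sys ()
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 10.0.0.5 login.example.test
O4 - HKLM..\\Run: [HWSetup] File not found
O4 - HKLM..\\Run: [Net iD] C:\\Program Files\\Net iD\\iid.exe (SecMaker AB)
O33 - MountPoints2\\{84f7d4ee-306b-11df-97b8-001b383fab7f}\\Shell\\AutoRun\\command - "" = G:\\AutoRun.exe -- File not found
@Alternate Data Stream - 100 bytes -> C:\\ProgramData\\TEMP:949483BD
"""

# Addresses that a blocklist-style hosts file legitimately maps names to.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(\{[^}]+\})\\Shell\\AutoRun\\command - "" = (.+?)(?: -- File not found)?$'
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+)$")
# OTL prints the publisher in trailing parentheses; '()' means it read none.
PATH_VENDOR_RE = re.compile(r"^(?P<path>.*?) \((?P<vendor>[^()]*)\)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # short category label
    detail: str  # evidence taken from the log line
    action: str  # what a triager would do next (heuristic, my wording)


def triage_line(line: str):
    """Return a Finding for one OTL line, or None if nothing stands out."""
    line = line.rstrip()

    # Kernel drivers with no readable publisher: verify before trusting.
    if line.startswith("DRV - ") and " -- " in line:
        _, rhs = line.split(" -- ", 1)
        m = PATH_VENDOR_RE.match(rhs)
        if m and m.group("vendor") == "":
            return Finding("driver-no-publisher", m.group("path"),
                           "check the file's digital signature and hash; do not assume it is the product you installed")
        return None

    # Hosts entries: 127.0.0.1 blocks are a blocklist; anything else redirects.
    m = HOSTS_RE.match(line)
    if m:
        ip, host = m.groups()
        if ip not in LOOPBACK:
            return Finding("hosts-redirect", f"{host} -> {ip}",
                           "a name mapped to a non-loopback address can send logins elsewhere; confirm it is intended")
        return None

    # Run entries whose target no longer exists: dead weight, but note them.
    if line.startswith("O4 - ") and line.endswith("File not found"):
        m = re.search(r"\[([^\]]+)\]", line)
        return Finding("orphaned-autostart", m.group(1) if m else line,
                       "harmless by itself; remove the stale Run value")

    # MountPoints2 AutoRun commands: cached from a removable drive's autorun.inf.
    m = O33_RE.match(line)
    if m:
        guid, cmd = m.groups()
        return Finding("removable-media-autorun", f"{guid}: {cmd}",
                       "AutoRun command cached for a removable drive; scan that drive before plugging it in again")

    m = ADS_RE.match(line)
    if m:
        size, target = m.groups()
        return Finding("alternate-data-stream", f"{target} ({size} bytes)",
                       "dump the stream contents before deciding; small ADS on TEMP objects are often benign")
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and keep only the hits, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    -> {f.action}")
```

Run it on a full OTL.txt by reading the file into `triage()`; the 14,000-odd `127.0.0.1` hosts lines in the log above all pass the loopback check, which is the quick way to tell an immunization list from a hosts hijack.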

derarne
2010-07-03, 11:20
and here is the second log:

OTL Extras logfile created on: 2010-07-03 10:04:46 - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Users\Anders\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 0000041D | Country: Sverige | Language: SVE | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 46,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 64,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74,52 Gb Total Space | 23,86 Gb Free Space | 32,02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 73,06 Gb Total Space | 37,99 Gb Free Space | 52,00% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ULRIKA-DATOR
Current User Name: Anders
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 1
"InternetSettingsDisableNotify" = 1
"AutoUpdateDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0036315A-731B-463B-8041-8A30B7CD815E}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{011FCBE0-2F50-4D36-A73E-41E68B9B1983}" = lport=137 | protocol=17 | dir=in | app=system |
"{0B18DCE7-7F46-4932-B6F2-DDC6AD1C1883}" = lport=3724 | protocol=6 | dir=in | name=blizzard downloader: 3724 |
"{1A084919-9E86-4AE9-8116-ECFA0461EA92}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{349C533E-257B-4CF2-950B-6E831EE5EFCD}" = rport=137 | protocol=17 | dir=out | app=system |
"{438E732A-14ED-4361-919B-966B6434A732}" = lport=139 | protocol=6 | dir=in | app=system |
"{532B5240-9230-4006-B674-A174A02B4C5C}" = rport=445 | protocol=6 | dir=out | app=system |
"{650304E1-2B54-4905-9A25-CD552F2D9401}" = rport=139 | protocol=6 | dir=out | app=system |
"{CB1C1C63-5645-4B82-B34D-D2E5D91437CB}" = lport=445 | protocol=6 | dir=in | app=system |
"{D8E65E42-BF8A-4FA8-95EA-B27E28AB19CB}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{EFB2C22E-6022-4F13-91BA-7E850062D52E}" = lport=138 | protocol=17 | dir=in | app=system |
"{F96A5B94-2478-4344-88B8-6326EF63F393}" = lport=2869 | protocol=6 | dir=in | app=system |
"{FA771E45-AEAF-4EE0-97E7-C3548E604802}" = rport=138 | protocol=17 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{181F844F-CD7A-4797-9838-97CFBFBFA44A}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0-engb-downloader.exe |
"{263B7E4E-D237-4241-8564-43CEB17182A1}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{2B354393-0FE5-4A38-817A-8C224E67A9E5}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-engb-downloader.exe |
"{2D45A087-1EDF-4590-9D9F-310CCB414B17}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-engb-downloader.exe |
"{31F89A00-E62E-479C-BA9D-C67420C50F9E}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-engb-downloader.exe |
"{35529235-A8B0-43CE-8EC1-FE26D8B0DD88}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-engb-downloader.exe |
"{3C72368C-BC76-4752-8BEE-7879CA51CED6}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.2.10482-to-3.2.2.10505-engb-downloader.exe |
"{62B1D891-A257-48FE-A668-D2DCCAE51C70}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-engb-downloader.exe |
"{723DD7B4-4840-4431-A6FE-6A7622A99FD9}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.2.10482-to-3.2.2.10505-engb-downloader.exe |
"{7B014DFA-EE65-4B0F-AB8B-18C395EC01C7}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-engb-downloader.exe |
"{8A3468DD-D905-43E2-9739-FDEED783D541}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{9078D6C3-6D62-4338-87DF-C2E3A535863D}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{95C0BA6D-2215-46A5-8A70-07DE5E11465C}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-engb-downloader.exe |
"{983963C0-A717-411A-AADC-CFF0CB66B7E4}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{A984C585-375E-4488-B6DA-5E8131239A4C}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0-engb-downloader.exe |
"{C4ED8513-5EE5-432C-A38D-3F6C134F66DC}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{DDF6C202-D5E1-4DF1-9BBE-1911F5ADABC2}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{EE36136B-1CAA-479E-AF41-7A6BF7E65369}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-engb-downloader.exe |
"TCP Query User{41266F7B-8D18-4CAF-9A94-E0E73A5DCDD0}E:\spel\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-engb-downloader.exe" = protocol=6 | dir=in | app=e:\spel\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-engb-downloader.exe |
"TCP Query User{6B364D11-968A-46DD-A668-081197E6E4DC}E:\spel\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-engb-downloader.exe" = protocol=6 | dir=in | app=e:\spel\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-engb-downloader.exe |
"TCP Query User{775A584D-E560-440D-8794-CDC51BF9C728}E:\spel\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=e:\spel\world of warcraft\launcher.exe |
"TCP Query User{9AF5C77E-64C6-401C-9FCA-4D599F294AF8}E:\spel\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=e:\spel\world of warcraft\launcher.exe |
"TCP Query User{A64901D7-06AF-46D9-BB88-7C02E079D3ED}E:\spel\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-engb-downloader.exe" = protocol=6 | dir=in | app=e:\spel\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-engb-downloader.exe |
"TCP Query User{A64E4AED-BBFF-4368-B631-96A3F15419DD}E:\spel\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-engb-downloader.exe" = protocol=6 | dir=in | app=e:\spel\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-engb-downloader.exe |
"TCP Query User{B7B18C33-E8CB-4246-A93F-04418786D666}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{CA63D75D-ADCD-4F18-B9DE-B47FB1C90A3D}E:\spel\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-engb-downloader.exe" = protocol=6 | dir=in | app=e:\spel\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-engb-downloader.exe |
"UDP Query User{0752B633-04F9-47DA-9860-43A8F9E4A775}E:\spel\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=e:\spel\world of warcraft\launcher.exe |
"UDP Query User{07738ACE-B374-4E93-93FF-6DB266B17634}E:\spel\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-engb-downloader.exe" = protocol=17 | dir=in | app=e:\spel\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-engb-downloader.exe |
"UDP Query User{39560D0F-DFA1-4575-ABE6-F850006C6C6B}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{433B9046-BAAB-4942-BDC3-65563BE280A4}E:\spel\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-engb-downloader.exe" = protocol=17 | dir=in | app=e:\spel\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-engb-downloader.exe |
"UDP Query User{9151213F-E1E2-46F8-8077-964FB50F21B8}E:\spel\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-engb-downloader.exe" = protocol=17 | dir=in | app=e:\spel\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-engb-downloader.exe |
"UDP Query User{93AF98F3-5FA4-4D15-8667-6D63FD548B86}E:\spel\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-engb-downloader.exe" = protocol=17 | dir=in | app=e:\spel\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-engb-downloader.exe |
"UDP Query User{EB271040-FE0A-424E-BE23-2C1263426A52}E:\spel\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=e:\spel\world of warcraft\launcher.exe |
"UDP Query User{FE11AD28-AA0F-4793-9C57-93F1EB748669}E:\spel\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-engb-downloader.exe" = protocol=17 | dir=in | app=e:\spel\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-engb-downloader.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0323731F-5EFF-C9AE-B398-6077AE9C67D9}" = Catalyst Control Center Localization Chinese Standard
"{084D94A9-D67E-D41B-6B4E-B6A481384D27}" = CCC Help Finnish
"{08A247F5-E34F-4D17-8731-0906DF56947E}" = Windows Live Sync
"{0A8DA20B-1F01-D1C5-A24F-91EEE7A94A59}" = Catalyst Control Center Localization Korean
"{0E93710D-31E5-477C-8A4B-5032B484BE74}" = Windows Live inloggningsassistenten
"{0FEBE468-714C-9191-D5D0-9D117BAE0A55}" = Skins
"{10004416-C81D-E8DB-5E92-5990D66F0B6D}" = Catalyst Control Center Localization Danish
"{11D49772-0D06-0B31-DC09-CE413F9B0C93}" = CCC Help Chinese Traditional
"{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{169F0C17-F535-4C59-AFCD-719B248A8383}" = TOSHIBA-handböcker
"{17C253E6-1A31-45CC-8A1D-CBBCC8D1E8AE}" = OpenOffice.org 3.1
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1C570C5E-FC8A-9BCD-10EA-ADA2AD35A513}" = ATI Catalyst Install Manager
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22721B8E-8D36-C102-8C79-925C221DD9B4}" = Catalyst Control Center Localization Russian
"{2290A680-4083-410A-ADCC-7092C67FC052}" = Toshiba Online Product Information
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24A9C9A9-9749-0206-1E7E-BD32AA946D35}" = Catalyst Control Center Graphics Full New
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 20
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Driver Installation Program
"{2D1B9BD2-C430-C5D6-6A40-BD00956F9CA4}" = Catalyst Control Center Graphics Previews Vista
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java(TM) SE Runtime Environment 6
"{34E2872D-1493-25E6-FBD8-98FCC1A96645}" = CCC Help Portuguese
"{37C866E4-AA67-4725-9E95-A39968DD7960}" = Camera Assistant Software for Toshiba
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3BF34856-1A5F-2AD8-7D50-66BE8A82B5C1}" = CCC Help Spanish
"{45F00029-0A50-43AA-497A-67EFFF1E06F7}" = CCC Help Swedish
"{478A4948-C6E9-E3BE-6353-ECCA1DD65CF4}" = Catalyst Control Center Localization Czech
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5034E4E7-A8E7-7BCA-0014-1534C77A7A5C}" = Catalyst Control Center Localization Turkish
"{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
"{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"{52EC92CA-771A-F8C8-95A2-37AFB43798B7}" = Catalyst Control Center Localization Spanish
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5980B928-1C95-4B3E-957B-B02D8147FF9E}" = Desktop SMS
"{5A70922D-9365-43CC-ADA9-CB84E4A54E4E}" = Windows Live Essentials
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5FCCD531-1B38-4A94-924C-127F722F1053}" = Nero 8
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"{64FA2F4C-F61D-9A7C-318D-711C63308A61}" = CCC Help German
"{65F6D25C-2B2B-4673-A81D-E7D7D72B29E4}" = Windows Live Family Safety
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{72E710CD-51E2-D3BA-108C-F00C54E5B7B0}" = CCC Help Japanese
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{788064B6-AF54-4E8A-BB76-971D762FEB16}" = Backpacker 3 Mediterraneo
"{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}" = TOSHIBA ConfigFree
"{796A8F45-C24A-F0C7-2114-FAABC5DA8367}" = Catalyst Control Center Graphics Full Existing
"{79A4C5D0-EF1A-752A-43F9-C4E79341628A}" = Catalyst Control Center Localization Italian
"{7AC09EE2-08B0-7C97-B8ED-961C58AA9E96}" = Catalyst Control Center Localization Greek
"{7BD5E0A6-DB75-B763-CE09-0D883E97F5DF}" = Catalyst Control Center Localization Thai
"{7CF70E3E-BDC7-5F46-F806-49D8D104A0E3}" = CCC Help Danish
"{7D61830A-1867-6DFA-11FE-A64752B4658D}" = CCC Help Greek
"{7D7152AF-581B-316F-8CA4-15342C3EFA4B}" = Microsoft .NET Framework 3.5 Language Pack SP1 - sve
"{80FEE630-084D-50F6-9FC8-75757A87F015}" = Catalyst Control Center Localization Polish
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
"{8BA42EAE-19AD-4bf2-88C0-0232B1FBFDE2}" = Microsoft Works
"{8E8780B8-2924-B51D-976B-59EE97713659}" = CCC Help Russian
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95AEBA1F-23F4-3751-73FA-CFCFB962F789}" = CCC Help Polish
"{977D59F6-C638-B0AC-5CE4-D6A615D62033}" = Catalyst Control Center Localization Dutch
"{98FB128F-1462-6AF5-471C-4512232E9478}" = ccc-core-static
"{9954B400-AEB7-638D-E753-BB4ECE1064EE}" = CCC Help English
"{9A1EFCBB-5E3C-7E13-2AAD-7AFA4FD9DBD9}" = Catalyst Control Center Localization Swedish
"{9BBE7AA1-AFA8-4D76-8FC2-1FDFD9BD3371}" = Windows Live Mail
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A6D4234C-CB02-4048-AC3E-AD09404FA35A}" = Emdedded IR Driver
"{A73730D7-1D88-3DAB-9A3B-3959093347CC}" = CCC Help Chinese Standard
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AAD49C89-CA9D-911E-0407-8EE0521EA24D}" = CCC Help Dutch
"{AC76BA86-7AD7-1053-7B44-A81000000003}" = Adobe Reader 8.1.1 - Svenska
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{BBF8FA9C-23D9-4310-9AC7-A3A9AE7EE4D7}" = Backpacker 3
"{BF49AD34-C4F3-115A-CACE-E06EA0B59EDC}" = CCC Help Korean
"{C3075CFB-4EFE-AD80-587A-3FB74338A44D}" = Catalyst Control Center Localization Finnish
"{C3FE3DD5-92E1-4EC3-BD6B-822DD99E8991}" = Windows Live Photo Gallery
"{C705D235-051D-B65E-DAF2-E4D104F640A6}" = CCC Help Norwegian
"{C985DD31-E62E-E121-D918-E7CDE78B523B}" = Catalyst Control Center Core Implementation
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{CEDFF4EA-DFCF-312A-773A-4F743AAF78E2}" = Catalyst Control Center Localization Japanese
"{D55BA1E9-0517-C325-00BD-B68087923AE9}" = CCC Help Hungarian
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{DB780B85-B4B5-4864-A49C-9B706B169C93}" = TIPCI
"{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}" = LiveUpdate Notice (Symantec Corporation)
"{DD3D3F5A-BFB9-CEC4-1A86-619E7FF83300}" = Catalyst Control Center Localization Chinese Traditional
"{DE64DACB-B8EA-BF73-EB87-67C22FFA0C52}" = ccc-utility
"{E1B530E5-3515-AC68-CA75-0932BA837A1A}" = CCC Help Thai
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E54F065A-4DCB-1875-222D-CF27620AF646}" = Catalyst Control Center Localization Portuguese
"{E6802BDF-0F93-6DB7-E542-B1B36BAA9FFF}" = Catalyst Control Center Localization French
"{E858ECF5-7644-33F3-EBE5-1A6D4E606F5B}" = CCC Help Turkish
"{EA6DCFC6-BCA2-D901-7417-19261C50802A}" = Catalyst Control Center Localization Hungarian
"{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}" = TOSHIBA SD Memory Utilities
"{EC928237-A3BD-4640-ABD0-E49E758F2315}" = Windows Live Messenger
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1A77E14-33CE-438D-BBF9-DDF41FFC6FE5}" = Backpacker 3 Americana
"{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}" = DVD MovieFactory for TOSHIBA
"{F6527F8D-F203-CD41-7D39-2C6FBB91DCAD}" = CCC Help Italian
"{FBB22939-6AAD-A6EB-5AA1-BAA166F2D032}" = CCC Help Czech
"{FDC08E4B-F82B-6183-D0B5-A5F89678AB82}" = Catalyst Control Center Graphics Light
"{FE890808-EE76-63DF-6D0E-4609D2520DF0}" = Catalyst Control Center Localization German
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"{FEDD8B8B-6EA0-A35C-6CB4-06F1AF4D7769}" = Catalyst Control Center Localization Norwegian
"{FF62A079-FE47-C34A-AB88-C61CA838B007}" = CCC Help French
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"avast!" = avast! Antivirus
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"DAEMON Tools Toolbar" = DAEMON Tools Toolbar
"ESET Online Scanner" = ESET Online Scanner v3
"Ifolor-Designer21" = ifolor Designer
"iid" = Net iD 5.3
"InstallShield_{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Administratörslösenord
"InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBAs maskinvaruinstallningar
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"InstallShield_{621C02EA-AAFF-4026-A903-165D59529A16}" = Driver Detective
"InstallShield_{A6D4234C-CB02-4048-AC3E-AD09404FA35A}" = Emdedded IR Driver
"InstallShield_{DB780B85-B4B5-4864-A49C-9B706B169C93}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Josefin - Expedition Sverige" = Josefin - Expedition Sverige
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 Language Pack SP1 - sve" = Språkpaket för Microsoft .NET Framework 3.5 SP 1 - sve
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"myphotobook" = myphotobook 3.1
"NSS" = Norton Security Scan
"PhotoStitch" = Canon Utilities PhotoStitch
"QuickTime" = QuickTime
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR
"World of Warcraft" = World of Warcraft
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"Zylom Games Player Plugin" = Zylom Games Player Plugin

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2002946825-3677852132-797418189-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"XBMC" = XBMC Media Center

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2010-05-16 16:28:40 | Computer Name = Ulrika-dator | Source = EventSystem | ID = 4621
Description =

Error - 2010-05-23 04:46:20 | Computer Name = Ulrika-dator | Source = Application Error | ID = 1000
Description = Felet uppstod i programmet javaw.exe, version 6.0.200.2, tidsstämpel
0x4bc398b3, felet uppstod i modulen java.dll, version 6.0.200.2, tidsstämpel 0x4bc3c8dc,
undantagskod 0xc0000005, felförskjutning 0x00005875, process-ID 0x1d4, programmets
starttid 0x01cafa5466d7d4ed.

Error - 2010-05-24 08:40:24 | Computer Name = Ulrika-dator | Source = Application Error | ID = 1000
Description = Felet uppstod i programmet Apselut spunk.exe, version 10.1.0.11, tidsstämpel
0x413ffc3a, felet uppstod i modulen Apselut spunk.exe, version 10.1.0.11, tidsstämpel
0x413ffc3a, undantagskod 0xc0000005, felförskjutning 0x00003d70, process-ID 0x1464,
programmets starttid 0x01cafb3e46ba2970.

Error - 2010-05-24 08:40:44 | Computer Name = Ulrika-dator | Source = Application Error | ID = 1000
Description = Felet uppstod i programmet Apselut spunk.exe, version 10.1.0.11, tidsstämpel
0x413ffc3a, felet uppstod i modulen Apselut spunk.exe, version 10.1.0.11, tidsstämpel
0x413ffc3a, undantagskod 0xc0000005, felförskjutning 0x00003d70, process-ID 0x14b0,
programmets starttid 0x01cafb3e5235eb90.

Error - 2010-05-24 08:41:27 | Computer Name = Ulrika-dator | Source = Application Error | ID = 1000
Description = Felet uppstod i programmet Apselut spunk.exe, version 10.1.0.11, tidsstämpel
0x413ffc3a, felet uppstod i modulen Apselut spunk.exe, version 10.1.0.11, tidsstämpel
0x413ffc3a, undantagskod 0xc0000005, felförskjutning 0x00003d70, process-ID 0x10fc,
programmets starttid 0x01cafb3e6ad1b1c0.

Error - 2010-05-24 08:41:41 | Computer Name = Ulrika-dator | Source = Application Error | ID = 1000
Description = Felet uppstod i programmet Inställningar.exe, version 10.1.0.11, tidsstämpel
0x413ffc3a, felet uppstod i modulen Inställningar.exe, version 10.1.0.11, tidsstämpel
0x413ffc3a, undantagskod 0xc0000005, felförskjutning 0x00003e6f, process-ID 0xa04,
programmets starttid 0x01cafb3e73692840.

Error - 2010-05-24 08:42:50 | Computer Name = Ulrika-dator | Source = EventSystem | ID = 4621
Description =

Error - 2010-06-07 14:27:32 | Computer Name = Ulrika-dator | Source = Application Error | ID = 1000
Description = Felet uppstod i programmet javaw.exe, version 6.0.200.2, tidsstämpel
0x4bc398b3, felet uppstod i modulen java.dll, version 6.0.200.2, tidsstämpel 0x4bc3c8dc,
undantagskod 0xc0000005, felförskjutning 0x00005875, process-ID 0xb14, programmets
starttid 0x01cb066f15757183.

Error - 2010-06-09 03:48:05 | Computer Name = Ulrika-dator | Source = EventSystem | ID = 4621
Description =

Error - 2010-06-14 07:06:42 | Computer Name = Ulrika-dator | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

[ Media Center Events ]
Error - 2008-04-18 10:31:57 | Computer Name = Ulrika-dator | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: det gick inte att hämta paketet
MCESpotlight.

[ System Events ]
Error - 2010-07-02 09:30:42 | Computer Name = Ulrika-dator | Source = BROWSER | ID = 8032
Description =

Error - 2010-07-02 12:55:49 | Computer Name = Ulrika-dator | Source = DCOM | ID = 10010
Description =

Error - 2010-07-02 12:57:30 | Computer Name = Ulrika-dator | Source = Service Control Manager | ID = 7000
Description =

Error - 2010-07-02 13:29:43 | Computer Name = Ulrika-dator | Source = BROWSER | ID = 8032
Description =

Error - 2010-07-02 18:41:31 | Computer Name = Ulrika-dator | Source = BROWSER | ID = 8032
Description =

Error - 2010-07-02 19:35:38 | Computer Name = Ulrika-dator | Source = DCOM | ID = 10010
Description =

Error - 2010-07-03 02:38:30 | Computer Name = Ulrika-dator | Source = Service Control Manager | ID = 7000
Description =

Error - 2010-07-03 02:39:43 | Computer Name = Ulrika-dator | Source = netbt | ID = 4321
Description = Namnet WORKGROUP :1d kunde inte registreras på det gränssnitt
som har IP-adressen 192.168.1.67. Den dator som har IP-adressen 192.168.1.64 tillät
inte att den här datorn använder namnet.

Error - 2010-07-03 03:55:11 | Computer Name = Ulrika-dator | Source = DCOM | ID = 10010
Description =

Error - 2010-07-03 03:56:47 | Computer Name = Ulrika-dator | Source = Service Control Manager | ID = 7000
Description =


< End of report >


and a Malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Databasversion: 4269

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

2010-07-03 09:54:08
mbam-log-2010-07-03 (09-54-08).txt

Skanningstyp: Snabbskanning
Antal skannade objekt: 150044
Förfluten tid: 11 minut(er), 11 sekund(er)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 1
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 0

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop sms (Worm.P2P) -> Quarantined and deleted successfully.

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
(Inga illasinnade poster hittades)
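
The firewall rules list near the top of this post is something a helper normally checks during a cleanup like this one: every inbound per-application rule is an allow that outlives the program it was created for, and the "TCP Query User" / "UDP Query User" entries are the ones created by clicking Allow on the firewall prompt. As an added example, not code from this thread or from OTL, here is a small Python triage script that parses lines in that format and lists the inbound rules whose program lives somewhere a standard user can write to (user profiles, ProgramData, or a non-system drive), since those are the ones that merit a second look. The protocol table, the "protected directory" heuristic and the last sample line (marked constructed) are assumptions of the example; the other sample lines are copied from the rules posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA protocol numbers as they appear in the exported firewall rule strings.
PROTOCOLS = {"1": "ICMPv4", "6": "TCP", "17": "UDP", "58": "ICMPv6"}

# Each exported rule has the shape:  "<rule name>" = key=value | key=value | ... |
RULE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<body>.*)$')

# Locations a standard (non-admin) user cannot write to; everything else is treated as
# user-writable. This is a heuristic assumed for the example, not a real ACL check.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class FirewallRule:
    name: str
    protocol: str        # "TCP", "UDP", "ICMPv4", "ICMPv6", "any", or the raw number if unknown
    direction: str       # "in", "out", or "?" when the field is absent
    app: Optional[str]   # lower-cased program path; None for built-in (name=@firewallapi.dll) rules
    query_user: bool     # True when the rule was created by answering the firewall's prompt


def parse_rule(line: str) -> Optional[FirewallRule]:
    """Parse one exported rule line; return None for lines that are not rules."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("body").split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    proto = fields.get("protocol", "any")
    app = fields.get("app")
    return FirewallRule(
        name=m.group("name"),
        protocol=PROTOCOLS.get(proto, proto),
        direction=fields.get("dir", "?"),
        app=app.lower() if app else None,
        query_user="query user" in m.group("name").lower(),
    )


def is_user_writable(path: str) -> bool:
    """Heuristic: paths under C:\\Users, C:\\ProgramData, or on any other drive are user-writable."""
    p = path.lower()
    if p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\"):
        return True
    return not any(p.startswith(prefix) for prefix in PROTECTED_PREFIXES)


def review_inbound_rules(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (app, protocol, reason) for inbound per-application rules worth a second look,
    ordered so that prompt-created rules for user-writable programs come first."""
    rules = [r for r in map(parse_rule, lines) if r and r.direction == "in" and r.app]
    rules.sort(key=lambda r: (not is_user_writable(r.app), not r.query_user, r.app))
    findings = []
    for r in rules:
        if is_user_writable(r.app):
            reason = "inbound allow for a program in a user-writable location"
            if r.query_user:
                reason += " (created from the firewall prompt)"
            findings.append((r.app, r.protocol, reason))
    return findings


# Sample rules: the first five are copied from the firewall rules list posted in this
# thread, the last one is constructed for the example.
SAMPLE_RULES = [
    r'"{263B7E4E-D237-4241-8564-43CEB17182A1}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |',
    r'"{9078D6C3-6D62-4338-87DF-C2E3A535863D}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |',
    r'"{A984C585-375E-4488-B6DA-5E8131239A4C}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0-engb-downloader.exe |',
    r'"TCP Query User{775A584D-E560-440D-8794-CDC51BF9C728}E:\spel\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=e:\spel\world of warcraft\launcher.exe |',
    r'"TCP Query User{B7B18C33-E8CB-4246-A93F-04418786D666}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |',
    r'"{CONSTRUCTED-EXAMPLE-RULE}" = protocol=6 | dir=in | app=c:\users\anders\appdata\local\temp\updater.exe |',  # constructed
]

if __name__ == "__main__":
    for app, proto, reason in review_inbound_rules(SAMPLE_RULES):
        print(f"{proto:<4} {app}\n     {reason}")
```

The output is a worklist, not a verdict: a game launcher on a data drive is expected here, but the same check would surface an unfamiliar program under a temp folder that was allowed through the prompt.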

Dakeyras
2010-07-03, 13:35
Hi. :)


The laptop is very slow.. but it has been for a while.
Otherwise no big problems.

OK, no problem and we can address this in due course.


I think it can be like you said they came from the backup email.. the backup is a hotmail account.. is that safe enough? I have changed that account's pass and questions as well.

Hotmail is fine to use, and as long as you have used a strong password as I mentioned prior, the secret question is not something obvious and the answer pertaining to it is completely random, it should be fine.


That link you gave me helped, I have changed the pass for my router and added the best encryption I know works.

Good. I use a wireless router myself and you would be surprised how many individuals in my locale used an unprotected network, it is very unsafe to say the least. Plus when I do not need the wireless mode I deactivate it as my main machine is connected directly to the router.

Did you also set a Pre-shared Key (PSK) password so no machine can join your wireless network without such?

Next:

Now please go to Start >> Control Panel >> Programs and Features and remove the following (if present):

DAEMON Tools Toolbar
Spybot - Search & Destroy <-- This may be reinstalled when I give the all clear.
Java(TM) SE Runtime Environment 6
LiveUpdate 3.2 (Symantec Corporation)

To do so click once on each of the above and click on Uninstall/Change and follow the prompts.

Next:

Please download DeFogger (http://www.jpshortstuff.247fixes.com/Defogger.exe) to your desktop.

Right click DeFogger and select Run as Administrator to run the tool.


The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.


Please go here (http://www.aumha.org/downloads/erunt-setup.exe) and download ERUNT.
ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
Right-click on erunt-setup.exe and select Run as Administrator to Install ERUNT by following the prompts.
Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder.
Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
Make sure that at least the first two check boxes are selected.
Click on OK
Then click on YES to create the folder.
Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Custom OTL Script:

Right-click OTL.exe and select Run as Administrator to start the program.
Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:OTL
SRV - (LiveUpdate Notice Ex) -- File not found
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE (Symantec Corporation)
O4 - HKLM..\Run: [HWSetup] File not found
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [Symantec PIF AlertEng] C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-2002946825-3677852132-797418189-1001..\Run: [TOSCDSPD] File not found
O9 - Extra Button: Tradera - Köp och sälj - {76577871-04EC-495E-A12B-91F7C3600AFA} - File not found
O9 - Extra Button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - File not found
O16 - DPF: {3B36B017-7E49-426B-95B0-B5CECD83C2E2} http://fika-web.ifolor.net/OrderingG...oader_fika.cab (IfolorUploader Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
O33 - MountPoints2\{84f7d4ee-306b-11df-97b8-001b383fab7f}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O33 - MountPoints2\{84f7d4fd-306b-11df-97b8-001b383fab7f}\Shell - "" = AutoRun
O33 - MountPoints2\{84f7d4fd-306b-11df-97b8-001b383fab7f}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
[2010-07-02 18:05:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2010-07-02 18:05:37 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2010-07-02 18:05:37 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2010-07-02 18:00:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010-07-02 18:00:14 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010-06-09 20:48:29 | 000,000,000 | ---D | C] -- C:\ProgramData\BanzaiInteractive
[2010-06-09 11:28:32 | 000,090,112 | ---- | C] (MindVision Software) -- C:\Windows\unvise32.exe
[2010-07-02 18:57:24 | 000,000,560 | -H-- | M] () -- C:\Windows\tasks\Norton Security Scan for Anders.job
[2010-07-02 18:06:29 | 000,001,353 | ---- | M] () -- C:\Users\Public\Desktop\Norton Security Scan.lnk
[2010-07-02 18:00:22 | 000,001,060 | ---- | M] () -- C:\Users\Anders\Desktop\Spybot - Search & Destroy.lnk
@Alternate Data Stream - 100 bytes -> C:\ProgramData\TEMP:949483BD

:Files
C:\Program Files\DAEMON Tools Lite

:Commands
[Purity]
[ResetHosts]
[EmptyTemp]
[Reboot]

Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
Then click the red Run Fix button.
Let the program run unhindered.
If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Note: The logfile can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes the date/time the log was created.

Scan with GMER:

Please download GMER Rootkit Scanner from here (http://www.gmer.net/download.php).

Right-click on the .exe file and select Run as Administrator. If asked to allow the gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO

http://i28.photobucket.com/albums/c227/tetonbob/gmer_th.gif (http://i28.photobucket.com/albums/c227/tetonbob/gmer_screen2-1.gif)
In the right panel, you will see several boxes that have been checked. Uncheck the following ...

IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button & wait for it to finish
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Note: Do not run any programs while Gmer is running.

When completed the above, please post back the following:

Inform me how your girlfriend's computer is running. Any problems encountered?
OTL Log.
GMER Log.
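
The custom OTL script in the post above is pasted as plain text, and OTL stops at anything it cannot parse: a directive in the :Commands section must stand alone on its line as [Name], and a file entry copied from an OTL log must keep its opening "[". The "Unable to interpret <[Reboot]Return to OTL..." error in derarne's OTL log later in this thread is what happens when the instruction after the codebox gets copied along with the script. As an added example, not part of this thread or of OTL itself, the Python linter below checks a script for those two mistakes before it is run. The section and directive names are the ones used in the script above plus a few other commonly seen ones and are assumed, as is the entry-line pattern, which is inferred from the script rather than taken from OTL's documentation.

```python
import re
from typing import List, Tuple

# Section headers and directives as used in the script above plus a few other common
# ones; these names are assumed for the example and are not OTL's own definition.
KNOWN_SECTIONS = {":otl", ":files", ":commands", ":services", ":reg", ":processes"}
KNOWN_DIRECTIVES = {"purity", "emptytemp", "emptyflash", "emptyjava", "resethosts",
                    "reboot", "createrestorepoint", "clearallrestorepoints"}

# A directive must be the only thing on its line: "[Name]" with nothing after the bracket.
DIRECTIVE_RE = re.compile(r"^\[([A-Za-z ]+)\]$")
# A file/folder entry copied from an OTL log, as it looks when the opening "[" has been lost:
#   2010-07-02 18:00:22 | 000,001,060 | ---- | M] () -- C:\path
ENTRY_WITHOUT_BRACKET_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \| [\d,]+ \| [-A-Z]{4} \| [CM]\] (?:\([^)]*\) )?-- ")
# :Files entries are absolute paths (drive letter) or start with an environment variable.
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%)")


def lint_otl_script(text: str) -> List[Tuple[int, str]]:
    """Return (line number, problem) pairs for a fix script; an empty list means it looks clean."""
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            section = line.lower()
            if section not in KNOWN_SECTIONS:
                findings.append((lineno, f"unknown section header {line!r}"))
            continue
        if section is None:
            findings.append((lineno, "item appears before any section header such as :OTL"))
        elif section == ":commands":
            m = DIRECTIVE_RE.match(line)
            if m is None:
                findings.append((lineno, f"cannot interpret {line!r}: a directive must stand alone as [Name]"))
            elif m.group(1).replace(" ", "").lower() not in KNOWN_DIRECTIVES:
                findings.append((lineno, f"unknown directive {line!r}"))
        elif section == ":otl":
            if ENTRY_WITHOUT_BRACKET_RE.match(line):
                findings.append((lineno, f"file entry is missing its opening '[': {line[:30]!r}..."))
        elif section == ":files":
            if not ABS_PATH_RE.match(line):
                findings.append((lineno, f"expected an absolute path or %variable% in :Files, got {line!r}"))
    return findings


# A fragment of the script above, first as it was pasted (the [Reboot] line ran straight
# into the instruction that followed it, and one file entry lost its "["), then in the
# shape OTL expects.
AS_PASTED = r""":OTL
SRV - (LiveUpdate Notice Ex) -- File not found
O4 - HKLM..\Run: [HWSetup] File not found
[2010-07-02 18:05:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
2010-07-02 18:00:22 | 000,001,060 | ---- | M] () -- C:\Users\Anders\Desktop\Spybot - Search & Destroy.lnk
@Alternate Data Stream - 100 bytes -> C:\ProgramData\TEMP:949483BD

:Files
C:\Program Files\DAEMON Tools Lite

:Commands
[Purity]
[ResetHosts]
[EmptyTemp]
[Reboot]Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
"""

CORRECTED = AS_PASTED.replace(
    "\n2010-07-02 18:00:22", "\n[2010-07-02 18:00:22").replace(
    "[Reboot]Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.",
    "[Reboot]")

if __name__ == "__main__":
    for lineno, problem in lint_otl_script(AS_PASTED):
        print(f"line {lineno}: {problem}")
    print("corrected script problems:", lint_otl_script(CORRECTED))
```

Running the linter on a script before pasting it into OTL costs nothing and catches exactly the copy-and-paste mistakes a forum exchange tends to produce; an empty result does not mean the fix itself is right, only that OTL will be able to read it.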

derarne
2010-07-03, 16:02
Hi again!


Yes I reset the password you need to log into the router as well.

I uninstalled the programs you said..

I got this log from defogger:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 13:35 on 03/07/2010 (Anders)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
HKCU:DAEMON Tools Lite -> Removed

Checking for services/drivers...
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)


-=E.O.F=-


I saved the registry and ran the OTL fix..

The computer seems ok.. it is already a bit faster.

Here is the OTL log:

All processes killed
========== OTL ==========
Error: No service named LiveUpdate Notice Ex was found to stop!
Service\Driver key LiveUpdate Notice Ex not found.
File File not found not found.
Error: No service named LiveUpdate was found to stop!
Service\Driver key LiveUpdate not found.
File C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\HWSetup not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NDSTray.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Symantec PIF AlertEng not found.
File C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe not found.
Registry value HKEY_USERS\S-1-5-21-2002946825-3677852132-797418189-1001\Software\Microsoft\Windows\CurrentVersion\Run\\TOSCDSPD not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{76577871-04EC-495E-A12B-91F7C3600AFA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76577871-04EC-495E-A12B-91F7C3600AFA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{8A918C1D-E123-4E36-B562-5C1519E434CE}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A918C1D-E123-4E36-B562-5C1519E434CE}\ not found.
Starting removal of ActiveX control {3B36B017-7E49-426B-95B0-B5CECD83C2E2}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{3B36B017-7E49-426B-95B0-B5CECD83C2E2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B36B017-7E49-426B-95B0-B5CECD83C2E2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3B36B017-7E49-426B-95B0-B5CECD83C2E2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B36B017-7E49-426B-95B0-B5CECD83C2E2}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{84f7d4ee-306b-11df-97b8-001b383fab7f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84f7d4ee-306b-11df-97b8-001b383fab7f}\ not found.
File G:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{84f7d4fd-306b-11df-97b8-001b383fab7f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84f7d4fd-306b-11df-97b8-001b383fab7f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{84f7d4fd-306b-11df-97b8-001b383fab7f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84f7d4fd-306b-11df-97b8-001b383fab7f}\ not found.
File G:\AutoRun.exe not found.
Folder C:\ProgramData\Norton\ not found.
Folder C:\ProgramData\NortonInstaller\ not found.
Folder C:\Program Files\NortonInstaller\ not found.
Folder C:\ProgramData\Spybot - Search & Destroy\ not found.
Folder C:\Program Files\Spybot - Search & Destroy\ not found.
Folder C:\ProgramData\BanzaiInteractive\ not found.
File C:\Windows\unvise32.exe not found.
File C:\Windows\tasks\Norton Security Scan for Anders.job not found.
File C:\Users\Public\Desktop\Norton Security Scan.lnk not found.
Unable to delete ADS C:\ProgramData\TEMP:949483BD .
========== FILES ==========
File\Folder C:\Program Files\DAEMON Tools Lite not found.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Anders
->Temp folder emptied: 152557 bytes
->Temporary Internet Files folder emptied: 4813749 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Gabriel
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 283094218 bytes
->Java cache emptied: 37606889 bytes
->Flash cache emptied: 62814 bytes

User: Public

User: Ulrika
->Temp folder emptied: 1773391166 bytes
->Temporary Internet Files folder emptied: 1315520988 bytes
->Java cache emptied: 50872974 bytes
->Flash cache emptied: 58228 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66106 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 3 305,00 mb

Error: Unable to interpret <[Reboot]Return to OTL, right-click in the Custom Scans/Fixes window (under the > in the current context!

OTL by OldTimer - Version 3.2.7.0 log created on 07032010_140049

Files\Folders moved on Reboot...
C:\Users\Anders\AppData\Local\Temp\Low\Google Toolbar\GoogleToolbarWelcome.log moved successfully.
File\Folder C:\Users\Anders\AppData\Local\Temp\~DF221D.tmp not found!
File\Folder C:\Users\Anders\AppData\Local\Temp\~DF222C.tmp not found!
File\Folder C:\Users\Anders\AppData\Local\Temp\~DF228B.tmp not found!
File\Folder C:\Users\Anders\AppData\Local\Temp\~DF229A.tmp not found!
File\Folder C:\Users\Anders\AppData\Local\Temp\~DF22D9.tmp not found!
File\Folder C:\Users\Anders\AppData\Local\Temp\~DF22E8.tmp not found!
C:\Users\Anders\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BD2JGTFM\showthread[1].htm moved successfully.
C:\Users\Anders\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File move failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...


And the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-03 14:48:02
Windows 6.0.6002 Service Pack 2
Running: kbw31mtj.exe; Driver: C:\Users\Anders\AppData\Local\Temp\pwtdqpog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x88159000, 0x4036D, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x881A2000, 0x510, 0x40000040]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe[3004] ntdll.dll!DbgBreakPoint 770A8B2E 1 Byte [90]
.text C:\Program Files\Internet Explorer\iexplore.exe[4300] USER32.dll!CreateWindowExW 76091305 5 Bytes JMP 6AE2DB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4300] USER32.dll!DialogBoxParamW 760B10B0 5 Bytes JMP 6AD554C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4300] USER32.dll!DialogBoxIndirectParamW 760B2EF5 5 Bytes JMP 6AF2480F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4300] USER32.dll!DialogBoxParamA 760C8152 5 Bytes JMP 6AF247AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4300] USER32.dll!DialogBoxIndirectParamA 760C847D 5 Bytes JMP 6AF24872 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4300] USER32.dll!MessageBoxIndirectA 760DD4D9 5 Bytes JMP 6AF24741 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4300] USER32.dll!MessageBoxIndirectW 760DD5D3 5 Bytes JMP 6AF246D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4300] USER32.dll!MessageBoxExA 760DD639 5 Bytes JMP 6AF24674 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4300] USER32.dll!MessageBoxExW 760DD65D 5 Bytes JMP 6AF24612 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!CreateDialogParamW 760872A2 5 Bytes JMP 6AE2DEA8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!GetAsyncKeyState 7608863C 5 Bytes JMP 6AD48EFF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!SetWindowsHookExW 760887AD 5 Bytes JMP 6AE29AC9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!CallNextHookEx 76088E3B 5 Bytes JMP 6AE1D0ED C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!UnhookWindowsHookEx 760898DB 5 Bytes JMP 6AD9467C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!EnableWindow 7608CD8B 5 Bytes JMP 6AE2DD35 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!CreateWindowExW 76091305 5 Bytes JMP 6AE2DB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!GetKeyState 76098CB1 5 Bytes JMP 6AE2D2E3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!IsDialogMessageW 760A0745 5 Bytes JMP 6AD559D7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!CreateDialogParamA 760A17AA 5 Bytes JMP 6AF2547B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!IsDialogMessage 760A1847 5 Bytes JMP 6AF24D17 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!CreateDialogIndirectParamA 760A26F1 5 Bytes JMP 6AF254B2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!CreateDialogIndirectParamW 760A9A62 5 Bytes JMP 6AF254E9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!SetKeyboardState 760B0987 5 Bytes JMP 6AF25086 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!DialogBoxParamW 760B10B0 5 Bytes JMP 6AD554C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!DialogBoxIndirectParamW 760B2EF5 5 Bytes JMP 6AF2480F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!SendInput 760B2F75 5 Bytes JMP 6AF25C43 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!EndDialog 760B326E 5 Bytes JMP 6AD57E7E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!SetCursorPos 760C6FB2 5 Bytes JMP 6AF25C97 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!DialogBoxParamA 760C8152 5 Bytes JMP 6AF247AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!DialogBoxIndirectParamA 760C847D 5 Bytes JMP 6AF24872 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!MessageBoxIndirectA 760DD4D9 5 Bytes JMP 6AF24741 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!MessageBoxIndirectW 760DD5D3 5 Bytes JMP 6AF246D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!MessageBoxExA 760DD639 5 Bytes JMP 6AF24674 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!MessageBoxExW 760DD65D 5 Bytes JMP 6AF24612 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] USER32.dll!keybd_event 760DD972 5 Bytes JMP 6AF25FC7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] SHELL32.dll!SHRestricted + D95 761A8988 4 Bytes [4D, 30, 6A, 63] {DEC EBP; XOR [EDX+0x63], CH}
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] SHELL32.dll!SHRestricted + D9D 761A8990 8 Bytes [57, 2F, 6A, 63, 9C, 5B, 69, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] ole32.dll!OleLoadFromStream 759D1E12 5 Bytes JMP 6AF24B77 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4400] ole32.dll!CoCreateInstance 75A09EA6 5 Bytes JMP 6AE2DB78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x89 0x0C 0xE5 0xA6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDE 0x47 0x58 0xB4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x68 0xD6 0x98 0x44 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x89 0x0C 0xE5 0xA6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDE 0x47 0x58 0xB4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x68 0xD6 0x98 0x44 ...

---- EOF - GMER 1.0.15 ----

Ok..

Have a nice day..

Best Regards DerArne

Dakeyras
2010-07-03, 21:55
Hi. :)

Check Hard Disk For Errors:


Open Notepad.
Copy and Paste everything from the Code Box below into Notepad: <-- Start(Vista Orb) >> Run... (or depress the Windows and R key together) type in notepad and select OK

@Echo off
cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"
del %0
Go to File >> Save As
Save File name as "Dakeyras.bat" <-- Make sure to include the quotes.
Change Save as Type to All Files and save the file to your Desktop.
It should look similar to this: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/vista-rh.gif


Now right-click on the desktop Dakeyras.bat and select Run as Administrator to run the batch file. It will self-delete when completed.

A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file in your next reply.

Reset Vista SP2 Firewall:

Click on Start(Vista Orb) >> Run... and cut/paste in the following and click on OK

firewall.cpl

Or Start(Vista Orb) >> Control Panel >> Windows Firewall

Click on the Change Settings >> Advanced >> Restore Defaults >> At the prompt click on Yes >> OK

Now click back on Change Settings again >> General >> and select On(recommended) >> Apply >> OK.

When you have completed the above, please post back the following:

checkhd.txt.
A new OTL Log. <-- Only one log will be produced this time.
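The same two steps, as an added PowerShell example (this is not Dakeyras's batch file and not part of the original post). It assumes Windows PowerShell 2.0 is installed (an optional install on Vista) and that the console is started with "Run as administrator"; `netsh advfirewall` is a standard component from Vista on. The only name it introduces is the `$LogPath` variable.

```powershell
# Added example, not the original batch file: read-only CHKDSK log plus
# firewall reset from an elevated PowerShell prompt (assumes PowerShell 2.0
# on Vista SP2 or later).

# Both chkdsk on the system drive and a firewall reset need elevation,
# so refuse to continue otherwise instead of failing half-way through.
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
if (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "Start PowerShell with 'Run as administrator' and run this again."
    exit 1
}

# 1. Read-only check of C: (no /F, so nothing is changed on disk), keeping
#    everything except the progress lines. English chkdsk prints 'percent',
#    the Swedish build prints 'procent'; filter both.
$LogPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'checkhd.txt'   # assumed location
chkdsk C: 2>&1 |
    Select-String -NotMatch 'percent|procent' |
    ForEach-Object { $_.Line } |
    Out-File -FilePath $LogPath -Encoding UTF8
Write-Host "CHKDSK log written to $LogPath"

# 2. Restore the firewall defaults, then make sure it is switched on for
#    every profile (reset alone does not guarantee the 'On' state).
netsh advfirewall reset | Out-Null
netsh advfirewall set allprofiles state on | Out-Null

# 3. Verify: each profile should report "State ON".
netsh advfirewall show allprofiles state
```

Two things worth knowing before running it: `netsh advfirewall reset` discards every custom rule and program exception, so applications that were allowed through will prompt again. And because PowerShell decodes chkdsk's console output with the OEM code page before writing the file as UTF-8, the Swedish ä/ö/å come out intact in Notepad, instead of the garbled characters a plain `>>` redirect from a batch file produces.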

derarne
2010-07-03, 23:50
Hi!

First, you've got a thanks coming from my girlfriend, hehe..
The computer is starting much faster now.

I reset the firewall.

Here are the 2 new logs:

Sorry for the first one being in Swedish, I don't know how to get it in English..

Filsystemet är av typen NTFS.
Volymetiketten är Vista.

Varning! Parametern /F har inte angetts.
CHKDSK körs i skrivskyddat läge.

CHKDSK verifierar filer (steg 1 av 3)...
0 procent klart. (0 av 194112 filposter har behandlats)
0 procent klart. (1807 av 194112 filposter har behandlats)
0 procent klart. (4225 av 194112 filposter har behandlats)
0 procent klart. (8868 av 194112 filposter har behandlats)
1 procent klart. (19412 av 194112 filposter har behandlats)
1 procent klart. (36070 av 194112 filposter har behandlats)
2 procent klart. (38823 av 194112 filposter har behandlats)
2 procent klart. (40070 av 194112 filposter har behandlats)
3 procent klart. (58234 av 194112 filposter har behandlats)
3 procent klart. (75009 av 194112 filposter har behandlats)
4 procent klart. (77645 av 194112 filposter har behandlats)
4 procent klart. (92673 av 194112 filposter har behandlats)
5 procent klart. (97056 av 194112 filposter har behandlats)
6 procent klart. (116468 av 194112 filposter har behandlats)
6 procent klart. (129822 av 194112 filposter har behandlats)
6 procent klart. (135200 av 194112 filposter har behandlats)
7 procent klart. (135879 av 194112 filposter har behandlats)
7 procent klart. (149991 av 194112 filposter har behandlats)
7 procent klart. (155265 av 194112 filposter har behandlats)
8 procent klart. (155290 av 194112 filposter har behandlats)
8 procent klart. (163585 av 194112 filposter har behandlats)
9 procent klart. (174701 av 194112 filposter har behandlats)
9 procent klart. (187496 av 194112 filposter har behandlats)
194112 filposter har behandlats.

Filverifieringen är klar.
906 stora filposter har behandlats.

0 skadade filposter har behandlats.

0 EA-poster har behandlats.

101 referensposter har behandlats.

CHKDSK verifierar index (steg 2 av 3)...
10 procent klart. (1808 av 247552 indexposter har behandlats)
11 procent klart. (5055 av 247552 indexposter har behandlats)
12 procent klart. (10446 av 247552 indexposter har behandlats)
13 procent klart. (15837 av 247552 indexposter har behandlats)
14 procent klart. (21227 av 247552 indexposter har behandlats)
15 procent klart. (26618 av 247552 indexposter har behandlats)
16 procent klart. (32008 av 247552 indexposter har behandlats)
16 procent klart. (37040 av 247552 indexposter har behandlats)
17 procent klart. (37399 av 247552 indexposter har behandlats)
17 procent klart. (39686 av 247552 indexposter har behandlats)
18 procent klart. (42790 av 247552 indexposter har behandlats)
19 procent klart. (48180 av 247552 indexposter har behandlats)
20 procent klart. (53571 av 247552 indexposter har behandlats)
21 procent klart. (58962 av 247552 indexposter har behandlats)
22 procent klart. (64352 av 247552 indexposter har behandlats)
23 procent klart. (69743 av 247552 indexposter har behandlats)
24 procent klart. (75133 av 247552 indexposter har behandlats)
25 procent klart. (80524 av 247552 indexposter har behandlats)
26 procent klart. (85915 av 247552 indexposter har behandlats)
27 procent klart. (91305 av 247552 indexposter har behandlats)
28 procent klart. (96696 av 247552 indexposter har behandlats)
29 procent klart. (102086 av 247552 indexposter har behandlats)
30 procent klart. (107477 av 247552 indexposter har behandlats)
31 procent klart. (112868 av 247552 indexposter har behandlats)
32 procent klart. (118258 av 247552 indexposter har behandlats)
33 procent klart. (123649 av 247552 indexposter har behandlats)
34 procent klart. (129039 av 247552 indexposter har behandlats)
34 procent klart. (133506 av 247552 indexposter har behandlats)
35 procent klart. (134430 av 247552 indexposter har behandlats)
36 procent klart. (139821 av 247552 indexposter har behandlats)
37 procent klart. (145211 av 247552 indexposter har behandlats)
38 procent klart. (150602 av 247552 indexposter har behandlats)
39 procent klart. (155992 av 247552 indexposter har behandlats)
40 procent klart. (161383 av 247552 indexposter har behandlats)
41 procent klart. (166774 av 247552 indexposter har behandlats)
42 procent klart. (172164 av 247552 indexposter har behandlats)
43 procent klart. (177555 av 247552 indexposter har behandlats)
44 procent klart. (182945 av 247552 indexposter har behandlats)
45 procent klart. (188336 av 247552 indexposter har behandlats)
46 procent klart. (193727 av 247552 indexposter har behandlats)
46 procent klart. (194115 av 247552 indexposter har behandlats)
46 procent klart. (194123 av 247552 indexposter har behandlats)
46 procent klart. (194311 av 247552 indexposter har behandlats)
46 procent klart. (194427 av 247552 indexposter har behandlats)
46 procent klart. (194600 av 247552 indexposter har behandlats)
46 procent klart. (194998 av 247552 indexposter har behandlats)
46 procent klart. (195122 av 247552 indexposter har behandlats)
46 procent klart. (195445 av 247552 indexposter har behandlats)
46 procent klart. (195719 av 247552 indexposter har behandlats)
46 procent klart. (196377 av 247552 indexposter har behandlats)
46 procent klart. (196688 av 247552 indexposter har behandlats)
46 procent klart. (196824 av 247552 indexposter har behandlats)
46 procent klart. (196943 av 247552 indexposter har behandlats)
46 procent klart. (197210 av 247552 indexposter har behandlats)
46 procent klart. (197268 av 247552 indexposter har behandlats)
46 procent klart. (197380 av 247552 indexposter har behandlats)
46 procent klart. (197467 av 247552 indexposter har behandlats)
46 procent klart. (197617 av 247552 indexposter har behandlats)
46 procent klart. (197694 av 247552 indexposter har behandlats)
46 procent klart. (197744 av 247552 indexposter har behandlats)
46 procent klart. (197748 av 247552 indexposter har behandlats)
46 procent klart. (198380 av 247552 indexposter har behandlats)
46 procent klart. (199050 Indexverifieringen är klar.
0 oindexerade filer har behandlats.

CHKDSK verifierar säkerhetsbeskrivare (steg 3 av 3)...
55 procent klart. (0 av 194112 beskrivare har behandlats)
56 procent klart. (241 av 194112 beskrivare har behandlats)
56 procent klart. (12033 av 194112 beskrivare har behandlats)
57 procent klart. (16413 av 194112 beskrivare har behandlats)
58 procent klart. (32585 av 194112 beskrivare har behandlats)
59 procent klart. (48757 av 194112 beskrivare har behandlats)
60 procent klart. (64929 av 194112 beskrivare har behandlats)
61 procent klart. (81100 av 194112 beskrivare har behandlats)
62 procent klart. (97272 av 194112 beskrivare har behandlats)
63 procent klart. (113444 av 194112 beskrivare har behandlats)
64 procent klart. (129616 av 194112 beskrivare har behandlats)
65 procent klart. (145788 av 194112 beskrivare har behandlats)
66 procent klart. (161960 av 194112 beskrivare har behandlats)
67 procent klart. (178131 av 194112 beskrivare har behandlats)
194112 säkerhetsbeskrivare har behandlats.

Verifieringen av säkerhetsbeskrivare är klar.
26721 datafiler har behandlats.

CHKDSK verifierar USN-journalen...
99 procent klart. (0 av 34281320 USN-byte har behandlats)
99 procent klart. (11997184 av 34281320 USN-byte har behandlats)
99 procent klart. (22142976 av 34281320 USN-byte har behandlats)
99 procent klart. (30871552 av 34281320 USN-byte har behandlats)
100 procent klart. (34275328 av 34281320 USN-byte har behandlats)
34281320 USN-byte har behandlats.

Verifieringen av USN-journalen är klar.
Filsystemet har kontrollerats. Inga problem påträffades.

78144511 kB diskutrymme totalt.
49700960 kB i 120831 filer.
68432 kB i 26722 index.
0 kB i skadade sektorer.
308587 kB används av operativsystemet.
65536 kB hårddisksutrymme används av loggfilen.
28066532 kB ledigt utrymme.

4096 byte i varje allokeringsenhet.
19536127 allokeringsenheter finns totalt på disken.
7016633 allokeringsenheter är tillgängliga på disken.


And the OTL log:

OTL logfile created on: 2010-07-03 22:42:33 - Run 2
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Users\Anders\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 0000041D | Country: Sverige | Language: SVE | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 55,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 69,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74,52 Gb Total Space | 27,91 Gb Free Space | 37,45% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 73,06 Gb Total Space | 37,99 Gb Free Space | 52,00% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ULRIKA-DATOR
Current User Name: Anders
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Anders\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe (Google Inc.)
PRC - C:\Program Files\Net iD\iid.exe (SecMaker AB)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\conime.exe (Microsoft Corporation)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Synaptics\SynTP\SynToshiba.exe (Synaptics, Inc.)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG)
PRC - C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
PRC - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
PRC - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe (TOSHIBA Corporation)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe ()
PRC - C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony)
PRC - C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe (TOSHIBA)
PRC - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe (TOSHIBA Corporation)
PRC - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
PRC - c:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe (TOSHIBA CORPORATION)
PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
PRC - C:\Program Files\TOSHIBA\Utilities\KeNotify.exe ()
PRC - C:\Windows\System32\agrsmsvc.exe (Agere Systems)
PRC - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc.)
PRC - C:\Windows\System32\TODDSrv.exe (TOSHIBA Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Anders\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (LiveUpdate Notice Service) -- File not found
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (aswUpdSv) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (fsssvc) -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (TNaviSrv) -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe (TOSHIBA Corporation)
SRV - (TosCoSrv) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe (TOSHIBA Corporation)
SRV - (TOSHIBA Bluetooth Service) -- c:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe (TOSHIBA CORPORATION)
SRV - (CFSvcs) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
SRV - (AgereModemAudio) -- C:\Windows\System32\agrsmsvc.exe (Agere Systems)
SRV - (UleadBurningHelper) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc.)
SRV - (TODDSrv) -- C:\Windows\System32\TODDSrv.exe (TOSHIBA Corporation)


========== Driver Services (SafeList) ==========

DRV - (aswTdi) -- C:\Windows\System32\drivers\aswTdi.sys (ALWIL Software)
DRV - (aswRdr) -- C:\Windows\System32\drivers\aswRdr.sys (ALWIL Software)
DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswFsBlk) -- C:\Windows\System32\drivers\aswFsBlk.sys (ALWIL Software)
DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (ALWIL Software)
DRV - (fssfltr) -- C:\Windows\System32\drivers\fssfltr.sys (Microsoft Corporation)
DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys (Duplex Secure Ltd.)
DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)
DRV - (SynTP) -- C:\Windows\System32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (TVALZ) -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS (TOSHIBA Corporation)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (tos_sps32) -- C:\Windows\system32\DRIVERS\tos_sps32.sys (TOSHIBA Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (UVCFTR) -- C:\Windows\System32\drivers\UVCFTR_S.SYS (Chicony Electronics Co., Ltd.)
DRV - (Tosrfhid) -- C:\Windows\System32\drivers\Tosrfhid.sys (TOSHIBA Corporation.)
DRV - (Tosrfusb) -- C:\Windows\System32\drivers\tosrfusb.sys (TOSHIBA CORPORATION)
DRV - (tosrfbd) -- C:\Windows\System32\drivers\tosrfbd.sys (TOSHIBA CORPORATION)
DRV - (tifm21) -- C:\Windows\System32\drivers\tifm21.sys (Texas Instruments)
DRV - (KR10N) -- C:\Windows\system32\drivers\kr10n.sys (TOSHIBA CORPORATION)
DRV - (KR10I) -- C:\Windows\system32\drivers\kr10i.sys (TOSHIBA CORPORATION)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (tosrfec) -- C:\Windows\System32\drivers\tosrfec.sys (TOSHIBA Corporation)
DRV - (tdcmdpst) -- C:\Windows\System32\drivers\tdcmdpst.sys (TOSHIBA Corporation.)
DRV - (LPCFilter) -- C:\Windows\system32\DRIVERS\LPCFilter.sys (COMPAL ELECTRONIC INC.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2002946825-3677852132-797418189-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
IE - HKU\S-1-5-21-2002946825-3677852132-797418189-1001\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2002946825-3677852132-797418189-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010-07-03 14:00:51 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Länkhjälp till Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-2002946825-3677852132-797418189-1001\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony)
O4 - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe ()
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [Net iD] C:\Program Files\Net iD\iid.exe (SecMaker AB)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe File not found
O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (TOSHIBA)
O4 - HKLM..\Run: [Toshiba Registration] C:\Program Files\TOSHIBA\Registration\ToshibaRegistration.exe (Toshiba)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2002946825-3677852132-797418189-1001..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG)
O4 - HKU\S-1-5-21-2002946825-3677852132-797418189-1001..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Users\Ulrika\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w2/resources/VistaMSNPUpldsv-se.cab (MSN Photo Upload Tool)
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://www.fujidirekt.se/aurigma/ImageUploader5.cab (Image Uploader Control)
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} http://www.fujidirekt.se/aurigma/ImageUploader4.cab (Image Uploader Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} http://game03.zylom.com/activex/zylomgamesplayer.cab (Zylom Games Player)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUpldsv-se.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} http://www.fujidirekt.se/aurigma2/ImageUploader4.cab (Image Uploader Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img35.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img35.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006-09-18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010-07-03 13:46:09 | 000,000,000 | ---D | C] -- C:\_OTL
[2010-07-03 13:44:29 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010-07-03 13:43:11 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010-07-03 13:42:14 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Users\Anders\erunt-setup.exe
[2010-07-03 10:03:36 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Users\Anders\Desktop\OTL.exe
[2010-07-03 09:40:34 | 000,000,000 | ---D | C] -- C:\Users\Anders\AppData\Roaming\Malwarebytes
[2010-07-03 09:40:26 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010-07-03 09:40:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010-07-03 09:40:24 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010-07-03 09:40:23 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010-07-02 18:06:26 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NSS
[2010-07-02 18:06:26 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NSS\0207000.034
[2010-07-02 15:26:17 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010-07-01 20:26:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Artifex Mundi
[2010-06-29 20:20:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Kristanix Games
[2010-06-26 20:08:14 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll
[2010-06-26 20:08:13 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2010-06-26 20:08:13 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll
[2010-06-26 19:24:31 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[2010-06-26 19:24:31 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2010-06-21 21:31:48 | 000,000,000 | ---D | C] -- C:\ProgramData\The Mirror Mysteries
[2010-06-14 13:17:32 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\asycfilt.dll
[2010-06-14 13:17:02 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010-06-14 13:17:02 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010-06-14 13:17:01 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010-06-14 13:17:01 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010-06-14 13:17:00 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010-06-14 13:17:00 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010-06-14 13:17:00 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010-06-14 13:17:00 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010-06-14 13:17:00 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010-06-14 13:17:00 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010-06-14 13:17:00 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010-06-14 13:17:00 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010-06-14 13:17:00 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010-06-14 13:16:59 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010-06-14 13:16:59 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2010-06-14 13:16:47 | 000,289,792 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2010-06-14 13:16:47 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2010-06-14 13:16:38 | 002,037,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2010-06-09 11:26:28 | 000,000,000 | ---D | C] -- C:\Program Files\Josefin - Expedition Sverige
[2010-06-08 20:18:59 | 000,000,000 | ---D | C] -- C:\ProgramData\rionix
[2010-06-07 18:04:42 | 000,000,000 | ---D | C] -- C:\ProgramData\GOA

========== Files - Modified Within 30 Days ==========

[2010-07-03 22:42:20 | 005,505,024 | -HS- | M] () -- C:\Users\Anders\NTUSER.DAT
[2010-07-03 22:30:20 | 000,000,934 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010-07-03 22:30:18 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010-07-03 22:30:14 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010-07-03 22:30:14 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010-07-03 22:30:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010-07-03 22:29:59 | 2145,435,648 | -HS- | M] () -- C:\hiberfil.sys
[2010-07-03 15:02:39 | 000,524,288 | -HS- | M] () -- C:\Users\Anders\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010-07-03 15:02:39 | 000,065,536 | -HS- | M] () -- C:\Users\Anders\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010-07-03 15:02:32 | 003,236,098 | -H-- | M] () -- C:\Users\Anders\AppData\Local\IconCache.db
[2010-07-03 14:15:02 | 000,000,938 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010-07-03 14:14:55 | 000,293,376 | ---- | M] () -- C:\Users\Anders\kbw31mtj.exe
[2010-07-03 14:00:51 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2010-07-03 13:43:11 | 000,000,698 | ---- | M] () -- C:\Users\Anders\Desktop\NTREGOPT.lnk
[2010-07-03 13:43:11 | 000,000,679 | ---- | M] () -- C:\Users\Anders\Desktop\ERUNT.lnk
[2010-07-03 13:42:21 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Users\Anders\erunt-setup.exe
[2010-07-03 13:36:16 | 000,000,176 | ---- | M] () -- C:\Users\Anders\defogger_reenable
[2010-07-03 13:35:23 | 000,050,477 | ---- | M] () -- C:\Users\Anders\Desktop\Defogger.exe
[2010-07-03 10:03:43 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Anders\Desktop\OTL.exe
[2010-07-03 09:40:29 | 000,000,783 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010-07-02 18:06:26 | 000,000,172 | ---- | M] () -- C:\Windows\System32\drivers\NSS\0207000.034\isolate.ini
[2010-06-16 22:14:47 | 000,315,752 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2010-07-03 14:14:52 | 000,293,376 | ---- | C] () -- C:\Users\Anders\kbw31mtj.exe
[2010-07-03 13:43:11 | 000,000,698 | ---- | C] () -- C:\Users\Anders\Desktop\NTREGOPT.lnk
[2010-07-03 13:43:11 | 000,000,679 | ---- | C] () -- C:\Users\Anders\Desktop\ERUNT.lnk
[2010-07-03 13:35:51 | 000,000,176 | ---- | C] () -- C:\Users\Anders\defogger_reenable
[2010-07-03 13:35:22 | 000,050,477 | ---- | C] () -- C:\Users\Anders\Desktop\Defogger.exe
[2010-07-03 09:40:29 | 000,000,783 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010-07-02 19:30:59 | 000,000,120 | ---- | C] () -- C:\Users\Anders\fupp.txt
[2010-07-02 18:06:26 | 000,000,172 | ---- | C] () -- C:\Windows\System32\drivers\NSS\0207000.034\isolate.ini
[2010-06-09 11:28:32 | 000,007,794 | ---- | C] () -- C:\Program Files\uninstal.log
[2009-07-12 21:42:20 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2008-11-29 17:10:05 | 000,000,023 | ---- | C] () -- C:\Windows\Disney.ini
[2007-10-30 19:46:33 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2007-10-30 19:46:33 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2007-10-30 19:46:33 | 000,010,161 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2007-10-30 19:46:33 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2007-06-06 17:19:06 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2007-06-06 17:19:06 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2007-06-06 17:19:06 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2007-06-06 17:19:06 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2007-06-06 17:19:06 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2007-06-06 17:19:06 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2007-06-06 17:09:50 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2007-06-06 16:57:50 | 000,036,864 | ---- | C] () -- C:\Windows\System32\HWS_Ctrl.dll
[2007-06-06 16:33:56 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2007-06-06 16:27:41 | 000,000,291 | ---- | C] () -- C:\Windows\RtDefLvl.ini
[2007-06-06 16:26:35 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006-12-05 14:05:06 | 000,114,688 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2006-11-02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006-11-02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2005-11-23 14:55:42 | 000,024,576 | ---- | C] () -- C:\Windows\System32\SPCtl.dll
[2005-07-22 22:30:20 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll
< End of report >
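
As an added example for readers of this thread (it is not part of the original post and not a tool from OTL, Spybot or anyone in the thread): a small Python parser for the report format above. The regexes follow the two line shapes visible in the log, the `[date | size | attrs | C or M] (company) -- path` file entries and the `O4 - ...\Run:` autostart entries, and then apply three review heuristics of the example's own: an autostart whose target OTL reports as `File not found`, an autostart whose publisher field is an empty `()`, and a publisher-less executable created under a user-writable path. The report above contains entries of each shape. A hit is a prompt for a closer look, not a verdict; legitimate files, including scanner downloads that helpers ask to be saved under random names, produce the same entry shape. The sample lines are modelled on the report, with the Example, Gone, Vendor and qz7k2pdx names made up.

```python
"""Triage helper for the OTL report format quoted above.

The regexes were written against the line shapes in the report (the
[date | size | attrs | C/M] (company) -- path entries and the O4 autostart
entries); the review heuristics are this example's own, not OTL's.  The
sample lines at the bottom are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FILE_ENTRY = re.compile(
    r"^\[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-\w]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
RUN_ENTRY = re.compile(
    r"^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<path>.+?)(?: \((?P<company>[^)]*)\)| (?P<missing>File not found))$"
)

EXEC_EXTS = (".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".pif")
# Locations an ordinary user can write to; a publisher-less executable here
# is what a helper reading the log would look at first.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\", "\\temp\\")


@dataclass
class FileEntry:
    stamp: str
    size: int
    attrs: str               # e.g. "----", "-HS-", "---D"
    kind: str                # "C" created / "M" modified
    company: Optional[str]   # "" when OTL printed "()", None when no "(...)" at all
    path: str


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    company: Optional[str]
    missing: bool            # OTL printed "File not found" for the target


def parse_file_entry(line: str) -> Optional[FileEntry]:
    m = FILE_ENTRY.match(line.strip())
    if not m:
        return None
    company = m["company"]
    return FileEntry(m["stamp"], int(m["size"].replace(",", "")), m["attrs"],
                     m["kind"], company.strip() if company is not None else None,
                     m["path"])


def parse_run_entry(line: str) -> Optional[RunEntry]:
    m = RUN_ENTRY.match(line.strip())
    if not m:
        return None
    return RunEntry(m["hive"], m["name"], m["path"], m["company"],
                    m["missing"] is not None)


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXEC_EXTS)


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for entries worth a closer look."""
    findings = []
    for line in lines:
        run = parse_run_entry(line)
        if run is not None:
            if run.missing:
                findings.append(("autostart target missing", run.path))
            elif run.company == "":
                findings.append(("autostart without publisher name", run.path))
            continue
        entry = parse_file_entry(line)
        if (entry is not None and entry.company == ""
                and is_executable(entry.path) and in_user_writable(entry.path)):
            findings.append(("no-company executable in user-writable location",
                             entry.path))
    return findings


# Constructed sample in the OTL format; the Example/Gone/Vendor/qz7k2pdx names are made up.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe (Example Software AB)
O4 - HKLM..\Run: [OrphanedEntry] C:\Program Files\Gone\gone.exe File not found
O4 - HKLM..\Run: [NoPublisher] C:\Program Files\Vendor\tray.exe ()
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
[2010-07-03 14:14:52 | 000,293,376 | ---- | C] () -- C:\Users\Example\qz7k2pdx.exe
[2010-07-03 09:40:26 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010-07-03 13:46:09 | 000,000,000 | ---D | C] -- C:\_OTL
[2010-07-03 22:29:59 | 2145,435,648 | -HS- | M] () -- C:\hiberfil.sys
"""

if __name__ == "__main__":
    for reason, path in triage(SAMPLE_LOG.splitlines()):
        print(f"{reason}: {path}")
```

Run against a saved OTL.Txt with `triage(open(path, encoding="utf-8", errors="replace").read().splitlines())`; directory entries (attrs ending in D, no `()` at all) and files with a named publisher fall through every rule by design, which keeps the output short enough to read.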

Dakeyras
2010-07-04, 11:12
Hi. :)


First you got a thanks coming from my girlfriend hehe..
The computer is starting much faster now.

Good and she is most welcome!


Sorry for the first one being in Swedish, don't know how to get it in English..

Not a problem actually, a few of my colleagues here in Safer Networking could translate if the need arose and my own wife is a linguist by profession. Plus I myself am trilingual (English/German & Irish).

OK, the below will most probably take some time but I assure you it is worth it. I did notice from the first custom OTL script I asked your good self to run on your girlfriend's computer that a distinct lack of system maintenance was evident. Basically every time a computer is used it creates a series of temporary files to enable quick loading of the most used applications and, if used online, similar for say the most visited sites in the form of what is known as cookies. A lot more is created also, but to keep it simple: as a rule of thumb, after every session a machine is used, regardless of the purpose, it is prudent to run some form of system maintenance; the Windows in-built utilities are fine to an extent but fairly basic to be honest. Performing such, though it may be tedious, will actually go a long way towards keeping the health, if you will, of a machine's hard-drive optimal and its overall performance at its best within the actual specifications of an individual machine. What I posted here (http://forums.spybot.info/showpost.php?p=376290&postcount=15) explains it far better to be perfectly honest, as I am far from any form of say a wordsmith (Importance of Regular System Maintenance).

The below as mentioned may take some time and will involve a series of system reboots:-

TFC(Temp File Cleaner):


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop,
Save any unsaved work. TFC will close all open application windows.
Right-click TFC.exe and select Run as Administrator to run the program.
Click the Start button in the bottom left of TFC
If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Vista Check-Disk:

I am sorry I do not have a specific set of instructions for this but I do have a tutorial here (http://forums.whatthetech.com/index.php?showtopic=102348) pertaining to XP and the overall process is quite similar.

Please visit this webpage (http://www.vistax64.com/tutorials/67612-check-disk-chkdsk.html) and scroll down to:

METHOD ONE:
Run Check Disk from within Vista

Then follow the instructions through 1 - 10 and then reboot your computer and let the Check-Disk perform its tasks. This may take some time.

Note: Please make sure you do carry out the above as it is vital!

Run Kaspersky Online AV Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable the currently installed Anti-Virus; how to do so can be read here (http://www.bleepingcomputer.com/forums/topic114351.html).

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.


Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
This online tutorial (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif) will help explain how to use the aforementioned online scan.

Note: Do not forget to re-enable the Anti-Virus application after running the above scan!

When you have completed the above, please post back the following:

Inform me how the computer is running. Any problems encountered and/or further symptoms?
Kaspersky results.

derarne
2010-07-04, 14:07
Hi!

I ran the temp cleaner

I did the checkdisk; it took about 1.5 hours.

But I don't manage to run the Kaspersky online scanner..
says something about the key is expired at the end of the update and won't run..

The computer runs ok..

/DerArne

Dakeyras
2010-07-04, 14:38
Hi. :)


I did the checkdisk; it took about 1.5 hours.
Good, far quicker than I was anticipating to be honest.


But I don't manage to run the Kaspersky online scanner..
says something about the key is expired at the end of the update and won't run..

OK, not a problem, though I would have preferred the log from that scan as a second opinion, if you will, regarding the initial results from the ESET scan you ran. Plus unfortunately the Kaspersky online scan can be temperamental and does not always work as it should, and sometimes it is just down to Murphy's law, which basically means the unexpected can and will happen where anything online is concerned.

OK please run the ESET online scan instead as follows and if the same files are flagged again we can actually check them if I deem it necessary.

Note: You will however need to disable the currently installed Anti-Virus; how to do so can be read here (http://www.bleepingcomputer.com/forums/topic114351.html).

Vista users: You will need to right-click on the Internet Explorer icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.


Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable the Anti-Virus application after running the above scan!

derarne
2010-07-04, 20:19
Hi!

Ran the eset scanner..

still can't find those logs.. but I created a text file:

C:\Program Files\myphotobook\xtras\process.exe Win32/PrcView application

Only one thing left.. I think I must have gotten rid of the other 2 when I threw away uTorrent and some downloaded stuff.

/Best regards Anders

Dakeyras
2010-07-05, 00:31
Hi. :)

One question before we proceed any further. Did you actually right-click on the IE executable and run as administrator for the scan?

derarne
2010-07-05, 18:52
Hi

Yes, at least I think I have all the time, but sometimes I have had this window up first without administrator.. does that matter?

Dakeyras
2010-07-05, 21:32
Hi. :)

Thank you for answering my query, should be fine.

Next:

I would like a second opinion about what was flagged by the ESET online scan. I actually suspect this is what is known as a false positive.

However to err on the side of caution I would like for it to be checked again.

Please go to my file submission channel here (http://www.bleepingcomputer.com/submit-malware.php?channel=87).

Next to the box:- Link to topic where this file was requested: Add in the below:-


http://forums.spybot.info/showthread.php?t=58270
Next to the box: Browse to the file you want to submit: click on the Browse... tab and navigate to the below:-

C:\Program Files\myphotobook\xtras\process.exe

Then click on the Send File tab. I will be notified when the file has been uploaded and checked.

Host File Reset/Replace:

Please download HostsXpert (http://majorgeeks.com/Hoster_d4626.html) and unzip it to the computer, somewhere where you can find it.

The root of the system drive would be an ideal location, e.g. C:\

Right-click on HostsXpert.exe and select Run as Administrator to launch the programme.
Check to see if top button on left hand side says Make Writable?

If it does, click on it then proceed to the next instruction.
If not, just proceed to the next instruction.

Click on Restore MS Hosts File to restore your Hosts file to its default condition
When prompted to confirm, click OK.
Click on the Download button (lower left hand side)

Click on MVPs Hosts... button.
Click on Replace button.
Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)

When finished.

Click on File Handling button.
Click on Make Read Only? to secure it against infection.

Exit the programme.
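
The reset and replace steps above restore the hosts file to its two stock entries, layer a blocklist on top and then make the file read-only. As an added example (not HostsXpert's code nor anything posted in the thread), this Python script checks the result the way a helper reads an O1 section: every mapping should point at a sink address (127.0.0.1, ::1 or 0.0.0.0); anything pointing at a routable address is a redirect worth reviewing, and an unparseable address is a malformed line. The is_read_only check assumes the Windows path shown in the report and reads the read-only attribute through the file's mode bits. The hosts content below is constructed for the example; 203.0.113.7 is from a documentation address range.

```python
"""Audit a Windows hosts file after a reset/replace like the one described above.

A stock Vista hosts file maps only localhost to 127.0.0.1 and ::1 (exactly the
two O1 lines in the OTL report).  A blocklist such as the MVPs list adds many
more names, but every one points at 127.0.0.1 or 0.0.0.0, so that traffic goes
nowhere.  A name mapped to any other address sends that site's traffic
elsewhere, which is the pattern a tampered hosts file shows.  SAMPLE_HOSTS is
constructed for this example (203.0.113.0/24 is a documentation range).
"""
import ipaddress
import os
import stat
from typing import Dict, List, Tuple

Mapping = Tuple[int, str, str]   # (line number, address, hostname)


def parse_hosts(text: str) -> List[Mapping]:
    """Return one (line, address, name) triple per hostname, skipping comments."""
    mappings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop full-line and inline comments
        parts = line.split()
        if len(parts) < 2:                      # blank, comment-only or malformed
            continue
        for name in parts[1:]:                  # one address may carry several names
            mappings.append((no, parts[0], name.lower()))
    return mappings


def audit_hosts(text: str) -> Dict[str, object]:
    """Classify every mapping as sinkholed (harmless), redirect or invalid."""
    report = {"sinkholed": 0, "redirects": [], "invalid": []}
    for no, addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            report["invalid"].append((no, addr, name))
            continue
        if ip.is_loopback or ip.is_unspecified:  # 127.x.x.x, ::1, 0.0.0.0
            report["sinkholed"] += 1
        else:
            report["redirects"].append((no, addr, name))
    return report


def is_read_only(path: str) -> bool:
    """True when the owner write bit is clear; on Windows this mirrors the
    read-only attribute that HostsXpert's 'Make Read Only?' button sets."""
    return not (os.stat(path).st_mode & stat.S_IWRITE)


WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"   # path as shown in the report

# Constructed sample; the two localhost lines are the stock Vista content.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# Entries of the kind a blocklist adds: names parked on a sink address
0.0.0.0 ads.example
0.0.0.0 tracker.example   # inline comment after the entry
# Constructed tampering pattern: well-known names sent to a routable address
203.0.113.7     mail.example
203.0.113.7     www.example
bogus-address   broken.example
"""

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{result['sinkholed']} harmless sink entries")
    for no, addr, name in result["redirects"]:
        print(f"line {no}: {name} -> {addr}  (redirect, review)")
    for no, addr, name in result["invalid"]:
        print(f"line {no}: unparseable address {addr!r} for {name}")
    if os.path.exists(WINDOWS_HOSTS):
        print("hosts file read-only:", is_read_only(WINDOWS_HOSTS))
```

On a machine being checked, feed the real file with `audit_hosts(open(WINDOWS_HOSTS, encoding="utf-8", errors="replace").read())`; a freshly restored file gives two sink entries and nothing else, and after the MVPs list is added the sink count grows while the redirect list should stay empty.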

derarne
2010-07-05, 22:16
Hey!

Submitted the file.

Ran the hostexpert program.

/Best Regards DerArne

Dakeyras
2010-07-05, 23:35
Hi. :)

I have checked the file submission and further analysed the file myself. It appears to be a false positive detection so no further action will be required.

Any other issues remaining with your girlfriend's machine and/or any instances of the original problems overall?

derarne
2010-07-05, 23:42
Hi!

I have not dared to log in on any of the applications from my girlfriend's computer so far, but I have logged in a couple of times from mine without finding anything weird.

My girlfriend's computer seems to run ok.. faster than before.

The only thing that worries me a bit is that we have not really found anything to know that we have gotten rid of the problem or have we!?

But things seem fine at the moment .. no intrusions for a couple of days.

Which programs should I add to the laptop!?

/DerArne

Dakeyras
2010-07-06, 00:06
Hi. :)


I have not dared to log in on any of the applications from my girlfriend's computer so far, but I have logged in a couple of times from mine without finding anything weird.
OK.


My girlfriend's computer seems to run ok.. faster than before.
:bigthumb:


The only thing that worries me a bit is that we have not really found anything to know that we have gotten rid of the problem or have we!?
We have removed very minor malware related files from both machines but overall I suspect it was your Router not being secure at the time, coupled with the fact someone had gained access to your accounts and not necessarily via actually accessing either machine per se. Though there is also the distinct possibility that this infection (http://www.malwarebytes.org/malwarenet.php?name=Worm.P2P) on your girlfriend's machine was the culprit.

You have changed all passwords associated and when you have completed my instructions below both machines should be safe and secure to use online. Even if you follow my advice there may always be a chance of infection, but as long as you observe safe online practices and both update and scan regularly this will go a long way towards overall online security.

I cannot advise strongly enough, though, to steer clear of absolutely anything P2P related in future. I have dealt with so many infected machines where the use of the aforementioned applications was a major conduit for malware to gain a foothold.

Next:

Congratulations, your girlfriend's computer appears to be malware free!

Most of the advice below is quite similar to what I posted prior here (http://forums.spybot.info/showpost.php?p=376290&postcount=15) for yourself, but basically just clean up advice pertaining to your girlfriend's machine, as you mentioned you did bookmark my original advice.

Clean up with OTL:

Right-click OTL and select Run as Administrator to start the program.
Close all other programs apart from OTL as this step will require a reboot.
On the OTL main screen, depress the CleanUp button.
Say Yes to the prompt and then allow the program to reboot your computer.
The above process should clean up and remove the vast majority of scanners used and logs created etc.

Any left over merely delete yourself and empty the Recycle Bin.

Reset the System Restore points:

Create a new, clean System Restore point:-

Right click on Computer and select Properties >> System protection >> Create.
Give this restore point a descriptive name and click Create.
When done, click Apply >> OK.
Note: Do not clear infected/old System Restore points before creating a new System Restore point first!

Flush Old System Restore points:-

Right click on Computer and select Properties >> System protection.
(untick) Vista C system box and click Turn off system restore then Apply >> OK.
Restart your computer.
Navigate back to System protection >> (tick) Vista C system box >> Apply >> OK

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is an excellent application and I advise you keep this installed. Check for updates and run a scan once a week.

Other installed security software:

The presently installed security application, avast! Antivirus automatically checks for updates and downloads/installs them with every system reboot and or periodically if the machine is left running providing a internet connection is active.

I advise you also run a complete scan with this once per week.

Erunt:

Emergency Recovery Utility NT. I advise you to keep this installed as a means to keep a complete backup of your registry and restore it when needed.

Myself, I would actually create a new backup once per week, as this along with System Restore may prove to be invaluable if something unforeseen occurs!

Keep your system updated:

Microsoft releases patches for Windows and other products regularly:

Click on Start(Vista Orb) >> All Programs >> Windows Update.
In the navigation pane, click Check for updates.
After Windows Update has finished checking for updates, click View available updates.
Click to select the check box for any found, then click Install.
When completed, Reboot (restart) your computer if not prompted to do so.

Install WinPatrol:

WinPatrol alerts you about possible system hijacks, malware attacks and critical changes made to your computer without your permission.

Download it from here (http://www.winpatrol.com/download.html).

You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html).

Next:

Any questions? Feel free to ask, if not stay safe!

derarne
2010-07-07, 00:24
Hi!

Ok .. cleaned up the system with OTL.

Made a new system restore point.. dumped the old ones.

Installed the programs I did not have.

Which real-time malware program should I have besides doing my weekly checks? spybot?

How long will this thread stay if I want to go back and read some stuff once again!?

And once again.. thank you, thank you, thank you..

It has been an honour.

Best regards DerArne

Dakeyras
2010-07-07, 01:31
Hi. :)

And once again.. thank you, thank you, thank you..

It has been an honour.

You're most welcome!


How long will this thread stay if I want to go back and read some stuff once again!?

Actually, once it is archived here (http://forums.spybot.info/forumdisplay.php?f=23) you will be able to access it for quite some time, probably not indefinitely but for the foreseeable future anyway, and the oldest topic in that part of the forum is nigh on five years old now.


Which real-time malware program should I have besides doing my weekly checks? spybot?

You could actually consider purchasing a licence for Malwarebytes' Anti-Malware. I use the Real Time protection feature myself on all my machines that have an active internet connection and on my Wife's laptop. Though you would need to actually disable the in-built Windows Defender. How to do so exactly can be read here (http://forums.malwarebytes.org/index.php?showtopic=8279).

Now if you have opted to re-install Spybot Search & Destroy, my advice would be to keep it as an on-demand scanner only and do not use either the immunisation feature or registry guard, as both of these features are actually covered by the Hosts file I advised and WinPatrol. If you do, a system conflict will occur and overall online protection will be compromised.

This topic here in Safer Networking is worth reading:-

So how did I get infected in the first place? (http://forums.spybot.info/showthread.php?t=279) is updated periodically, so it is worth bookmarking/adding to favourites.

This is also a good resource:- How to prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html).

Dakeyras
2010-07-12, 00:07
In the event you have not re-enabled the CD Emulation drivers on your girlfriend's computer, do so as outlined here (http://forums.spybot.info/showpost.php?p=376348&postcount=20). The same procedure pertains, except select the option Disable.

--------------

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh set of the requested logs and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.