PDA

View Full Version : Fake Anti Virus renders computer almost inoperable - cannot run DDS



Jambo John
2010-09-05, 14:37
Hello

My daughter's laptop is virtually unusable as a result of this - Virtumond (I guess) has taken over almost all the computer. IE and google chrome will not start, but firefox is still working. Other programs will not run as the system says the files are infected. The ERUNT and DDS files would not be transferred to the desktop when downloaded so I copied them from another machine. However neither would run - ERUNT flashed a couple of installation screens then nothing happened. Running DDS produced a fake virus warning and nothing happened.

I hope you can help. My daughter goes back to Uni sometime next week so I hope we can get it sorted before then!

Thanks

ken545
2010-09-09, 14:24
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.



RKill

Please download and run the following tool to help allow other programs to run. (Thanks to Grinler of BleepingComputer.com)

RKill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
RKill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
RKill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
RKill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)


There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.
You will know one ran when a box opens up with a report






Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

Jambo John
2010-09-09, 20:35
Hello Ken545 and thank you for your help.

Rkill seemed to do the trick to suppress the malware interference. Thanks Grinler from me too. ERUNT and DDS ran but I'm not sure you need the logs as I have now run Anti-Malware. Here is the log - I will now have to reboot:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4583

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

09/09/2010 18:30:04
mbam-log-2010-09-09 (18-30-04).txt

Scan type: Quick scan
Objects scanned: 142029
Time elapsed: 25 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\OTGV1DNWQQ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XBV6RD5SZF (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Amnesiac (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvcchfngyyqc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvcchfngrvg (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvcchfngrvg (windows; u; windows nt 5.1; en-us; rv:1.9) gecko/2008052906 firefox/3.0 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvcchfngtrf (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvcchfngnb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com+ manager (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop cleanup wizard (Rogue.DiskCleanUp) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Ailsa\AppData\Local\Temp\e0wkrvgnnh.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Local\Temp\spoolsv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Local\Temp\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Local\Temp\cmd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Local\Temp\thuurs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Local\Temp\x75xob4ji6cr6.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Local\Temp\jp318az.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Local\Temp\iexplorer.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Local\Temp\Bdf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Local\Temp\Bdg.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Local\Temp\Bdj.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Local\Temp\Bdk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Local\Temp\cac31B6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Local\Temp\_TU2D20.tmp (Rogue.DiskCleanUp) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Local\Temp\f266g.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Roaming\Microsoft\Windows\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Users\Ailsa\AppData\Local\Temp\skaioejiesfjoee.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Ailsa\.COMMgr\complmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Ailsa\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Ailsa\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll (Rogue.DiskCleanUp) -> Quarantined and deleted successfully.

ken545
2010-09-09, 21:02
:bigthumb:

You had some nasty stuff on this system that MBAM removed, I am sure there is more. Be sure to follow these instructions to save this program to your desktop and rename it, I am seeing markers for a possible rootkit and it may try to prevent CF from running.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Jambo John
2010-09-10, 02:31
Not so straightforward - after starting combofix a windows box appeared just saying "error" and when I clicked on OK the laptop rebooted and combofix ran on startup - here is the log:

ComboFix 10-09-08.03 - Ailsa 09/09/2010 23:29:01.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2038.875 [GMT 1:00]
Running from: c:\users\Ailsa\Downloads\Desktop\Combo-Fix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Ailsa\.COMMgr
c:\users\Ailsa\AppData\Local\authdebugcfg.exe
c:\users\Ailsa\AppData\Local\Desktop Cleanup Wizard
c:\users\Ailsa\AppData\Local\Windows Server
c:\users\Ailsa\AppData\Local\Windows Server\flags.ini
c:\users\Ailsa\AppData\Local\Windows Server\server.dat
c:\users\Ailsa\AppData\Local\Windows Server\uses32.dat
c:\users\Ailsa\AppData\Roaming\D34830358D7FC232CB434F03068DE234
c:\users\Ailsa\AppData\Roaming\D34830358D7FC232CB434F03068DE234\enemies-names.txt
c:\users\Ailsa\AppData\Roaming\D34830358D7FC232CB434F03068DE234\local.ini
c:\users\Ailsa\AppData\Roaming\D34830358D7FC232CB434F03068DE234\lsrslt.ini
c:\users\Ailsa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor
c:\users\Ailsa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\users\Ailsa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
c:\windows\Temp\log.txt

.
((((((((((((((((((((((((( Files Created from 2010-08-09 to 2010-09-09 )))))))))))))))))))))))))))))))
.

2010-09-09 22:35 . 2010-09-09 22:35 -------- d-----w- c:\users\Ailsa\AppData\Local\temp
2010-09-09 22:35 . 2010-09-09 22:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-09 16:46 . 2010-09-09 16:46 -------- d-----w- c:\program files\ERUNT
2010-09-09 15:50 . 2010-09-09 15:50 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-09-04 18:20 . 2010-09-09 16:26 -------- d-----w- c:\users\Ailsa\AppData\Local\gxoowdbct
2010-08-16 17:21 . 2010-09-09 16:35 -------- d-----w- c:\users\Ailsa\AppData\Local\Windows
2010-08-11 16:00 . 2010-06-21 13:18 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-08-11 16:00 . 2010-06-18 16:43 36352 ----a-w- c:\windows\system32\rtutils.dll
2010-08-11 16:00 . 2010-06-08 17:00 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-11 16:00 . 2010-06-08 17:00 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-11 16:00 . 2010-06-11 15:30 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-08-11 16:00 . 2010-06-18 14:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-11 16:00 . 2010-06-18 14:43 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-11 16:00 . 2010-06-16 15:59 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-09 21:34 . 2009-01-16 20:42 -------- d-----w- c:\programdata\avg8
2010-09-09 16:53 . 2010-09-09 16:53 -------- d-----w- c:\users\Ailsa\AppData\Roaming\Malwarebytes
2010-09-09 16:53 . 2010-09-09 16:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-09 16:53 . 2010-09-09 16:53 -------- d-----w- c:\programdata\Malwarebytes
2010-09-04 18:46 . 2009-07-28 00:22 680 ----a-w- c:\users\Ailsa\AppData\Local\d3d9caps.dat
2010-09-04 18:34 . 2009-03-31 21:14 -------- d-----w- c:\users\Ailsa\AppData\Roaming\Spotify
2010-09-03 14:32 . 2007-06-25 01:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-19 23:26 . 2010-07-02 13:07 -------- d-----w- c:\users\Ailsa\AppData\Roaming\LimeWire
2010-08-18 21:15 . 2010-06-23 11:22 -------- d-----w- c:\users\Ailsa\AppData\Roaming\DivX
2010-08-12 02:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-10 01:42 . 2008-09-15 07:58 -------- d-----w- c:\users\Ailsa\AppData\Roaming\Apple Computer
2010-08-10 01:40 . 2008-09-15 07:55 -------- d-----w- c:\programdata\Apple
2010-07-11 02:18 . 2010-06-23 11:25 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-11 01:51 . 2010-07-11 01:51 56765 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-11 01:51 . 2010-07-11 01:51 57715 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-07-11 01:49 . 2010-07-11 01:49 84054 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-07-11 01:49 . 2010-07-11 01:49 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-07-11 01:47 . 2010-07-11 01:47 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-07-11 01:47 . 2010-06-23 11:22 1062184 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-07-11 01:47 . 2010-06-23 11:22 895256 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-07-02 13:09 . 2010-07-02 13:09 610304 ----a-w- c:\users\Ailsa\AppData\Roaming\LimeWire\browser\xulrunner\js3250.dll
2010-07-02 13:01 . 2010-07-02 13:01 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-07-02 12:58 . 2010-07-02 12:58 71992 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-28 16:17 . 2010-08-11 16:08 833024 ----a-w- c:\windows\system32\wininet.dll
2010-06-28 16:13 . 2010-08-11 16:08 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-23 11:22 . 2010-06-23 11:22 56997 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-06-23 11:22 . 2010-06-23 11:22 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 54644 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-12-08 10:10 . 2007-12-08 10:10 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 11:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\Ailsa\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-06-14 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*bootxmlhost.exe"="c:\users\Ailsa\AppData\Local\Windows\bootxmlhost.exe" [2010-09-09 153600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-29 4472832]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-24 45056]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-13 178712]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-08 54832]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-26 457216]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-10-17 858632]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Skytel"="Skytel.exe" [2007-05-29 1826816]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-24 148888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 150552]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\Ailsa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 179712]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-07-28 721904]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-04-02 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 234888]

.
Contents of the 'Scheduled Tasks' folder

2010-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1851843919-258154983-2237051013-1003Core.job
- c:\users\Ailsa\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-14 19:18]

2010-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1851843919-258154983-2237051013-1003UA.job
- c:\users\Ailsa\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-14 19:18]

2010-09-04 c:\windows\Tasks\Norton Security Scan for Ailsa.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-06-25 00:27]

2010-09-09 c:\windows\Tasks\User_Feed_Synchronization-{57588C0C-88DF-4546-847B-C6A86A175871}.job
- c:\windows\system32\msfeedssync.exe [2008-09-21 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Ailsa\AppData\Roaming\Mozilla\Firefox\Profiles\in1soth6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Ailsa\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Acer Tour Reminder - (no file)
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-09 23:35
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-09-09 23:39:10
ComboFix-quarantined-files.txt 2010-09-09 22:39

Pre-Run: 11,659,726,848 bytes free
Post-Run: 12,899,094,528 bytes free

- - End Of File - - E6A31E568B448C704E1E7A8060402917

ken545
2010-09-10, 07:42
Hi,

A couple of things to go over.

1.
Limewire Any form of P2P (File Sharing ) is dangerous, this is most likely how this system got infected. Your downloading that file from an unknown source, malware writers are in tune to this and have made this the latest way of infecting your computer. Personally I would never allow any form of programs like this on any of my systems.


2.
Ask Toolbar
* It promotes its toolbars on sites targeted at kids.
* It promotes its toolbars through ads that appear to be part of other companies' sites.
* It promotes its toolbars through other companies' spyware.
* It is Installed without any disclosure whatsoever and without any consent from the user whatsoever.
* It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
* It makes confusing changes to user's browsers - increasing Ask's revenues while taking users to pages they didn't intend to visit.



I would uninstall both these programs via Programs and Features in the Control Panel.


Not sure about this file, looks like it just installed


You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see. If the site says this file has been checked before, have them check it again


c:\users\Ailsa\AppData\Local\Windows\bootxmlhost.exe<--This file

If the site is busy you can try this one

http://virusscan.jotti.org/en





Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Jambo John
2010-09-10, 11:29
Hi and thanks again

Limewire removed, there was no Ask toolbar in the program list but there was Vuze Toolbar which I guess is a brand name - also removed.

Enabled hidden files and folders but when I navigated to the location there was no file of that name there. I did a search of the computer and found one file with a similar name (BOOTXMLHOST.EXE-D2F942A3.pf) in C:\windows\prefetch so submitted this for analysis - sorry if this was dumb. Here are the results, if this can be pasted from the report screen - essentially all nil:

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: BOOTXMLHOST.EXE-D2F942A3.pf
Submission date: 2010-09-10 07:59:28 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)
VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2010.09.10.00 2010.09.10 -
AntiVir 8.2.4.50 2010.09.09 -
Antiy-AVL 2.0.3.7 2010.09.10 -
Authentium 5.2.0.5 2010.09.10 -
Avast 4.8.1351.0 2010.09.09 -
Avast5 5.0.594.0 2010.09.09 -
AVG 9.0.0.851 2010.09.09 -
BitDefender 7.2 2010.09.10 -
CAT-QuickHeal 11.00 2010.09.10 -
ClamAV 0.96.2.0-git 2010.09.10 -
Comodo 6029 2010.09.10 -
DrWeb 5.0.2.03300 2010.09.10 -
Emsisoft 5.0.0.37 2010.09.10 -
eSafe 7.0.17.0 2010.09.07 -
eTrust-Vet 36.1.7846 2010.09.10 -
F-Prot 4.6.1.107 2010.09.01 -
F-Secure 9.0.15370.0 2010.09.10 -
Fortinet 4.1.143.0 2010.09.09 -
GData 21 2010.09.10 -
Ikarus T3.1.1.88.0 2010.09.10 -
Jiangmin 13.0.900 2010.09.10 -
K7AntiVirus 9.63.2483 2010.09.09 -
Kaspersky 7.0.0.125 2010.09.10 -
McAfee 5.400.0.1158 2010.09.10 -
McAfee-GW-Edition 2010.1B 2010.09.10 -
Microsoft 1.6103 2010.09.10 -
NOD32 5438 2010.09.09 -
Norman 6.06.06 2010.09.09 -
nProtect 2010-09-10.01 2010.09.10 -
Panda 10.0.2.7 2010.09.09 -
PCTools 7.0.3.5 2010.09.10 -
Prevx 3.0 2010.09.10 -
Rising 22.64.04.01 2010.09.10 -
Sophos 4.57.0 2010.09.10 -
Sunbelt 6857 2010.09.10 -
SUPERAntiSpyware 4.40.0.1006 2010.09.10 -
Symantec 20101.1.1.7 2010.09.10 -
TheHacker 6.7.0.0.012 2010.09.09 -
TrendMicro 9.120.0.1004 2010.09.10 -
TrendMicro-HouseCall 9.120.0.1004 2010.09.10 -
VBA32 3.12.14.0 2010.09.08 -
ViRobot 2010.9.8.4031 2010.09.10 -
VirusBuster 12.64.26.0 2010.09.09 -
Additional informationShow all
MD5 : e258c364f40cf63fe13db0c0dc439ea0
SHA1 : 963561ddf4d0811c5f8c2f1d04fae979123696cb
SHA256: 66537f6565e4e532aba36b9a161e8c3a1bc1c15a645689de0c7c58a7a30435f2

Here is the ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=337ee7a469cf974290cb201c1d65106c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-10 08:27:01
# local_time=2010-09-10 09:27:01 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=1024 16777215 100 0 51969419 51969419 0 0
# compatibility_mode=5892 16776573 100 100 56487 121637083 0 0
# compatibility_mode=8192 67108863 100 0 157 157 0 0
# scanned=133021
# found=2
# cleaned=2
# scan_time=2866
C:\Qoobox\Quarantine\C\Users\Ailsa\AppData\Local\authdebugcfg.exe.vir a variant of Win32/Kryptik.GOD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Ailsa\AppData\Local\Windows\adslbootedit.exe a variant of Win32/Kryptik.GOD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

ken545
2010-09-10, 12:01
Looks like the one you sent up for analysis was bad and removed by ESET, the other one ESET removed was just a backup of what Combofix removed.

How are things running now ?


Why dont you post the DDS log and let me take a final look

Download DDS by sUBs from one of the following links. Save it to your desktop.

DDS.com (http://www.techsupportforum.com/sectools/sUBs/dds)
DDS.scr (http://download.bleepingcomputer.com/sUBs/dds.scr)
DDS.pif (http://www.forospyware.com/sUBs/dds)

Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control Here (http://www.bleepingcomputer.com/forums/topic114351.html)

Jambo John
2010-09-10, 16:19
Hi Ken

No apparent problems after running the various cleansers, thanks (although when selecting English language to come back to the forum I was mysteriously redirected to a page at www.info.co.uk). Also on startup a Windows Defender window pops up stating that potentially harmful startup programs have been blocked. This appears to be two items both called cryptpackcache.exe.

Anyhow here are the logs from DDS:

DDS.txt


DDS (Ver_09-09-29.01) - NTFSx86
Run by Ailsa at 14:06:20.64 on 10/09/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2038.915 [GMT 1:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Windows\system32\igfxext.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Users\Ailsa\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Ailsa\Downloads\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\ailsa\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [*cryptpackcache.exe] "c:\users\ailsa\appdata\local\windows\cryptpackcache.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PLFSet] rundll32.exe c:\windows\PLFSet.dll,PLFDefSetting
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Skytel] Skytel.exe
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\ailsa\appdata\local\windows\cryptpackcache.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1240591838346&h=e53a404309ef65636af19b3679aee831/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\ailsa\appdata\roaming\mozilla\firefox\profiles\in1soth6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\ailsa\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2007-12-8 13560]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2010-5-14 249136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-2-8 179712]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-11 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-09-10 08:36 <DIR> --d----- c:\program files\ESET
2010-09-09 23:39 <DIR> --dsh--- C:\$RECYCLE.BIN
2010-09-09 23:24 256,512 a------- c:\windows\PEV.exe
2010-09-09 23:24 161,792 a------- c:\windows\SWREG.exe
2010-09-09 23:24 98,816 a------- c:\windows\sed.exe
2010-09-09 23:24 77,312 a------- c:\windows\MBR.exe
2010-09-09 17:53 <DIR> --d----- c:\users\ailsa\appdata\roaming\Malwarebytes
2010-09-09 17:53 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-09 17:53 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-09-09 17:53 <DIR> --d----- c:\programdata\Malwarebytes
2010-09-09 17:53 <DIR> --d----- c:\progra~2\Malwarebytes
2010-09-09 17:53 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-09-09 16:50 <DIR> --d----- c:\programdata\Office Genuine Advantage
2010-08-11 17:00 2,036,736 a------- c:\windows\system32\win32k.sys
2010-08-11 17:00 36,352 a------- c:\windows\system32\rtutils.dll
2010-08-11 17:00 3,598,216 a------- c:\windows\system32\ntkrnlpa.exe
2010-08-11 17:00 3,545,992 a------- c:\windows\system32\ntoskrnl.exe
2010-08-11 17:00 1,257,472 a------- c:\windows\system32\msxml3.dll
2010-08-11 17:00 302,080 a------- c:\windows\system32\drivers\srv.sys
2010-08-11 17:00 144,896 a------- c:\windows\system32\drivers\srv2.sys
2010-08-11 17:00 898,952 a------- c:\windows\system32\drivers\tcpip.sys

==================== Find3M ====================

2010-07-02 14:07 143,360 a------- c:\windows\inf\infstrng.dat
2010-07-02 14:07 86,016 a------- c:\windows\inf\infstor.dat
2010-07-02 14:07 51,200 a------- c:\windows\inf\infpub.dat
2010-06-28 17:17 833,024 a------- c:\windows\system32\wininet.dll
2010-06-28 17:13 78,336 a------- c:\windows\system32\ieencode.dll
2008-10-24 16:14 174 a--sh--- c:\program files\desktop.ini
2008-10-24 16:05 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-12-16 13:07 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\temp\cookies\index.dat
2009-12-16 13:07 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\temp\history\history.ie5\index.dat
2009-12-16 13:07 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2007-12-08 11:10 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 14:07:08.71 ===============


Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 08/12/2007 09:19:34
System Uptime: 09/10/2010 13:14:59 (-695 hours ago)

Motherboard: Acer | | Columbia
Processor: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz | U2E1 | 2001/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 70 GiB total, 14.441 GiB free.
D: is FIXED (NTFS) - 70 GiB total, 69.191 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0021
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter
PNP Device ID: ROOT\*6TO4MP\0021
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Broadcom NetLink (TM) Gigabit Ethernet
Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_011C1025&REV_02\4&87CE153&0&00E0
Manufacturer: Broadcom
Name: Broadcom NetLink (TM) Gigabit Ethernet
PNP Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_011C1025&REV_02\4&87CE153&0&00E0
Service: b57nd60x

==== System Restore Points ===================

RP735: 09/09/2010 22:31:16 - Removed AVG Free 8.5
RP736: 09/09/2010 22:34:40 - Installed AVG Free 8.5
RP738: 10/09/2010 02:04:41 - Windows Defender Checkpoint

==== Installed Programs ======================


4oD
Acer Crystal Eye webcam
Acer eDataSecurity Management
Acer eLock Management
Acer Empowering Technology
Acer eNet Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer Mobility Center Plug-In
Acer ScreenSaver
Acer Tour
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.2.1
AGEIA PhysX v7.11.13
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Broadcom Gigabit Integrated Controller
Business Contact Manager for Outlook 2007 SP2
Canon Easy-WebPrint EX
Canon MP Navigator EX 3.0
Canon MP250 series MP Drivers
Canon MP250 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Compatibility Pack for the 2007 Office system
DivX Setup
ERUNT 1.1j
ESET Online Scanner v3
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
Google Chrome
HDAUDIO Soft Data Fax Modem with SmartCP
Highlight Viewer (Windows Live Toolbar)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel(R) TV Wizard
iTunes
Java(TM) 6 Update 13
Junk Mail filter update
Launch Manager
LightScribe 1.4.142.1
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Lost Via Domus
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Age of Empires II Trial Version
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access 2003
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office Small Business Connectivity Components
Microsoft Office Standard Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Mozilla Firefox (3.0.13)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Security Scan
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
NTI Shadow
OGA Notifier 2.0.0048.0
PowerDVD
QuickTime
Realtek High Definition Audio Driver
Safari
Security Update for CAPICOM (KB931906)
Smart Menus (Windows Live Toolbar)
Spotify
Synaptics Pointing Device Driver
System Requirements Lab
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.4053
VoiceOver Kit
Vuze
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Favorites for Windows Live Toolbar
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Upload Tool
Windows Live Writer
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

09/09/2010 23:28:32, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
09/09/2010 23:28:31, Error: Service Control Manager [7034] - The MobilityService service terminated unexpectedly. It has done this 1 time(s).
09/09/2010 23:27:52, Error: Service Control Manager [7034] - The XAudioService service terminated unexpectedly. It has done this 1 time(s).
09/09/2010 23:27:13, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001CBF63CAA3. The following error occurred: The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
09/09/2010 23:26:57, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.212.29.138 for the Network Card with network address 001CBF63CAA3 has been denied by the DHCP server 10.199.121.25 (The DHCP Server sent a DHCPNACK message).
09/09/2010 23:24:07, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.117 for the Network Card with network address 001CBF63CAA3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
09/09/2010 18:42:43, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.116 for the Network Card with network address 001CBF63CAA3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
09/09/2010 17:40:40, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.212.29.138 for the Network Card with network address 001CBF63CAA3 has been denied by the DHCP server 10.0.0.138 (The DHCP Server sent a DHCPNACK message).
09/09/2010 17:37:59, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.115 for the Network Card with network address 001CBF63CAA3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
09/09/2010 17:26:48, Error: Microsoft-Windows-Windows Defender [1008] - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Rogue:Win32/FakeVimes&threatid=141340 Scan ID: {AE4419CE-FABE-4B22-A473-9FCB8691DC63} Scan Type: AntiMalware User: NT AUTHORITY\NETWORK SERVICE Name: Rogue:Win32/FakeVimes ID: 141340 Severity ID: 5 Category ID: 8 Path: Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
09/09/2010 16:53:28, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
09/09/2010 16:48:19, Error: EventLog [6008] - The previous system shutdown at 19:01:36 on 05/09/2010 was unexpected.
05/09/2010 12:03:41, Error: PlugPlayManager [10] - Error writing to server side install pipe
04/09/2010 20:05:36, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
04/09/2010 19:58:58, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800706be: Office Live add-in 1.5.
04/09/2010 19:58:58, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800706ba: Office Genuine Advantage Notifications (KB949810).
04/09/2010 19:58:58, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800706ba: Internet Explorer 8 for Windows Vista.
04/09/2010 19:39:48, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
04/09/2010 19:39:37, Error: EventLog [6008] - The previous system shutdown at 19:37:01 on 04/09/2010 was unexpected.
04/09/2010 16:59:37, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{957EDBCA-A3A1-47A6-8946-055BF5DBB5D0} because another computer on the network has the same name. The server could not start.
04/09/2010 16:59:21, Error: cdrom [15] - The device, \Device\CdRom2, is not ready for access yet.
03/09/2010 11:12:26, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.70 for the Network Card with network address 001CBF63CAA3 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
03/09/2010 10:51:30, Error: PlugPlayManager [12] - The device 'Slimtype DVD A DS8A1P ATA Device' (IDE\CdRomSlimtype_DVD_A__DS8A1P__________________CA14____\5&206e8ad&0&0.0.0) disappeared from the system without first being prepared for removal.

==== End Of File ===========================

ken545
2010-09-10, 19:33
Lets do this

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above DDS::




DDS::
uRunOnce: [*cryptpackcache.exe]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Jambo John
2010-09-11, 12:17
Ken

Disastrous - I am having to send this from another pc. When I try to launch Firefox or chrome I get the message, "Illegal operation on a registry key that has been marked for deletion". This message appears for almost any program including DDS so I cannot post a log.

IE will not run at all.

HELP!!

During combofix's run a window appeared saying something like PEV.exe cannot run. It disappeared so I am not sure exactly what it said.

Here is the log for combofix:

ComboFix 10-09-08.03 - Ailsa 11/09/2010 9:39.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2038.751 [GMT 1:00]
Running from: c:\users\Ailsa\Downloads\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Ailsa\Downloads\Desktop\CFScript.txt
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
.

2010-09-11 08:51 . 2010-09-11 08:51 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-11 08:51 . 2010-09-11 08:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-10 18:00 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-09-10 13:44 . 2010-09-10 13:44 -------- d-----w- C:\$AVG
2010-09-10 13:44 . 2010-09-10 13:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-09-10 13:44 . 2010-09-10 13:44 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-09-10 13:44 . 2010-09-10 13:44 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-09-10 13:44 . 2010-09-10 13:44 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-09-10 13:44 . 2010-09-11 08:12 -------- d-----w- c:\windows\system32\drivers\Avg
2010-09-10 13:41 . 2010-09-10 13:41 -------- d-----w- c:\programdata\avg9
2010-09-10 07:36 . 2010-09-10 07:36 -------- d-----w- c:\program files\ESET
2010-09-09 22:39 . 2010-09-11 08:51 -------- d-----w- c:\users\Ailsa\AppData\Local\temp
2010-09-09 16:53 . 2010-09-09 16:53 -------- d-----w- c:\users\Ailsa\AppData\Roaming\Malwarebytes
2010-09-09 16:53 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-09 16:53 . 2010-09-09 16:53 -------- d-----w- c:\programdata\Malwarebytes
2010-09-09 16:53 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-09 16:53 . 2010-09-09 16:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-09 16:46 . 2010-09-09 16:46 -------- d-----w- c:\program files\ERUNT
2010-09-09 15:50 . 2010-09-09 15:50 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-09-04 18:20 . 2010-09-09 16:26 -------- d-----w- c:\users\Ailsa\AppData\Local\gxoowdbct
2010-08-16 17:21 . 2010-09-10 14:44 -------- d-----w- c:\users\Ailsa\AppData\Local\Windows

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-10 17:08 . 2009-03-14 12:04 -------- d-----w- c:\program files\Microsoft
2010-09-10 17:04 . 2009-03-14 12:09 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-10 14:31 . 2007-06-25 01:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-10 13:41 . 2009-01-16 20:42 -------- d-----w- c:\program files\AVG
2010-09-10 07:06 . 2010-07-02 13:05 -------- d-----w- c:\program files\LimeWire
2010-09-04 18:46 . 2009-07-28 00:22 680 ----a-w- c:\users\Ailsa\AppData\Local\d3d9caps.dat
2010-09-04 18:34 . 2009-03-31 21:14 -------- d-----w- c:\users\Ailsa\AppData\Roaming\Spotify
2010-08-19 23:26 . 2010-07-02 13:07 -------- d-----w- c:\users\Ailsa\AppData\Roaming\LimeWire
2010-08-18 21:15 . 2010-06-23 11:22 -------- d-----w- c:\users\Ailsa\AppData\Roaming\DivX
2010-08-12 02:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-10 01:42 . 2008-09-15 07:58 -------- d-----w- c:\users\Ailsa\AppData\Roaming\Apple Computer
2010-08-10 01:40 . 2008-09-15 07:55 -------- d-----w- c:\programdata\Apple
2010-07-11 02:18 . 2010-06-23 11:25 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-11 01:51 . 2010-07-11 01:51 56765 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-11 01:51 . 2010-07-11 01:51 57715 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-07-11 01:49 . 2010-07-11 01:49 84054 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-07-11 01:49 . 2010-07-11 01:49 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-07-11 01:47 . 2010-07-11 01:47 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-07-11 01:47 . 2010-06-23 11:22 1062184 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-07-11 01:47 . 2010-06-23 11:22 895256 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-07-02 13:09 . 2010-07-02 13:09 610304 ----a-w- c:\users\Ailsa\AppData\Roaming\LimeWire\browser\xulrunner\js3250.dll
2010-07-02 13:01 . 2010-07-02 13:01 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-07-02 12:58 . 2010-07-02 12:58 71992 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-26 06:05 . 2010-09-10 17:10 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-09-10 17:10 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-09-10 17:10 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-09-10 17:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-23 11:22 . 2010-06-23 11:22 56997 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-06-23 11:22 . 2010-06-23 11:22 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 54644 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-06-23 11:21 . 2010-06-23 11:21 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-06-21 13:18 . 2010-08-11 16:00 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-06-18 16:43 . 2010-08-11 16:00 36352 ----a-w- c:\windows\system32\rtutils.dll
2010-06-18 14:43 . 2010-08-11 16:00 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 14:43 . 2010-08-11 16:00 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-16 15:59 . 2010-08-11 16:00 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-12-08 10:10 . 2007-12-08 10:10 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-09-09_22.35.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-10 13:41 . 2010-09-10 13:41 65536 c:\windows\winsxs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.4053_none_3b0e32bdc9afe437\vcomp.dll
+ 2010-09-10 13:41 . 2010-09-10 13:41 49152 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80KOR.dll
+ 2010-09-10 13:41 . 2010-09-10 13:41 49152 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80JPN.dll
+ 2010-09-10 13:41 . 2010-09-10 13:41 61440 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80ITA.dll
+ 2010-09-10 13:41 . 2010-09-10 13:41 61440 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80FRA.dll
+ 2010-09-10 13:41 . 2010-09-10 13:41 61440 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80ESP.dll
+ 2010-09-10 13:41 . 2010-09-10 13:41 57344 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80ENU.dll
+ 2010-09-10 13:41 . 2010-09-10 13:41 65536 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80DEU.dll
+ 2010-09-10 13:41 . 2010-09-10 13:41 45056 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80CHT.dll
+ 2010-09-10 13:41 . 2010-09-10 13:41 40960 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80CHS.dll
+ 2010-09-10 13:41 . 2010-09-10 13:41 57856 c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfcm80u.dll
+ 2010-09-10 13:41 . 2010-09-10 13:41 69632 c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfcm80.dll
+ 2010-09-10 17:09 . 2009-03-08 11:32 94720 c:\windows\winsxs\x86_microsoft-windows-ie-setup_31bf3856ad364e35_8.0.6001.18702_none_7c2a7e005d93bd9b\inseng.dll
+ 2010-09-10 17:10 . 2010-06-26 06:48 71680 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.23040_none_a9180e0d8d84c714\iesetup.dll
+ 2010-09-10 17:10 . 2010-06-26 06:48 55808 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.23040_none_a9180e0d8d84c714\iernonce.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 71680 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.18943_none_a8919be474643d34\iesetup.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 55808 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.18943_none_a8919be474643d34\iernonce.dll
+ 2010-09-10 17:09 . 2009-03-08 11:32 71680 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.18702_none_a8bbd77e7444b9cb\iesetup.dll
+ 2010-09-10 17:09 . 2009-03-08 11:32 55808 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.18702_none_a8bbd77e7444b9cb\iernonce.dll
+ 2010-09-10 17:09 . 2009-03-08 11:31 59904 c:\windows\winsxs\x86_microsoft-windows-ie-infocard_31bf3856ad364e35_8.0.6001.18702_none_3d86a1c07a097782\icardie.dll
+ 2010-09-10 17:09 . 2009-03-08 11:31 34816 c:\windows\winsxs\x86_microsoft-windows-ie-imagesupport_31bf3856ad364e35_8.0.6001.18702_none_20dfeb2e08d9ec0a\imgutil.dll
+ 2010-09-10 17:09 . 2009-03-08 11:32 66560 c:\windows\winsxs\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.6001.18702_none_4766ff3b547d623d\wextract.exe
+ 2010-09-10 17:11 . 2010-06-24 05:17 16896 c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.23039_none_844ab3e55fe5699d\iecompat.dll
+ 2010-09-10 17:11 . 2010-06-24 04:49 16896 c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18942_none_83af6eec46d5fe48\iecompat.dll
+ 2010-09-10 17:09 . 2009-03-08 11:31 48128 c:\windows\winsxs\x86_microsoft-windows-ie-htmleditingsupport_31bf3856ad364e35_8.0.6001.18702_none_d658a8dacff20c9e\mshtmler.dll
+ 2010-09-10 17:09 . 2009-03-08 11:31 66560 c:\windows\winsxs\x86_microsoft-windows-ie-htmlediting_31bf3856ad364e35_8.0.6001.18702_none_2b140bc159303551\mshtmled.dll
+ 2010-09-10 17:09 . 2009-03-08 11:31 45568 c:\windows\winsxs\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_8.0.6001.18702_none_3c45119b1f28ff3d\mshta.exe
+ 2010-09-10 17:10 . 2010-06-26 05:12 13312 c:\windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.6001.23040_none_df9547f309cd816b\msfeedssync.exe
+ 2010-09-10 17:10 . 2010-06-26 06:49 55296 c:\windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.6001.23040_none_df9547f309cd816b\msfeedsbs.dll
+ 2010-09-10 17:10 . 2010-06-26 04:24 13312 c:\windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.6001.18943_none_df0ed5c9f0acf78b\msfeedssync.exe
+ 2010-09-10 17:10 . 2010-06-26 06:03 55296 c:\windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.6001.18943_none_df0ed5c9f0acf78b\msfeedsbs.dll
+ 2010-09-10 17:09 . 2009-03-08 11:31 13312 c:\windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.6001.18702_none_df391163f08d7422\msfeedssync.exe
+ 2010-09-10 17:09 . 2009-03-08 11:31 55296 c:\windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.6001.18702_none_df391163f08d7422\msfeedsbs.dll
+ 2010-09-10 17:09 . 2009-03-08 11:34 43008 c:\windows\winsxs\x86_microsoft-windows-ie-controls_31bf3856ad364e35_8.0.6001.18702_none_accc7a4465be292a\licmgr10.dll
+ 2010-09-10 17:09 . 2009-03-08 11:32 72704 c:\windows\winsxs\x86_microsoft-windows-ie-adminkitmostfiles_31bf3856ad364e35_8.0.6001.18702_none_911d44271c9159e9\admparse.dll
+ 2010-09-10 17:10 . 2010-06-26 06:51 64512 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.23040_none_e5304c66d0de8f8c\WininetPlugin.dll
+ 2010-09-10 17:10 . 2010-06-26 06:48 25600 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.23040_none_e5304c66d0de8f8c\jsproxy.dll
+ 2010-09-10 17:10 . 2010-06-26 06:05 64512 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.18943_none_e4a9da3db7be05ac\WininetPlugin.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 25600 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.18943_none_e4a9da3db7be05ac\jsproxy.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 64512 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.18702_none_e4d415d7b79e8243\WininetPlugin.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 25600 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.18702_none_e4d415d7b79e8243\jsproxy.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 18944 c:\windows\winsxs\x86_microsoft-windows-i..tivexpolicyprovider_31bf3856ad364e35_8.0.6001.18702_none_6f561c09617d9439\corpol.dll
+ 2010-09-10 17:09 . 2009-03-08 11:31 46592 c:\windows\winsxs\x86_microsoft-windows-i..ablenetworkgraphics_31bf3856ad364e35_8.0.6001.18702_none_d0b191832934e44c\pngfilt.dll
+ 2010-09-10 17:09 . 2009-03-08 11:32 66560 c:\windows\System32\wextract.exe
+ 2007-04-18 09:41 . 2010-09-11 08:15 68624 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-09-11 08:15 73310 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2010-09-10 17:09 . 2009-03-08 11:31 46592 c:\windows\System32\pngfilt.dll
- 2006-11-02 07:33 . 2006-11-02 07:33 48128 c:\windows\System32\mshtmler.dll
+ 2010-09-10 17:09 . 2009-03-08 11:31 48128 c:\windows\System32\mshtmler.dll
+ 2010-09-10 17:09 . 2009-03-08 11:31 66560 c:\windows\System32\mshtmled.dll
- 2008-09-21 17:12 . 2008-01-19 07:33 45568 c:\windows\System32\mshta.exe
+ 2010-09-10 17:09 . 2009-03-08 11:31 45568 c:\windows\System32\mshta.exe
+ 2010-09-10 17:10 . 2010-06-26 04:24 13312 c:\windows\System32\msfeedssync.exe
+ 2010-09-10 17:10 . 2010-06-26 06:03 55296 c:\windows\System32\msfeedsbs.dll
+ 2010-09-10 17:10 . 2010-06-26 06:05 64512 c:\windows\System32\migration\WininetPlugin.dll
- 2008-10-15 22:09 . 2008-02-22 05:01 64512 c:\windows\System32\migration\WininetPlugin.dll
+ 2010-09-10 17:09 . 2009-03-08 11:34 43008 c:\windows\System32\licmgr10.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 25600 c:\windows\System32\jsproxy.dll
+ 2010-09-10 17:09 . 2009-03-08 11:32 94720 c:\windows\System32\inseng.dll
+ 2010-09-10 17:09 . 2009-03-08 11:31 34816 c:\windows\System32\imgutil.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 55808 c:\windows\System32\iernonce.dll
+ 2010-09-10 17:09 . 2009-03-08 11:31 59904 c:\windows\System32\icardie.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 18944 c:\windows\System32\corpol.dll
+ 2007-12-08 09:36 . 2010-09-11 08:14 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-08 09:36 . 2010-09-09 22:34 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-08 09:36 . 2010-09-09 22:34 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-12-08 09:36 . 2010-09-11 08:14 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-10 17:09 . 2009-03-08 11:32 72704 c:\windows\System32\admparse.dll
- 2008-09-21 17:12 . 2008-01-19 07:33 72704 c:\windows\System32\admparse.dll
+ 2010-06-04 02:01 . 2010-09-10 15:54 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
- 2010-06-04 02:01 . 2010-06-04 02:01 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2010-09-10 17:09 . 2009-03-08 11:35 2048 c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18702_none_83daaad046b59436\iecompat.dll
+ 2008-09-23 21:03 . 2010-09-10 17:15 5158 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-03-24 16:10 . 2010-09-10 17:13 2010 c:\windows\System32\WDI\{88d4896f-f553-446a-9c75-9dec124ff8b7}.bin
+ 2008-09-14 00:00 . 2010-09-11 08:15 9644 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1851843919-258154983-2237051013-1003_UserData.bin
+ 2010-09-10 12:57 . 2010-09-10 12:57 9560 c:\windows\System32\networklist\icons\{92D7E619-1CB0-4823-AF71-5ACBBBF87053}_48.bin
+ 2010-09-10 12:57 . 2010-09-10 12:57 4280 c:\windows\System32\networklist\icons\{92D7E619-1CB0-4823-AF71-5ACBBBF87053}_32.bin
+ 2010-09-10 12:57 . 2010-09-10 12:57 2456 c:\windows\System32\networklist\icons\{92D7E619-1CB0-4823-AF71-5ACBBBF87053}_24.bin
- 2010-09-09 22:24 . 2010-09-09 22:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-09-11 08:08 . 2010-09-11 08:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-09-11 08:08 . 2010-09-11 08:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-09-09 22:24 . 2010-09-09 22:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-09-10 18:00 . 2010-03-05 22:19 420352 c:\windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_8.0.6001.23000_none_2bcc9be85cd2112b\vbscript.dll
+ 2010-09-10 18:00 . 2010-03-05 14:01 420352 c:\windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_8.0.6001.18909_none_2b4c2b7b43ac1f55\vbscript.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 420352 c:\windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_8.0.6001.18702_none_2b4525a943b273a6\vbscript.dll
+ 2010-09-10 18:00 . 2009-12-04 16:15 726528 c:\windows\winsxs\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.22960_none_6611c986263fd953\jscript.dll
+ 2010-09-10 18:00 . 2009-06-06 12:55 726528 c:\windows\winsxs\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.22886_none_66022984264aac18\jscript.dll
+ 2010-09-10 18:00 . 2009-12-04 07:19 726528 c:\windows\winsxs\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.18869_none_65912f550d1a1d98\jscript.dll
+ 2010-09-10 18:00 . 2009-06-06 05:01 726528 c:\windows\winsxs\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.18795_none_656cbc830d360ee8\jscript.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 726528 c:\windows\winsxs\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.18702_none_65cb0af10cefc76a\jscript.dll
+ 2010-09-10 17:09 . 2009-03-08 11:22 156160 c:\windows\winsxs\x86_microsoft-windows-msls31_31bf3856ad364e35_8.0.6001.18702_none_aeeaf610b83f2e48\msls31.dll
+ 2010-09-10 17:09 . 2009-03-08 11:35 121344 c:\windows\winsxs\x86_microsoft-windows-js-debuggeride_31bf3856ad364e35_8.0.6001.18702_none_1de359b6148047cc\jsdebuggeride.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 256000 c:\windows\winsxs\x86_microsoft-windows-ieinstal_31bf3856ad364e35_8.0.6001.18702_none_cb86fb78a76dcdde\ieinstal.exe
+ 2010-09-10 17:10 . 2010-06-26 06:48 164352 c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_8.0.6001.23040_none_47e9c588dd2a86ef\ieui.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 164352 c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_8.0.6001.18943_none_4763535fc409fd0f\ieui.dll
+ 2010-09-10 17:09 . 2009-03-08 11:22 164352 c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_8.0.6001.18702_none_478d8ef9c3ea79a6\ieui.dll
+ 2010-09-10 17:09 . 2009-03-08 11:34 105984 c:\windows\winsxs\x86_microsoft-windows-ie-winsockautodialstub_31bf3856ad364e35_8.0.6001.18702_none_d315f3a07395d0ed\url.dll
+ 2010-09-10 17:09 . 2009-03-08 11:34 208384 c:\windows\winsxs\x86_microsoft-windows-ie-winfxdocobj_31bf3856ad364e35_8.0.6001.18702_none_d4a239fe30224f93\WinFXDocObj.exe
+ 2010-09-10 17:09 . 2009-03-08 11:33 759296 c:\windows\winsxs\x86_microsoft-windows-ie-vgx_31bf3856ad364e35_8.0.6001.18702_none_d02233c4fe8667df\VGX.dll
+ 2010-09-10 17:10 . 2010-06-26 06:48 109056 c:\windows\winsxs\x86_microsoft-windows-ie-sysprep_31bf3856ad364e35_8.0.6001.23040_none_fed972b9e90803d9\iesysprep.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 109056 c:\windows\winsxs\x86_microsoft-windows-ie-sysprep_31bf3856ad364e35_8.0.6001.18943_none_fe530090cfe779f9\iesysprep.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 109056 c:\windows\winsxs\x86_microsoft-windows-ie-sysprep_31bf3856ad364e35_8.0.6001.18702_none_fe7d3c2acfc7f690\iesysprep.dll
+ 2010-09-10 17:10 . 2010-06-26 05:13 173056 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.23040_none_a9180e0d8d84c714\ie4uinit.exe
+ 2010-09-10 17:10 . 2010-06-26 04:24 173056 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.18943_none_a8919be474643d34\ie4uinit.exe
+ 2010-09-10 17:09 . 2009-03-08 11:32 173056 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.18702_none_a8bbd77e7444b9cb\ie4uinit.exe
+ 2010-09-10 17:10 . 2010-06-26 06:51 129536 c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.6001.23040_none_2aeb0342bb8fade9\sqmapi.dll
+ 2010-09-10 17:10 . 2010-06-26 06:05 129536 c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.6001.18943_none_2a649119a26f2409\sqmapi.dll
+ 2010-09-10 17:09 . 2009-03-08 21:09 140128 c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.6001.18702_none_2a8eccb3a24fa0a0\sqmapi.dll
+ 2010-09-10 17:09 . 2009-03-08 11:34 193536 c:\windows\winsxs\x86_microsoft-windows-ie-ratings_31bf3856ad364e35_8.0.6001.18702_none_aa7d60ae7286ab24\msrating.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 109568 c:\windows\winsxs\x86_microsoft-windows-ie-pdm_31bf3856ad364e35_8.0.6001.18702_none_d0610d06fe575a49\PDMSetup.exe
+ 2010-09-10 17:09 . 2009-01-08 01:20 355832 c:\windows\winsxs\x86_microsoft-windows-ie-pdm_31bf3856ad364e35_8.0.6001.18702_none_d0610d06fe575a49\pdm.dll
+ 2010-09-10 17:09 . 2009-01-08 01:20 265720 c:\windows\winsxs\x86_microsoft-windows-ie-pdm_31bf3856ad364e35_8.0.6001.18702_none_d0610d06fe575a49\msdbg2.dll
+ 2010-09-10 17:09 . 2009-03-08 11:34 236544 c:\windows\winsxs\x86_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.6001.18702_none_44170552678500f2\webcheck.dll
+ 2010-09-10 17:10 . 2010-06-26 06:50 206848 c:\windows\winsxs\x86_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.6001.23040_none_1a6dc115432e9357\occache.dll
+ 2010-09-10 17:10 . 2010-06-26 06:04 206848 c:\windows\winsxs\x86_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.6001.18943_none_19e74eec2a0e0977\occache.dll
+ 2010-09-10 17:09 . 2009-03-08 11:34 109568 c:\windows\winsxs\x86_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.6001.18702_none_1a118a8629ee860e\occache.dll
+ 2010-09-10 17:09 . 2009-03-08 11:35 233984 c:\windows\winsxs\x86_microsoft-windows-ie-jsprofilerui_31bf3856ad364e35_8.0.6001.18702_none_d5ea1c01e3fe67ea\jsprofilerui.dll
+ 2010-09-10 17:09 . 2009-03-08 11:35 118272 c:\windows\winsxs\x86_microsoft-windows-ie-jsprofilercore_31bf3856ad364e35_8.0.6001.18702_none_ed92bec9472aab53\JSProfilerCore.dll
+ 2010-09-10 17:09 . 2009-03-08 11:35 521216 c:\windows\winsxs\x86_microsoft-windows-ie-jscriptdebugui_31bf3856ad364e35_8.0.6001.18702_none_9d577137e370ad2c\jsdbgui.dll
+ 2010-09-10 17:10 . 2010-06-26 06:52 638232 c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23040_none_12a958f24909fe6f\iexplore.exe
+ 2010-09-10 17:10 . 2010-06-26 05:13 133632 c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23040_none_12a958f24909fe6f\ieUnatt.exe
+ 2010-09-10 17:10 . 2010-06-26 06:06 638232 c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18943_none_1222e6c92fe9748f\iexplore.exe
+ 2010-09-10 17:10 . 2010-06-26 04:25 133632 c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18943_none_1222e6c92fe9748f\ieUnatt.exe
+ 2010-09-10 17:09 . 2009-03-08 21:09 638816 c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18702_none_124d22632fc9f126\iexplore.exe
+ 2010-09-10 17:09 . 2009-03-08 11:33 132608 c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18702_none_124d22632fc9f126\ieUnatt.exe
+ 2010-09-10 17:09 . 2009-03-08 11:35 144384 c:\windows\winsxs\x86_microsoft-windows-ie-impexp-extexport_31bf3856ad364e35_8.0.6001.18702_none_10e8e2fad95106ab\ExtExport.exe
+ 2010-09-10 17:09 . 2009-03-08 11:32 169472 c:\windows\winsxs\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.6001.18702_none_4766ff3b547d623d\iexpress.exe
+ 2010-09-10 17:10 . 2010-06-26 06:48 197632 c:\windows\winsxs\x86_microsoft-windows-ie-ieshims_31bf3856ad364e35_8.0.6001.23040_none_2ad488dec9448079\IEShims.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 197632 c:\windows\winsxs\x86_microsoft-windows-ie-ieshims_31bf3856ad364e35_8.0.6001.18943_none_2a4e16b5b023f699\IEShims.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 196096 c:\windows\winsxs\x86_microsoft-windows-ie-ieshims_31bf3856ad364e35_8.0.6001.18702_none_2a78524fb0047330\IEShims.dll
+ 2010-09-10 17:10 . 2010-06-26 06:48 247808 c:\windows\winsxs\x86_microsoft-windows-ie-ieproxy_31bf3856ad364e35_8.0.6001.23040_none_73763d48799c1a0b\ieproxy.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 247808 c:\windows\winsxs\x86_microsoft-windows-ie-ieproxy_31bf3856ad364e35_8.0.6001.18943_none_72efcb1f607b902b\ieproxy.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 246784 c:\windows\winsxs\x86_microsoft-windows-ie-ieproxy_31bf3856ad364e35_8.0.6001.18702_none_731a06b9605c0cc2\ieproxy.dll
+ 2010-09-10 17:09 . 2009-03-08 11:34 115712 c:\windows\winsxs\x86_microsoft-windows-ie-ielowutil_31bf3856ad364e35_8.0.6001.18702_none_e9612e8087062a88\ielowutil.exe
+ 2010-09-10 17:09 . 2009-03-08 11:33 125952 c:\windows\winsxs\x86_microsoft-windows-ie-iecleanup_31bf3856ad364e35_8.0.6001.18702_none_a0d17792aa595b3e\iecleanup.exe
+ 2010-09-10 17:09 . 2009-03-08 11:33 103936 c:\windows\winsxs\x86_microsoft-windows-ie-gc-setdepnx_31bf3856ad364e35_8.0.6001.18702_none_9396116207a33bbc\SetDepNx.exe
+ 2010-09-10 17:09 . 2009-03-08 11:33 107520 c:\windows\winsxs\x86_microsoft-windows-ie-gc-registeriepkeys_31bf3856ad364e35_8.0.6001.18702_none_0ad3f877399acafc\RegisterIEPKEYs.exe
+ 2010-09-10 17:10 . 2010-06-26 06:49 599040 c:\windows\winsxs\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_8.0.6001.23040_none_432de3356981e244\msfeeds.dll
+ 2010-09-10 17:10 . 2010-06-26 06:03 599040 c:\windows\winsxs\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_8.0.6001.18943_none_42a7710c50615864\msfeeds.dll
+ 2010-09-10 17:09 . 2009-03-08 11:32 594432 c:\windows\winsxs\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_8.0.6001.18702_none_42d1aca65041d4fb\msfeeds.dll
+ 2010-09-10 17:09 . 2009-03-08 11:31 216064 c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_8.0.6001.18702_none_7ab17169976f82c4\dxtrans.dll
+ 2010-09-10 17:09 . 2009-03-08 11:31 348160 c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_8.0.6001.18702_none_7ab17169976f82c4\dxtmsft.dll
+ 2010-09-10 17:10 . 2010-06-26 06:48 743424 c:\windows\winsxs\x86_microsoft-windows-ie-devtools_31bf3856ad364e35_8.0.6001.23040_none_1eec65b96ee1dbcd\iedvtool.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 743424 c:\windows\winsxs\x86_microsoft-windows-ie-devtools_31bf3856ad364e35_8.0.6001.18943_none_1e65f39055c151ed\iedvtool.dll
+ 2010-09-10 17:09 . 2009-03-08 11:35 742912 c:\windows\winsxs\x86_microsoft-windows-ie-devtools_31bf3856ad364e35_8.0.6001.18702_none_1e902f2a55a1ce84\iedvtool.dll
+ 2010-09-10 17:10 . 2010-06-26 06:48 184320 c:\windows\winsxs\x86_microsoft-windows-ie-behaviors_31bf3856ad364e35_8.0.6001.23040_none_200add98211957ee\iepeers.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 184320 c:\windows\winsxs\x86_microsoft-windows-ie-behaviors_31bf3856ad364e35_8.0.6001.18943_none_1f846b6f07f8ce0e\iepeers.dll
+ 2010-09-10 17:09 . 2009-03-08 11:31 183808 c:\windows\winsxs\x86_microsoft-windows-ie-behaviors_31bf3856ad364e35_8.0.6001.18702_none_1faea70907d94aa5\iepeers.dll
+ 2010-09-10 17:09 . 2009-03-08 11:11 445952 c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_8.0.6001.18702_none_de7d38b18189fc96\ieapfltr.dll
+ 2010-09-10 17:09 . 2009-03-08 11:32 163840 c:\windows\winsxs\x86_microsoft-windows-ie-adminkitmostfiles_31bf3856ad364e35_8.0.6001.18702_none_911d44271c9159e9\ieakui.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 229376 c:\windows\winsxs\x86_microsoft-windows-ie-adminkitmostfiles_31bf3856ad364e35_8.0.6001.18702_none_911d44271c9159e9\ieaksie.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 125952 c:\windows\winsxs\x86_microsoft-windows-ie-adminkitengine_31bf3856ad364e35_8.0.6001.18702_none_87015889ddff063f\ieakeng.dll
+ 2010-09-10 17:10 . 2010-06-26 06:48 387584 c:\windows\winsxs\x86_microsoft-windows-ie-adminkitbranding_31bf3856ad364e35_8.0.6001.23040_none_5797c5628688b053\iedkcs32.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 387584 c:\windows\winsxs\x86_microsoft-windows-ie-adminkitbranding_31bf3856ad364e35_8.0.6001.18943_none_571153396d682673\iedkcs32.dll
+ 2010-09-10 17:09 . 2009-03-08 21:09 391536 c:\windows\winsxs\x86_microsoft-windows-ie-adminkitbranding_31bf3856ad364e35_8.0.6001.18702_none_573b8ed36d48a30a\iedkcs32.dll
+ 2010-09-10 17:10 . 2010-06-26 06:51 919040 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.23040_none_e5304c66d0de8f8c\wininet.dll
+ 2010-09-10 17:10 . 2010-06-26 06:05 916480 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.18943_none_e4a9da3db7be05ac\wininet.dll
+ 2010-09-10 17:09 . 2009-03-08 11:34 914944 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.18702_none_e4d415d7b79e8243\wininet.dll
+ 2010-09-10 17:10 . 2010-06-26 06:49 611840 c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_8.0.6001.23040_none_c40cff8dab7e2868\mstime.dll
+ 2010-09-10 17:10 . 2010-06-26 06:03 611840 c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_8.0.6001.18943_none_c3868d64925d9e88\mstime.dll
+ 2010-09-10 17:09 . 2009-03-08 11:32 611840 c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_8.0.6001.18702_none_c3b0c8fe923e1b1f\mstime.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 107008 c:\windows\winsxs\x86_microsoft-windows-i..-setieinstalleddate_31bf3856ad364e35_8.0.6001.18702_none_eb622404d6d4cb81\SetIEInstalledDate.exe
+ 2010-09-10 17:09 . 2009-03-08 11:32 128512 c:\windows\winsxs\x86_microsoft-windows-advpack_31bf3856ad364e35_8.0.6001.18702_none_8eb687d4089bfe4d\advpack.dll
+ 2010-09-10 17:09 . 2009-03-08 11:34 208384 c:\windows\System32\WinFXDocObj.exe
- 2008-09-21 17:13 . 2008-01-19 07:33 208384 c:\windows\System32\WinFXDocObj.exe
+ 2010-09-10 17:09 . 2009-03-08 11:34 236544 c:\windows\System32\webcheck.dll
+ 2008-11-06 10:37 . 2010-09-10 17:13 291170 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2008-10-27 03:00 . 2010-09-10 12:54 409100 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2008-09-21 17:12 . 2008-01-19 07:36 105984 c:\windows\System32\url.dll
+ 2010-09-10 17:09 . 2009-03-08 11:34 105984 c:\windows\System32\url.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 107008 c:\windows\System32\SetIEInstalledDate.exe
+ 2010-09-10 17:09 . 2009-03-08 11:33 103936 c:\windows\System32\SetDepNx.exe
+ 2010-09-10 17:09 . 2009-03-08 11:33 107520 c:\windows\System32\RegisterIEPKEYs.exe
+ 2006-11-02 10:33 . 2010-09-11 08:15 656378 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-09-09 22:31 656378 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-09-11 08:15 126668 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2010-09-09 22:31 126668 c:\windows\System32\perfc009.dat
+ 2010-09-10 17:09 . 2009-03-08 11:33 109568 c:\windows\System32\PDMSetup.exe
+ 2010-09-10 17:10 . 2010-06-26 06:04 206848 c:\windows\System32\occache.dll
+ 2010-09-10 17:10 . 2010-06-26 06:03 611840 c:\windows\System32\mstime.dll
+ 2010-09-10 17:09 . 2009-03-08 11:34 193536 c:\windows\System32\msrating.dll
- 2008-09-21 17:13 . 2008-01-19 07:35 156160 c:\windows\System32\msls31.dll
+ 2010-09-10 17:09 . 2009-03-08 11:22 156160 c:\windows\System32\msls31.dll
+ 2010-09-10 17:10 . 2010-06-26 06:03 599040 c:\windows\System32\msfeeds.dll
+ 2010-09-10 18:00 . 2009-12-04 07:19 726528 c:\windows\System32\jscript.dll
+ 2010-09-10 17:09 . 2009-03-08 11:32 169472 c:\windows\System32\iexpress.exe
+ 2010-09-10 17:10 . 2010-06-26 06:02 164352 c:\windows\System32\ieui.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 184320 c:\windows\System32\iepeers.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 387584 c:\windows\System32\iedkcs32.dll
+ 2010-09-10 17:09 . 2009-03-08 11:11 445952 c:\windows\System32\ieapfltr.dll
+ 2010-09-10 17:09 . 2009-03-08 11:32 163840 c:\windows\System32\ieakui.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 229376 c:\windows\System32\ieaksie.dll
+ 2010-09-10 17:09 . 2009-03-08 11:33 125952 c:\windows\System32\ieakeng.dll
+ 2010-09-10 17:10 . 2010-06-26 04:24 173056 c:\windows\System32\ie4uinit.exe
+ 2006-11-02 12:47 . 2010-09-10 12:15 373808 c:\windows\System32\FNTCACHE.DAT
- 2006-11-02 12:47 . 2010-08-12 14:33 373808 c:\windows\System32\FNTCACHE.DAT
+ 2010-09-10 17:09 . 2009-03-08 11:31 216064 c:\windows\System32\dxtrans.dll
+ 2010-09-10 17:09 . 2009-03-08 11:31 348160 c:\windows\System32\dxtmsft.dll
+ 2010-09-10 17:20 . 2010-09-10 17:20 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2007-12-08 09:36 . 2010-09-11 08:14 360448 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-08 09:36 . 2010-09-09 22:34 360448 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-09-10 17:09 . 2009-03-08 11:32 128512 c:\windows\System32\advpack.dll
+ 2010-09-10 13:41 . 2010-09-10 13:41 424448 c:\windows\Installer\4e9661.msi
+ 2010-09-10 17:08 . 2010-09-10 17:08 552448 c:\windows\Installer\4c995.msi
+ 2010-09-10 13:41 . 2010-09-10 13:41 1093120 c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfc80u.dll
+ 2010-09-10 13:41 . 2010-09-10 13:41 1105920 c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfc80.dll
+ 2010-09-10 17:10 . 2010-06-26 06:48 1987072 c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.6001.23040_none_2aeb0342bb8fade9\iertutil.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 1986560 c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.6001.18943_none_2a649119a26f2409\iertutil.dll
+ 2010-09-10 17:09 . 2009-03-08 11:32 1985024 c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.6001.18702_none_2a8eccb3a24fa0a0\iertutil.dll
+ 2010-09-10 17:10 . 2010-06-26 06:49 5954560 c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.23040_none_f68a6b855134f8c2\mshtml.dll
+ 2010-09-10 17:10 . 2010-06-26 06:03 5951488 c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.18943_none_f603f95c38146ee2\mshtml.dll
+ 2010-09-10 17:09 . 2009-03-08 11:41 5937152 c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.18702_none_f62e34f637f4eb79\mshtml.dll
+ 2010-09-10 17:09 . 2009-02-07 04:07 3698584 c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_8.0.6001.18702_none_de7d38b18189fc96\ieapfltr.dat
+ 2010-09-10 17:10 . 2010-06-26 06:51 1211904 c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.6001.23040_none_982a70c505d568f9\urlmon.dll
+ 2010-09-10 17:10 . 2010-06-26 06:05 1210368 c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.6001.18943_none_97a3fe9becb4df19\urlmon.dll
+ 2010-09-10 17:09 . 2009-03-08 11:34 1206784 c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.6001.18702_none_97ce3a35ec955bb0\urlmon.dll
+ 2010-09-10 17:10 . 2010-06-26 06:05 1210368 c:\windows\System32\urlmon.dll
- 2006-11-02 10:22 . 2010-08-23 22:09 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2006-11-02 10:22 . 2010-09-10 20:29 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2010-09-10 17:10 . 2010-06-26 06:03 5951488 c:\windows\System32\mshtml.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 1986560 c:\windows\System32\iertutil.dll
+ 2010-09-10 17:09 . 2009-02-07 04:07 3698584 c:\windows\System32\ieapfltr.dat
+ 2010-09-10 17:09 . 2010-09-10 17:09 2317312 c:\windows\Installer\4c9a5.msi
+ 2010-09-10 17:10 . 2010-06-26 06:48 11078656 c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_8.0.6001.23040_none_47e9c588dd2a86ef\ieframe.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 11077120 c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_8.0.6001.18943_none_4763535fc409fd0f\ieframe.dll
+ 2010-09-10 17:09 . 2009-03-08 11:39 11063808 c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_8.0.6001.18702_none_478d8ef9c3ea79a6\ieframe.dll
+ 2010-09-10 17:10 . 2010-06-26 06:02 11077120 c:\windows\System32\ieframe.dll
+ 2010-09-10 15:53 . 2010-09-10 15:53 20303872 c:\windows\Installer\c8887e.msp
+ 2009-05-01 23:16 . 2010-09-10 18:00 299573751 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\Ailsa\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-06-14 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-29 4472832]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-24 45056]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-13 178712]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-08 54832]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-26 457216]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-10-17 858632]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Skytel"="Skytel.exe" [2007-05-29 1826816]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-24 148888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 150552]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-09-10 2065760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 179712]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-07-28 721904]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-09-10 216400]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-09-10 243024]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-09-10 308136]

.
Contents of the 'Scheduled Tasks' folder

2010-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1851843919-258154983-2237051013-1003Core.job
- c:\users\Ailsa\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-14 19:18]

2010-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1851843919-258154983-2237051013-1003UA.job
- c:\users\Ailsa\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-14 19:18]

2010-09-10 c:\windows\Tasks\Norton Security Scan for Ailsa.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-06-25 00:27]

2010-09-11 c:\windows\Tasks\User_Feed_Synchronization-{24B22FC6-9FD4-4B9E-AD2D-A56153674704}.job
- c:\windows\system32\msfeedssync.exe [2010-09-10 04:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Ailsa\AppData\Roaming\Mozilla\Firefox\Profiles\in1soth6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Ailsa\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2736)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
.
Completion time: 2010-09-11 09:54:59
ComboFix-quarantined-files.txt 2010-09-11 08:54
ComboFix2.txt 2010-09-09 22:39

Pre-Run: 12,871,581,696 bytes free
Post-Run: 14,034,448,384 bytes free

- - End Of File - - 6B9260D670BB72F1618384C828D2C9CD

ken545
2010-09-11, 13:48
Hi,

I am looking into this, be back as soon as I can

ken545
2010-09-11, 15:05
Hi,

What we removed was a dangerous backdoor bot, its responsible for downloading other malware and stealing user data.

Lets try running RKill again and see if it fixes it. If not then run this program

You may have to use a good computer to download these and transfer by disk or thumb drive to the infected one.


Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Jambo John
2010-09-11, 15:38
Hi

Cannot run rkill (any version) or exeHelper - get the message "Illegal operation on a registry key that has been marked for deletion"

ken545
2010-09-11, 15:49
Can you try running them in Safemode


To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)





You may also try to do a System Restore, although some of the malware will be back but we can deal with that later

http://support.microsoft.com/kb/306084

ken545
2010-09-11, 17:11
Just reboot your computer a few times, hang off on system restore

Jambo John
2010-09-11, 18:08
Hi Ken

Ran Rkill then exehelper in safe mode, rebooted then browsers worked - ran rkill and DDS - logs posted in sequence below:

exehelper in safe mode:


exeHelper by Raktor
Build 20100414
Run at 15:49:17 on 09/11/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

DDS logs in normal mode:



DDS (Ver_09-09-29.01) - NTFSx86
Run by Ailsa at 16:06:46.37 on 11/09/2010
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2038.859 [GMT 1:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Explorer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Ailsa\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ailsa\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Ailsa\Downloads\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\ailsa\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PLFSet] rundll32.exe c:\windows\PLFSet.dll,PLFDefSetting
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Skytel] Skytel.exe
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1240591838346&h=e53a404309ef65636af19b3679aee831/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\ailsa\appdata\roaming\mozilla\firefox\profiles\in1soth6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-9-10 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-9-10 243024]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2007-12-8 13560]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-9-10 308136]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2010-5-14 249136]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-8-18 1529728]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-2-8 179712]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-11 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-09-11 09:53 <DIR> --dsh--- C:\$RECYCLE.BIN
2010-09-10 19:00 420,352 a------- c:\windows\system32\vbscript.dll
2010-09-10 14:44 <DIR> --d----- C:\$AVG
2010-09-10 14:44 12,536 a------- c:\windows\system32\avgrsstx.dll
2010-09-10 14:44 243,024 a------- c:\windows\system32\drivers\avgtdix.sys
2010-09-10 14:44 216,400 a------- c:\windows\system32\drivers\avgldx86.sys
2010-09-10 14:44 <DIR> --d----- c:\windows\system32\drivers\Avg
2010-09-10 14:41 <DIR> --d----- c:\programdata\avg9
2010-09-10 14:41 <DIR> --d----- c:\progra~2\avg9
2010-09-10 08:36 <DIR> --d----- c:\program files\ESET
2010-09-09 23:24 256,512 a------- c:\windows\PEV.exe
2010-09-09 23:24 161,792 a------- c:\windows\SWREG.exe
2010-09-09 23:24 98,816 a------- c:\windows\sed.exe
2010-09-09 23:24 77,312 a------- c:\windows\MBR.exe
2010-09-09 17:53 <DIR> --d----- c:\users\ailsa\appdata\roaming\Malwarebytes
2010-09-09 17:53 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-09 17:53 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-09-09 17:53 <DIR> --d----- c:\programdata\Malwarebytes
2010-09-09 17:53 <DIR> --d----- c:\progra~2\Malwarebytes
2010-09-09 17:53 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-09-09 16:50 <DIR> --d----- c:\programdata\Office Genuine Advantage

==================== Find3M ====================

2010-07-02 14:07 143,360 a------- c:\windows\inf\infstrng.dat
2010-07-02 14:07 86,016 a------- c:\windows\inf\infstor.dat
2010-07-02 14:07 51,200 a------- c:\windows\inf\infpub.dat
2010-06-26 07:05 916,480 a------- c:\windows\system32\wininet.dll
2010-06-26 07:02 109,056 a------- c:\windows\system32\iesysprep.dll
2010-06-26 07:02 71,680 a------- c:\windows\system32\iesetup.dll
2010-06-26 05:25 133,632 a------- c:\windows\system32\ieUnatt.exe
2010-06-21 14:18 2,036,736 a------- c:\windows\system32\win32k.sys
2010-06-18 17:43 36,352 a------- c:\windows\system32\rtutils.dll
2008-10-24 16:14 174 a--sh--- c:\program files\desktop.ini
2008-10-24 16:05 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-12-16 13:07 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\temp\cookies\index.dat
2009-12-16 13:07 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\temp\history\history.ie5\index.dat
2009-12-16 13:07 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2007-12-08 11:10 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 16:07:38.04 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 08/12/2007 09:19:34
System Uptime: 09/11/2010 15:53:11 (-1415 hours ago)

Motherboard: Acer | | Columbia
Processor: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz | U2E1 | 2001/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 70 GiB total, 13.188 GiB free.
D: is FIXED (NTFS) - 70 GiB total, 69.181 GiB free.
E: is Removable
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0021
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter
PNP Device ID: ROOT\*6TO4MP\0021
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Broadcom NetLink (TM) Gigabit Ethernet
Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_011C1025&REV_02\4&87CE153&0&00E0
Manufacturer: Broadcom
Name: Broadcom NetLink (TM) Gigabit Ethernet
PNP Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_011C1025&REV_02\4&87CE153&0&00E0
Service: b57nd60x

==== System Restore Points ===================

RP739: 10/09/2010 14:41:08 - Installed AVG Free 9.0
RP740: 10/09/2010 16:53:34 - Windows Update
RP741: 10/09/2010 18:08:24 - Windows Update
RP742: 10/09/2010 21:28:24 - Windows Update
RP743: 11/09/2010 12:16:36 - Scheduled Checkpoint

==== Installed Programs ======================


4oD
Acer Crystal Eye webcam
Acer eDataSecurity Management
Acer eLock Management
Acer Empowering Technology
Acer eNet Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer Mobility Center Plug-In
Acer ScreenSaver
Acer Tour
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.2.1
AGEIA PhysX v7.11.13
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG Free 9.0
Bonjour
Broadcom Gigabit Integrated Controller
Business Contact Manager for Outlook 2007 SP2
Canon Easy-WebPrint EX
Canon MP Navigator EX 3.0
Canon MP250 series MP Drivers
Canon MP250 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Compatibility Pack for the 2007 Office system
DivX Setup
ERUNT 1.1j
ESET Online Scanner v3
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
Google Chrome
HDAUDIO Soft Data Fax Modem with SmartCP
Highlight Viewer (Windows Live Toolbar)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel(R) TV Wizard
iTunes
Java(TM) 6 Update 13
Junk Mail filter update
Launch Manager
LightScribe 1.4.142.1
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Lost Via Domus
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Age of Empires II Trial Version
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access 2003
Microsoft Office Live Add-in 1.5
Microsoft Office Outlook Connector
Microsoft Office Small Business Connectivity Components
Microsoft Office Standard Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Mozilla Firefox (3.0.13)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Security Scan
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
NTI Shadow
OGA Notifier 2.0.0048.0
PowerDVD
QuickTime
Realtek High Definition Audio Driver
Safari
Security Update for CAPICOM (KB931906)
Smart Menus (Windows Live Toolbar)
Spotify
Synaptics Pointing Device Driver
System Requirements Lab
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.4053
VoiceOver Kit
Vuze
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Favorites for Windows Live Toolbar
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Upload Tool
Windows Live Writer
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

11/09/2010 15:43:34, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
11/09/2010 15:43:13, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
11/09/2010 15:43:13, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
11/09/2010 15:43:13, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
11/09/2010 15:43:13, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
11/09/2010 15:43:13, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
11/09/2010 15:43:13, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
11/09/2010 15:43:13, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
11/09/2010 15:43:13, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
11/09/2010 15:43:13, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
11/09/2010 15:43:13, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
11/09/2010 15:43:13, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
11/09/2010 15:43:13, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
11/09/2010 15:43:13, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
11/09/2010 15:43:13, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/09/2010 15:43:13, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
11/09/2010 15:43:13, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
11/09/2010 15:42:20, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
11/09/2010 15:42:20, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
11/09/2010 15:42:20, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
11/09/2010 15:42:19, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/09/2010 15:42:11, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
11/09/2010 10:00:35, Error: bowser [8003] - The master browser has received a server announcement from the computer ACER-4D025C48B8 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{957EDBCA-A3A1-47A6-8946-05. The master browser is stopping or an election is being forced.
09/09/2010 23:28:32, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
09/09/2010 23:28:31, Error: Service Control Manager [7034] - The MobilityService service terminated unexpectedly. It has done this 1 time(s).
09/09/2010 23:27:52, Error: Service Control Manager [7034] - The XAudioService service terminated unexpectedly. It has done this 1 time(s).
09/09/2010 23:27:13, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001CBF63CAA3. The following error occurred: The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
09/09/2010 23:26:57, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.212.29.138 for the Network Card with network address 001CBF63CAA3 has been denied by the DHCP server 10.199.121.25 (The DHCP Server sent a DHCPNACK message).
09/09/2010 23:24:07, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.117 for the Network Card with network address 001CBF63CAA3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
09/09/2010 18:42:43, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.116 for the Network Card with network address 001CBF63CAA3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
09/09/2010 17:40:40, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.212.29.138 for the Network Card with network address 001CBF63CAA3 has been denied by the DHCP server 10.0.0.138 (The DHCP Server sent a DHCPNACK message).
09/09/2010 17:37:59, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.115 for the Network Card with network address 001CBF63CAA3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
09/09/2010 17:26:48, Error: Microsoft-Windows-Windows Defender [1008] - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Rogue:Win32/FakeVimes&threatid=141340 Scan ID: {AE4419CE-FABE-4B22-A473-9FCB8691DC63} Scan Type: AntiMalware User: NT AUTHORITY\NETWORK SERVICE Name: Rogue:Win32/FakeVimes ID: 141340 Severity ID: 5 Category ID: 8 Path: Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
09/09/2010 16:53:28, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
09/09/2010 16:48:19, Error: EventLog [6008] - The previous system shutdown at 19:01:36 on 05/09/2010 was unexpected.
05/09/2010 12:03:41, Error: PlugPlayManager [10] - Error writing to server side install pipe
04/09/2010 20:05:36, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
04/09/2010 19:58:58, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800706be: Office Live add-in 1.5.
04/09/2010 19:58:58, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800706ba: Office Genuine Advantage Notifications (KB949810).
04/09/2010 19:58:58, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800706ba: Internet Explorer 8 for Windows Vista.
04/09/2010 19:39:48, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
04/09/2010 19:39:37, Error: EventLog [6008] - The previous system shutdown at 19:37:01 on 04/09/2010 was unexpected.
04/09/2010 16:59:53, Error: PlugPlayManager [12] - The device 'Slimtype DVD A DS8A1P ATA Device' (IDE\CdRomSlimtype_DVD_A__DS8A1P__________________CA14____\5&206e8ad&0&0.0.0) disappeared from the system without first being prepared for removal.
04/09/2010 16:59:37, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{957EDBCA-A3A1-47A6-8946-055BF5DBB5D0} because another computer on the network has the same name. The server could not start.
04/09/2010 16:59:21, Error: cdrom [15] - The device, \Device\CdRom2, is not ready for access yet.

==== End Of File ===========================

ken545
2010-09-11, 18:59
New log looks fine. I guess I read more into the problem than there really was. Glad things are working ok.

You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

c:\users\Ailsa\AppData\Local\gxoowdbct <--You need to delete this folder

You need to update your Java

You can go to Start > Control Panel and look for the Java Icon ( looks like a little coffee cup ) go to the update tab and have it update it, this helps making your system more secure.

Any other problems ?

Jambo John
2010-09-13, 12:02
Hi Ken

Sorry for the delay in replying. My daughter has had to leave for Uni so I will talk her through these steps when she call me, hopefully today, and check all is well - certainly it was working brilliantly just before she left. Sorry if I panicked in my post of 10:17 on 11th. Thanks for your help so far. Will post again after I have spoken to her.

ken545
2010-09-13, 14:19
Good Morning,

That was my mistake, I forgot that with that error all you had to do was reboot, this happens just with Vista .

If you can get her to do this it would be great. These kids today are all about social networking and downloading free music, this is where they get into trouble, hope she will be a bit more careful, there are threats going around today that are uncleanable, the only recourse is to format the drive and install a fresh copy of windows, not a lot of fun.


Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.






How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

WinPatrol (www.winpatrol.com/download.html) Keep this fine program activated to block a lot of threats

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.



Safe Surfn
Ken

Jambo John
2010-09-13, 18:09
Hi

Completed recommended steps in post of 10-09-11 16:59, then downloaded and ran OTC. Everything seems to be working fine now. I can't thank you enough.

I directed her to the resources you mention in the last post, which I will look at myself. She's back in a couple of weeks and will go over these recommendations with her. A question: are all these recommended programs complimentary and can be used together? I ask because I think I have seen on this forum that sometimes security programs such as anti-virus programs can interfere with each other.

Cheers

ken545
2010-09-13, 19:39
Hello John,

The programs I posted will all work together and there all free. The only thing a home user has to purchase is Anti Virus software but there are also free versions if one wants to go that route and there more than adequate. Whats important is to just have one anti virus program and one firewall, more is over kill and wont accomplish anything. Some people think that installing 2 or 3 AV programs will make them more secure when in reality it will not, they use a ton of system resources working in the background and most times they will fight each other degrading system performance. Just use one, keep it updated and run a scan periodically.

Just read what I posted because SpywareGuard does the same as the TeaTimer in Spybot , so if you install Spybot and also SG, just dont enable the Teatimer in Spybot and you will be fine. SpywareBlaster works a bit differently so you can also install that.

Out side of what i posted the only thing you need is common sense, dont open emails from someone you dont know, dont download attachments unless you know for sure it came from someone you know. Don't be fooled by going into a website and a pop up tells you your infect , click here for a free scan, your not infected but you will be if you fall for it. Legit vendors don't operate that way.

Keep Malwarebytes, its free, update it and run a scan a few times a month and remove anything it finds ( hopefully nothing ) . The paid version has a malware blocker, I have it on all 3 of my systems, but thats up to you.

Take care,
Ken:)

ken545
2010-09-19, 15:26
Since this issue appears resolved this thread will be closed