Hello. :greeting:

My first post and predictably it's because I need your help, sorry :red:

I've read the "BEFORE you POST" thread, so I very much hope this post meets the rules.

I appear to have become a member of an ever increasing club, who have managed to encounter the Click.GiftLoad HijackersC (virus/trojan/worm??). Spybot finds the problem and allows me to 'fix' it, but whenever I restart windows it is still here.

The problem manifests itself in re-directed web browsing, I suspect un-authorised web browsing, regular and frequent script error debugging to web sites I have not knowingly visited. Through looking at the Spybot reports the finger always points to a svchost.exe problem in the registry under 'Feature_Browser_Emulation'. The debugging issue is always in relation to the file path - C:\WINDOWS\System32\svchost.exe

There are currently 10 svchost.exe processes listed in the task manager.

As instructed in the "BEFORE you POST" thread I need to let you know what I have rightly, or as I now suspect wrongly done to date;

-I did have another trojan/virus which came along at the same time as the Click.GiftLoad issue, I can't remember the exact name but I think it was win32.fraudload or something similar, I had a similar issue of removing it but each time I restarted windows it would return, after a bit of research I ran SDfix which seemingly sorted that problem (It is no longer found by Spybot)

- I have downloaded and run Malwarebytes along with Spybot and have done a System restore numerous times.

-The latest program I have run in an effort to deal with the problem was Combofix, this didn't seem to work, but with hindsight I probably shouldn't have done this with my lack of knowledge, apologies if this complicates things. :sad:

Other things to mention:confused:.... I have a full and up to date McAfee Internet Security Subscription and I use FireFox for web browsing.

DDS report >>>>

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Jimmy Wise at 15:15:13.73 on 14/03/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3536.2708 [GMT 0:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r205445\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
svchost.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Caplio Software\RGateLXP.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\winmine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\MSE7.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Jimmy Wise.COURAGE\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101102204702.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe"
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\jimmyw~1.cou\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ricohg~1.lnk - c:\program files\caplio software\RGateLXP.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: line6.net
Trusted Zone: mcafee.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\jimmyw~1.cou\applic~1\mozilla\firefox\profiles\8tydp6v2.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\jimmy wise.courage\application data\mozilla\firefox\profiles\8tydp6v2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\jimmy wise.courage\application data\mozilla\firefox\profiles\8tydp6v2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: SeoQuake: {317B5128-0B0B-49b2-B2DB-1E7560E16C74} - %profile%\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-24 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-11-2 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-11-2 54776]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-1-22 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-1-22 20840]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-2-6 443168]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-2 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-2 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-2 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-2 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-11-2 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-11-2 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-2 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2009-3-1 77824]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-3-28 2058776]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-3-28 112128]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-11-2 55840]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-3-28 32808]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-3-28 244368]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-3-28 110080]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [2005-9-28 27392]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-11-2 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-11-2 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-11-2 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-11-2 88544]
R3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [2009-3-28 148056]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-3-28 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-3-28 277440]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-18 136176]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-4-19 42832]
S3 L6TPortA;Service - Line 6 TonePort UX1;c:\windows\system32\drivers\L6TPortA.sys [2005-9-28 392448]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-11-2 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-2 84264]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
.
=============== Created Last 30 ================
.
2011-03-14 01:40:27 -------- d-sha-r- C:\cmdcons
2011-03-14 01:37:22 98816 ----a-w- c:\windows\sed.exe
2011-03-14 01:37:22 89088 ----a-w- c:\windows\MBR.exe
2011-03-14 01:37:22 256512 ----a-w- c:\windows\PEV.exe
2011-03-14 01:37:22 161792 ----a-w- c:\windows\SWREG.exe
2011-03-13 19:16:40 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2011-03-13 19:09:16 -------- d-----w- c:\windows\ERUNT
2011-03-13 18:40:33 -------- d-----w- C:\SDFix
2011-03-13 17:36:02 -------- d-----w- c:\program files\CCleaner
2011-03-13 17:24:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-13 17:24:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-13 16:34:40 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-13 16:34:40 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-12 13:06:04 -------- d-----w- c:\program files\Exterminate It!
2011-03-10 19:41:02 -------- dc----w- c:\docume~1\alluse~1\applic~1\{78A29A4D-35CE-4C46-9AC9-2692EE35F0BE}(2)
2011-03-10 19:40:40 -------- d-----w- c:\program files\Lavasoft(2)
2011-03-10 19:40:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Lavasoft(2)
2011-03-10 17:56:25 -------- d-----w- c:\program files\IObit
2011-03-09 23:56:29 -------- d-----w- c:\docume~1\jimmyw~1.cou\applic~1\Malwarebytes
2011-03-09 23:56:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-09 23:56:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-09 23:42:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-09 23:42:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2010-12-20 12:55:25 389120 ----a-w- c:\windows\system32\html.iec
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD80 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B03E439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b0447d0]; MOV EAX, [0x8b04484c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AFFFAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A5D8A90]
\Driver\iaStor[0x8A623568] -> IRP_MJ_CREATE -> 0x8B03E439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD800BJKT-75F4T0____________________11.01A11#4&11fcf6bd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 156301486 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 15:16:45.75 ===============


Spybot results >>>>

Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-03-13 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-02-24 Includes\Adware.sbi (*)
2011-03-08 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2011-03-08 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-02-24 Includes\Malware.sbi (*)
2011-03-08 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-03 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-08 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-08 Includes\TrojansC-02.sbi (*)
2011-03-03 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-08 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


I have attached the 'Attach.zip' to go with the DDS log.

I look forward to any help that can be offered and I will be extremely grateful for any reply. I've subscribed to instant email notification of replys and will reply to your responses with haste.

Thank you in advance.

:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


Running Combofix on your own is not recommended, I cant tell you how many systems have been damaged by running this tool incorrectly or without supervision. If you run it on your own, me, this forum and sUbs will not be responsible if you disable your system


Looks like your Master Boot Record is infected, run this tool please

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif
Click the "Scan" button to start scan



On completion of the scan click save log, save it to your desktop and post in your next reply

Hi, many thanks for your response.:)

I wish I'd seen this site first of all, I've already noticed a number undesirable things that have happened due to Combofix, drivers gone, no sound etc :oops: It'll teach me to have a little more patience.



aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-15 01:37:20
-----------------------------
01:37:20.640 OS Version: Windows 5.1.2600 Service Pack 3
01:37:20.640 Number of processors: 2 586 0x1706
01:37:20.640 ComputerName: COURAGE UserName:
01:37:21.062 Initialize success
01:37:23.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
01:37:23.093 Disk 0 Vendor: WDC_WD80 11.0 Size: 76319MB BusType: 8
01:37:23.187 Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD800BJKT-75F4T0____________________11.01A11#4&11fcf6bd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
01:37:23.234 Disk 0 MBR read successfully
01:37:23.265 Disk 0 MBR scan
01:37:23.343 Disk 0 TDL4@MBR code has been found
01:37:23.406 Disk 0 MBR hidden
01:37:23.453 Disk 0 MBR [TDL4] **ROOTKIT**
01:37:23.531 Disk 0 trace - called modules:
01:37:23.578 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8b03e439]<<
01:37:23.750 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8afffab8]
01:37:23.796 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a5d8a90]
01:37:23.906 \Driver\iaStor[0x8a623568] -> IRP_MJ_CREATE -> 0x8b03e439
01:37:23.953 Scan finished successfully


Thanks again, look forward to your response.

Good Morning,

Run aswMBR again > Click Scan > When the scan is done click the Fix Button. You need to reboot your computer when its done before you do anything else, then post the log that will be on your desktop.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrtdl4.gif




Then run this program

OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

Hello again, here's the asw report from the fix -

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-15 16:50:13
-----------------------------
16:50:13.953 OS Version: Windows 5.1.2600 Service Pack 3
16:50:13.953 Number of processors: 2 586 0x1706
16:50:13.953 ComputerName: COURAGE UserName:
16:50:14.843 Initialize success
16:50:16.562 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
16:50:16.562 Disk 0 Vendor: WDC_WD80 11.0 Size: 76319MB BusType: 8
16:50:16.562 Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD800BJKT-75F4T0____________________11.01A11#4&11fcf6bd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
16:50:16.562 Disk 0 MBR read successfully
16:50:16.562 Disk 0 MBR scan
16:50:16.562 Disk 0 TDL4@MBR code has been found
16:50:16.578 Disk 0 MBR hidden
16:50:16.578 Disk 0 MBR [TDL4] **ROOTKIT**
16:50:16.578 Disk 0 trace - called modules:
16:50:16.578 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8afd7439]<<
16:50:16.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa3b770]
16:50:16.578 3 CLASSPNP.SYS -> nt!IofCallDriver -> [0x8a5f37a8]
16:50:16.578 \Driver\iaStor[0x8b0544c0] -> IRP_MJ_CREATE -> 0x8afd7439
16:50:16.593 Scan finished successfully
16:50:19.562 Disk 0 fixing MBR
16:50:29.578 Disk 0 MBR restored successfully
16:50:29.578 Infection fixed successfully - please reboot ASAP


Here's the [B]asw report after reboot-


aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-15 16:55:50
-----------------------------
16:55:50.328 OS Version: Windows 5.1.2600 Service Pack 3
16:55:50.328 Number of processors: 2 586 0x1706
16:55:50.328 ComputerName: COURAGE UserName:
16:55:50.671 Initialize success
16:55:52.468 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:55:52.468 Disk 0 Vendor: WDC_WD80 11.0 Size: 76319MB BusType: 8
16:55:52.484 Disk 0 MBR read successfully
16:55:52.484 Disk 0 MBR scan
16:55:52.484 Disk 0 scanning sectors +156296385
16:55:52.515 Disk 0 scanning C:\WINDOWS\system32\drivers
16:56:02.140 Service scanning
16:56:03.515 Disk 0 trace - called modules:
16:56:03.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
16:56:03.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b02f6b8]
16:56:03.546 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8b030028]
16:56:03.546 Scan finished successfully

.....and here are the OTL logs -

OTL logfile created on: 15/03/2011 17:04:53 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 82.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.36 Gb Total Space | 28.47 Gb Free Space | 38.28% Space Free | Partition Type: NTFS

Computer Name: COURAGE | User Name: Jimmy Wise | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee Online Backup\MOBKbackup.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe (Smith Micro Software, Inc.)
PRC - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe (Smith Micro Software, Inc.)
PRC - C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe (Dell Inc.)
PRC - C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe (Dell Inc.)
PRC - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe (Broadcom Corporation)
PRC - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe (Broadcom Corporation)
PRC - C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe (Dell Inc.)
PRC - C:\Program Files\Wave Systems Corp\SecureUpgrade.exe (Wave Systems Corp.)
PRC - C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe (Broadcom Corporation)
PRC - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe (Wave Systems Corp.)
PRC - C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe (Dell Inc.)
PRC - C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe (Wave Systems Corp.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - c:\drivers\audio\R205445\stacsv.exe (IDT, Inc.)
PRC - C:\WINDOWS\system32\AESTFltr.exe (Andrea Electronics Corporation)
PRC - C:\Program Files\DellTPad\hidfind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\ApMsgFwd.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe (Creative Technology Ltd.)
PRC - C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (Intel(R) Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation)
PRC - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files\Intel\AMT\lms.exe (Intel Corporation)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Caplio Software\RGateLXP.exe (Ricoh Company, Ltd.)
PRC - C:\Program Files\Intel\ASF Agent\ASFAgent.exe (Intel Corporation)
PRC - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe ()
PRC - C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe (Adobe Systems Incorporated)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\OTL.exe (OldTimer Tools)
MOD - c:\Program Files\McAfee\SiteAdvisor\sahook.dll (McAfee, Inc.)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (SPService) -- C:\Documents and Settings\All Users\Application Data\Ableton\sp.DLL ()
SRV - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
SRV - (mfevtp) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe ()
SRV - (MOBKbackup) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe (McAfee, Inc.)
SRV - (MSK80Service) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McProxy) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNASvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNaiAnn) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McMPFSvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McComponentHostService) -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (McAfee, Inc.)
SRV - (SMManager) -- C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe (Smith Micro Software, Inc.)
SRV - (dcpsysmgrsvc) -- C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe (Dell Inc.)
SRV - (Credential Vault Host Control Service) -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe (Broadcom Corporation)
SRV - (Credential Vault Host Storage) -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe (Broadcom Corporation)
SRV - (TdmService) -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe (Wave Systems Corp.)
SRV - (buttonsvc32) -- C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe (Dell Inc.)
SRV - (SecureStorageService) -- C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe (Wave Systems Corp.)
SRV - (IAANTMON) Intel(R) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (STacSV) -- c:\drivers\audio\R205445\stacsv.exe (IDT, Inc.)
SRV - (tcsd_win32.exe) -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe ()
SRV - (EvtEng) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation)
SRV - (S24EventMonitor) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (Intel(R) Corporation)
SRV - (RegSrvc) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation)
SRV - (UNS) Intel(R) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) Intel(R) -- C:\Program Files\Intel\AMT\lms.exe (Intel Corporation)
SRV - (ASFAgent) -- C:\Program Files\Intel\ASF Agent\ASFAgent.exe (Intel Corporation)
SRV - (AdobeActiveFileMonitor4.0) -- C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe ()


========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfefirek) -- C:\WINDOWS\system32\drivers\mfefirek.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mfendiskmp) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
DRV - (mfendisk) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfetdi2k) -- C:\WINDOWS\system32\drivers\mfetdi2k.sys (McAfee, Inc.)
DRV - (cfwids) -- C:\WINDOWS\system32\drivers\cfwids.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (MOBKFilter) -- C:\WINDOWS\system32\drivers\MOBK.sys (Mozy, Inc.)
DRV - (hwdatacard) -- C:\WINDOWS\system32\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.)
DRV - (cvusbdrv) -- C:\WINDOWS\system32\drivers\cvusbdrv.sys (Broadcom Corporation)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (WavxDMgr) -- C:\WINDOWS\system32\drivers\WavxDMgr.sys (Wave Systems Corp.)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (AESTAud) -- C:\WINDOWS\system32\drivers\AESTAud.sys (Andrea Electronics Corporation)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (OA001Ufd) -- C:\WINDOWS\system32\drivers\OA001Ufd.sys (Creative Technology Ltd.)
DRV - (OA001Vid) -- C:\WINDOWS\system32\drivers\OA001Vid.sys (Creative Technology Ltd.)
DRV - (OA001Afx) -- C:\WINDOWS\system32\drivers\OA001Afx.sys (Creative Technology Ltd.)
DRV - (NETw5x32) Intel(R) -- C:\WINDOWS\system32\drivers\NETw5x32.sys (Intel Corporation)
DRV - (IntcHdmiAddService) Intel(R) -- C:\WINDOWS\system32\drivers\IntcHdmi.sys (Intel(R) Corporation)
DRV - (HECI) Intel(R) -- C:\WINDOWS\system32\drivers\HECI.sys (Intel Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (USBCCID) -- C:\WINDOWS\system32\drivers\usbccid.sys (Microsoft Corporation)
DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)
DRV - (e1yexpress) Intel(R) -- C:\WINDOWS\system32\drivers\e1y5132.sys (Intel Corporation)
DRV - (PBADRV) -- C:\WINDOWS\system32\DRIVERS\PBADRV.sys (Dell Inc)
DRV - (NAL) -- C:\WINDOWS\system32\drivers\iqvw32.sys (Intel Corporation )
DRV - (UsbDiag) -- C:\WINDOWS\system32\drivers\lgusbdiag.sys (LG Electronics Inc.)
DRV - (USBModem) -- C:\WINDOWS\system32\drivers\lgusbmodem.sys (LG Electronics Inc.)
DRV - (usbbus) -- C:\WINDOWS\system32\drivers\lgusbbus.sys (LG Electronics Inc.)
DRV - (AsfAlrt) -- C:\WINDOWS\system32\drivers\Asfalrt.sys (Intel Corporation)
DRV - (L6DP) -- C:\WINDOWS\system32\drivers\l6dp.sys (Line 6)
DRV - (L6TPortA) -- C:\WINDOWS\system32\drivers\L6TPortA.sys (Line 6)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-4282530659-627522652-1122102670-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
IE - HKU\S-1-5-21-4282530659-627522652-1122102670-1005\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-4282530659-627522652-1122102670-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4282530659-627522652-1122102670-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Secure Search"
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.3
FF - prefs.js..extensions.enabledItems: {317B5128-0B0B-49b2-B2DB-1E7560E16C74}:2.6.8
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://uk.search.yahoo.com/search?fr=mcafee&p="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/03/13 16:22:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/14 17:02:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/14 17:02:19 | 000,000,000 | ---D | M]

[2010/05/02 12:41:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Mozilla\Extensions
[2011/03/14 17:42:25 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Mozilla\Firefox\Profiles\8tydp6v2.default\extensions
[2010/05/05 20:13:17 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Mozilla\Firefox\Profiles\8tydp6v2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/12/09 01:39:22 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Mozilla\Firefox\Profiles\8tydp6v2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/12/10 00:42:22 | 000,000,000 | ---D | M] (SeoQuake) -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Mozilla\Firefox\Profiles\8tydp6v2.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
[2011/03/13 16:41:05 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/03/13 16:21:56 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}(2)
[2009/03/28 00:32:59 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/03/13 16:22:42 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
[2010/10/13 22:28:54 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2011/03/14 17:02:15 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2011/03/14 17:02:15 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2011/03/14 17:02:15 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/11/02 15:59:29 | 000,002,027 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml
[2011/03/14 17:02:15 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2011/03/14 02:35:21 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (HP Print Clips) - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101102204702.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [DellConnectionManager] C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe (Smith Micro Software, Inc.)
O4 - HKLM..\Run: [DellControlPoint] C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe (Dell Inc.)
O4 - HKLM..\Run: [EmbassySecurityCheck] C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [picon] C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)
O4 - HKLM..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [USCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe (Broadcom Corporation)
O4 - HKLM..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe (Wave Systems Corp.)
O4 - HKU\S-1-5-21-4282530659-627522652-1122102670-1005..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe (Dell Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RICOH Gate La.lnk = C:\Program Files\Caplio Software\RGateLXP.exe (Ricoh Company, Ltd.)
O4 - Startup: C:\Documents and Settings\Jimmy Wise.COURAGE\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4282530659-627522652-1122102670-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4282530659-627522652-1122102670-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-4282530659-627522652-1122102670-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-4282530659-627522652-1122102670-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-4282530659-627522652-1122102670-1005\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-4282530659-627522652-1122102670-1005\..Trusted Domains: line6.net ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4282530659-627522652-1122102670-1005\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-4282530659-627522652-1122102670-1005\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jimmy Wise.COURAGE\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jimmy Wise.COURAGE\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 21:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/15 17:00:12 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\OTL.exe
[2011/03/15 16:58:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/03/15 16:51:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/03/15 01:34:37 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\aswMBR.exe
[2011/03/14 19:26:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/03/14 19:26:37 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2011/03/14 19:26:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBlaster
[2011/03/14 15:12:57 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/03/14 15:12:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/03/14 14:49:30 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/14 01:40:27 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/14 01:37:22 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/14 01:37:22 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/14 01:37:22 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/14 01:37:22 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/14 01:36:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/03/14 01:32:27 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/14 01:30:55 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2011/03/13 21:44:11 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Recent
[2011/03/13 19:16:40 | 000,578,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2011/03/13 19:09:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2011/03/13 18:42:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\SDFix
[2011/03/13 18:40:33 | 000,000,000 | ---D | C] -- C:\SDFix
[2011/03/13 18:06:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jimmy Wise.COURAGE\My Documents\ccleaner reg backup
[2011/03/13 17:36:02 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/03/13 17:24:46 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/03/13 17:24:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/13 17:24:40 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/03/13 16:55:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/03/13 16:29:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2011/03/12 13:06:04 | 000,000,000 | ---D | C] -- C:\Program Files\Exterminate It!
[2011/03/11 23:00:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/03/11 23:00:27 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/03/11 22:45:35 | 000,148,888 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/03/11 22:45:35 | 000,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/03/11 22:45:35 | 000,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/03/10 19:41:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{78A29A4D-35CE-4C46-9AC9-2692EE35F0BE}(2)
[2011/03/10 19:40:40 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft(2)
[2011/03/10 19:40:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft(2)
[2011/03/10 17:56:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IObit Security 360
[2011/03/10 17:56:25 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2011/03/10 17:47:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jimmy Wise.COURAGE\My Documents\registry backup
[2011/03/10 15:56:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/03/10 11:37:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/03/09 23:56:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Malwarebytes
[2011/03/09 23:56:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/03/09 23:56:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/03/09 23:42:26 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/03/09 23:42:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/03/09 16:16:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/03/09 16:16:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/15 17:00:16 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\OTL.exe
[2011/03/15 16:56:52 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\MBR.dat
[2011/03/15 16:52:35 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Local Settings\Application Data\WavXMapDrive.bat
[2011/03/15 16:52:17 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/15 16:52:17 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/15 16:51:56 | 000,001,597 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Internet Security.lnk
[2011/03/15 16:51:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/15 16:51:44 | 3707,658,240 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/15 16:39:00 | 000,000,892 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/15 01:34:38 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\aswMBR.exe
[2011/03/15 01:24:05 | 000,001,489 | ---- | M] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\Windows Explorer.LNK
[2011/03/14 19:26:37 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\SpywareBlaster.lnk
[2011/03/14 15:18:52 | 000,006,235 | ---- | M] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\140311 Attach.zip
[2011/03/14 15:13:06 | 000,000,769 | ---- | M] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/03/14 15:12:57 | 000,000,613 | ---- | M] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\NTREGOPT.lnk
[2011/03/14 15:12:57 | 000,000,594 | ---- | M] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\ERUNT.lnk
[2011/03/14 03:08:12 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/14 02:35:21 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/14 01:40:36 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/03/13 22:20:13 | 000,468,098 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/13 22:20:13 | 000,080,956 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/13 19:16:40 | 000,578,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2011/03/13 17:36:03 | 000,000,684 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/03/13 17:24:46 | 000,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/13 16:55:03 | 000,000,935 | ---- | M] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\Spybot - Search & Destroy.lnk
[2011/03/12 13:58:44 | 000,186,824 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/12 11:08:17 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/08 19:06:33 | 001,482,299 | ---- | M] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\My Documents\bike computer.pdf
[2011/02/15 21:30:55 | 000,279,640 | ---- | M] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\My Documents\SI_6K20A_001_En_v1_m56577569830616322.pdf
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/15 01:37:43 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\MBR.dat
[2011/03/14 19:26:37 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\SpywareBlaster.lnk
[2011/03/14 15:18:52 | 000,006,235 | ---- | C] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\140311 Attach.zip
[2011/03/14 15:13:06 | 000,000,769 | ---- | C] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/03/14 15:12:57 | 000,000,613 | ---- | C] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\NTREGOPT.lnk
[2011/03/14 15:12:57 | 000,000,594 | ---- | C] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\ERUNT.lnk
[2011/03/14 03:07:52 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/03/14 01:40:35 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/03/14 01:40:30 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/03/14 01:37:22 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/14 01:37:22 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/14 01:37:22 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/14 01:37:22 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/14 01:37:22 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/13 22:09:58 | 3707,658,240 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/13 17:36:03 | 000,000,684 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/03/13 17:24:46 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/13 16:55:03 | 000,000,935 | ---- | C] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop\Spybot - Search & Destroy.lnk
[2011/03/08 19:06:33 | 001,482,299 | ---- | C] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\My Documents\bike computer.pdf
[2011/02/15 21:30:55 | 000,279,640 | ---- | C] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\My Documents\SI_6K20A_001_En_v1_m56577569830616322.pdf
[2010/10/28 12:50:22 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/29 14:14:23 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2010/08/25 21:19:44 | 000,000,736 | ---- | C] () -- C:\WINDOWS\Irodio.INI
[2010/08/25 21:15:26 | 000,000,041 | ---- | C] () -- C:\WINDOWS\System32\SUPPORT.INI
[2010/05/02 12:40:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/04/11 14:16:48 | 000,013,312 | ---- | C] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/07 00:45:05 | 000,015,020 | -HS- | C] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Local Settings\Application Data\1DyLb6P2b0J
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/06/06 14:59:24 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/05/12 14:52:30 | 000,000,141 | ---- | C] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Local Settings\Application Data\fusioncache.dat
[2009/05/10 01:39:08 | 000,139,769 | ---- | C] () -- C:\WINDOWS\hpoins15.dat
[2009/05/10 01:39:08 | 000,001,039 | ---- | C] () -- C:\WINDOWS\hpomdl15.dat
[2009/05/07 23:20:40 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\instlsp.exe
[2009/05/07 19:46:05 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jimmy Wise.COURAGE\Local Settings\Application Data\WavXMapDrive.bat
[2009/03/28 08:16:15 | 002,026,604 | ---- | C] () -- C:\WINDOWS\System32\igkrng500.bin
[2009/03/28 08:16:15 | 000,442,964 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin
[2009/03/28 08:16:15 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4980.dll
[2009/03/28 08:16:08 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2009/03/28 08:15:14 | 000,001,204 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/03/28 01:00:29 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/03/28 00:43:38 | 000,279,888 | ---- | C] () -- C:\WINDOWS\System32\brcmbsp.dll
[2009/03/28 00:41:16 | 000,080,368 | ---- | C] () -- C:\WINDOWS\System32\pbadrvdll.dll
[2009/03/01 18:01:02 | 000,143,360 | R--- | C] () -- C:\WINDOWS\System32\preflib.dll
[2008/12/22 12:13:54 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\wxvault.dll
[2008/12/19 18:59:18 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_tr.dll
[2008/12/19 18:59:16 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ro.dll
[2008/12/19 18:59:16 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pt-BR.dll
[2008/12/19 18:59:14 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_hu.dll
[2008/12/19 18:59:14 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_he.dll
[2008/12/19 18:59:12 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_fi.dll
[2008/12/19 18:59:10 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_el.dll
[2008/12/19 18:59:10 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_cs.dll
[2008/12/19 18:59:08 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ar.dll
[2008/12/19 18:59:06 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHT.dll
[2008/12/19 18:59:06 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHS.dll
[2008/12/19 18:59:04 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_sv.dll
[2008/12/19 18:59:04 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ru.dll
[2008/12/19 18:59:02 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pt.dll
[2008/12/19 18:59:00 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pl.dll
[2008/12/19 18:59:00 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_no.dll
[2008/12/19 18:58:58 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_nl.dll
[2008/12/19 18:58:56 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ja.dll
[2008/12/19 18:58:56 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ko.dll
[2008/12/19 18:58:54 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_it.dll
[2008/12/19 18:58:54 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_fr.dll
[2008/12/19 18:58:52 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_es.dll
[2008/12/19 18:58:50 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_de.dll
[2008/12/19 18:58:48 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_da.dll
[2008/12/11 15:51:36 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\Wavx_ESC_Logging.dll
[2008/12/11 12:59:48 | 000,512,000 | ---- | C] () -- C:\WINDOWS\System32\AmRes_en.dll
[2008/12/11 12:59:46 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fr.dll
[2008/12/11 12:59:46 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\AmRes_es.dll
[2008/12/11 12:59:46 | 000,536,576 | ---- | C] () -- C:\WINDOWS\System32\AmRes_it.dll
[2008/12/11 12:59:44 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ja.dll
[2008/12/11 12:59:44 | 000,503,808 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ko.dll
[2008/12/11 12:59:42 | 000,565,248 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ru.dll
[2008/12/11 12:59:42 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-BR.dll
[2008/12/11 12:59:40 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\AmRes_da.dll
[2008/12/11 12:59:40 | 000,479,232 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHT.dll
[2008/12/11 12:59:40 | 000,475,136 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHS.dll
[2008/12/11 12:59:38 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\AmRes_nl.dll
[2008/12/11 12:59:38 | 000,512,000 | ---- | C] () -- C:\WINDOWS\System32\AmRes_no.dll
[2008/12/11 12:59:36 | 000,528,384 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pl.dll
[2008/12/11 12:59:36 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\AmRes_sv.dll
[2008/12/11 12:59:36 | 000,512,000 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ar.dll
[2008/12/11 12:59:34 | 000,536,576 | ---- | C] () -- C:\WINDOWS\System32\AmRes_el.dll
[2008/12/11 12:59:34 | 000,528,384 | ---- | C] () -- C:\WINDOWS\System32\AmRes_cs.dll
[2008/12/11 12:59:34 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fi.dll
[2008/12/11 12:59:34 | 000,503,808 | ---- | C] () -- C:\WINDOWS\System32\AmRes_he.dll
[2008/12/11 12:59:32 | 000,532,480 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-PT.dll
[2008/12/11 12:59:32 | 000,528,384 | ---- | C] () -- C:\WINDOWS\System32\AmRes_hu.dll
[2008/12/11 12:59:30 | 000,532,480 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ro.dll
[2008/12/11 12:59:30 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\AmRes_tr.dll
[2008/12/11 12:56:30 | 000,544,768 | ---- | C] () -- C:\WINDOWS\System32\AmRes_de.dll
[2008/10/06 18:36:56 | 000,839,680 | ---- | C] () -- C:\WINDOWS\System32\DemoLicense.dll
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/25 21:31:41 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/04/25 21:27:18 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/04/25 21:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/25 16:16:24 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/25 16:16:22 | 000,468,098 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/25 16:16:22 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/25 16:16:22 | 000,080,956 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/25 16:16:22 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/25 16:16:22 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/25 16:16:21 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/25 16:16:20 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/04/25 16:16:18 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/25 16:16:18 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/25 16:16:13 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/25 16:16:11 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/25 09:22:39 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/04/25 09:21:52 | 000,186,824 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/03/25 09:46:00 | 000,077,536 | ---- | C] () -- C:\WINDOWS\System32\xltZlib.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/04/19 05:52:16 | 000,080,720 | ---- | C] () -- C:\WINDOWS\System32\AsfBios.dll
[2007/04/19 05:28:10 | 000,025,424 | ---- | C] () -- C:\WINDOWS\System32\drivers\netamsg.dll
[2006/06/30 12:58:44 | 000,176,128 | R--- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll
[2006/06/30 12:58:44 | 000,126,976 | R--- | C] () -- C:\WINDOWS\System32\bioapi100.dll
[2006/06/12 08:01:16 | 000,348,160 | ---- | C] () -- C:\WINDOWS\tsp.dll
[2005/09/28 18:34:28 | 000,998,400 | ---- | C] () -- C:\WINDOWS\System32\l6gpcon.exe
[2004/09/10 13:34:00 | 000,917,504 | ---- | C] () -- C:\WINDOWS\System32\lmgr10.dll
[2004/09/10 13:34:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/03/28 00:53:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Broadcom
[2009/03/28 01:00:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Wave Systems Corp
[2009/03/28 00:30:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
[2011/03/15 15:42:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ableton
[2009/03/28 00:57:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AT&T
[2010/09/11 16:29:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2009/03/28 00:49:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
[2010/09/21 10:07:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\O2CM-CE
[2009/05/26 21:33:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sports Interactive
[2011/03/14 19:26:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/05/07 18:29:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
[2011/03/13 16:31:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{78A29A4D-35CE-4C46-9AC9-2692EE35F0BE}(2)
[2009/06/25 23:10:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/03/28 00:53:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Broadcom
[2009/03/28 01:00:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Wave Systems Corp
[2009/03/28 00:30:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Windows Desktop Search
[2009/03/28 01:00:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jimmy Wise\Application Data\Wave Systems Corp
[2009/05/09 15:55:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Ableton
[2010/12/10 00:34:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Affilorama
[2009/03/28 00:53:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Broadcom
[2009/05/11 00:00:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\GetRightToGo
[2009/09/16 21:50:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\LG Electronics
[2009/05/10 17:36:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Line 6
[2010/09/11 15:55:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Opera
[2010/02/10 00:46:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\PacificPoker
[2009/05/26 21:33:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Sports Interactive
[2010/09/21 10:15:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Tatara Systems
[2009/03/28 01:00:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Wave Systems Corp
[2009/03/28 00:30:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Windows Desktop Search
[2009/05/09 11:17:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jimmy Wise.COURAGE\Application Data\Windows Search
[2009/11/29 21:25:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2010/10/28 12:50:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Wave Systems Corp
[2010/04/01 18:50:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TEMP\Application Data\Broadcom
[2010/04/01 18:49:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TEMP\Application Data\Wave Systems Corp
[2010/04/01 18:49:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TEMP\Application Data\Windows Desktop Search

========== Purity Check ==========



< End of report >

....and finally here is the 'Extras' log-

OTL Extras logfile created on: 15/03/2011 17:04:53 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Jimmy Wise.COURAGE\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 82.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.36 Gb Total Space | 28.47 Gb Free Space | 38.28% Space Free | Partition Type: NTFS

Computer Name: COURAGE | User Name: Jimmy Wise | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-4282530659-627522652-1122102670-1005\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"11905:TCP" = 11905:TCP:*:Enabled:spport

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Sports Interactive\Football Manager 2009\fm.exe" = C:\Program Files\Sports Interactive\Football Manager 2009\fm.exe:*:Enabled:Football Manager 2009 -- (Sports Interactive)
"C:\Program Files\Caplio Software\RGateLXP.exe" = C:\Program Files\Caplio Software\RGateLXP.exe:*:Enabled:RICOH Gate La for DSC -- (Ricoh Company, Ltd.)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{001E7FB6-BB6B-4ED0-BEDC-B5404ED96D4E}" = DocProc
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{07D618CD-B016-438A-ADC9-A75BD23F85CE}" = Wave Support Software
"{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
"{10E1E87C-656C-4D08-86D6-5443D28583BE}" = TrayApp
"{173497F1-F291-4AA7-943E-61CB9378771D}" = SO32MMWrapper
"{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
"{2220CF3A-EBD6-4070-94D0-0C7337B537A7}" = All Day Battery Life Configuration
"{2223FC2F-B862-4F83-BC9E-DDF2DADF2859}" = Intel(R) Network Connections 13.0.42.0
"{22466889-7642-488d-AA0E-F619704CF7AB}" = DeviceDiscovery
"{24A494F3-5B5F-4183-9F7D-9CE82812C1FC}" = tsp patch
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 13
"{27C467F8-F8EF-4f68-BD72-D63632B2096C}" = McAfee Online Backup
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{294EAADF-E50F-4DD8-AD8D-19587EA10512}" = Modem Diagnostic Tool
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A6BE9F4-5FC8-44BB-BE7B-32A29607FEF6}" = Preboot Manager
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{41573DB1-9DAA-43C7-BCBC-49696A648079}" = Dell ControlPoint Connection Manager
"{415CDA53-9100-476F-A7B2-476691E117C7}" = HP Smart Web Printing
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{4994A7CB-2BF4-4664-8FCE-DB66055ECEBC}" = Broadcom USH Host Components
"{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2}" = Document Manager Lite
"{53333479-6A52-4816-8497-5C52B67ED339}" = EMBASSY Security Setup
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{5D601655-6D54-4384-B52C-17EC5385FBBD}" = iTunes
"{62F29D1C-D526-40F4-B4D0-840F043C2CC1}" = Dell ControlPoint System Manager
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6705BBE4-4664-40C6-9C1B-0330FA300A5C}" = DCP32MMWrapper
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6EA8A52B-8EA1-4A59-85AB-48132299061A}" = Intel(R) PRO Alerting Agent
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7AEDF187-AC25-4E2B-8065-F5ED3896F28B}" = Caplio Software
"{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01
"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support
"{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8CB7F4E6-73AE-4D8F-86A2-EAE39CE72FD1}" = Intel(R) PROSet/Wireless WiFi API
"{8E1E6C75-D67B-48B0-B539-EDCA99C29C9E}" = Dell Control Point
"{8FFC924C-ED06-44CB-8867-3CA778ECE903}" = Adobe Help Center 2.0
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9593C6E5-205E-45C3-B785-05CF146CA76A}" = biolsp patch
"{993960EE-CA4D-443F-8F88-E24260DD5FD2}" = LG PC Suite
"{9AE41AF3-FAD1-4A34-8976-747FDC19FE08}" = Intel(R) PROSet/Wireless WiFi Driver
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A093D83F-429A-4AB2-A0CD-1F7E9C7B764A}" = Trusted Drive Manager
"{A23C3636-4F99-4A34-972C-F395E85DFEC0}" = Wave Infrastructure Installer
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB40272D-92AB-4F30-B36B-22EDE16F8FE5}" = HP Update
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{ABBA2EA4-740E-4052-902B-9CA70B081E3F}" = Dell Embassy Trust Suite by Wave Systems
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{ACA85783-8EEA-4f0a-B2A3-A8173F30209F}" = C4200_doccd
"{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
"{AF7E4468-E364-4991-BC2A-6E8293E1055B}" = BioAPI Framework
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B09BCBF6-87EE-4403-A336-3A9510856535}" = HP Photosmart All-In-One Software 9.0
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BB93D30B-B395-44BB-A9ED-A0E057F07E53}" = NTRU TCG Software Stack
"{BC52E419-B185-488F-9973-049A88E5DCBE}" = Gemalto
"{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
"{BFDE4176-5DFE-4db9-AA00-8F30CB001BDA}" = c4200_Help
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C39E671D-0528-4c5e-A034-8470C5BC393A}" = C4200
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFF4500E-C5D6-695D-A027-B3D4DDED2CC3}" = McAfee Online Backup
"{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
"{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}" = Secure Update
"{D8B7A682-20DA-4797-8415-B1FB14D4D32B}" = PS_AIO_Software
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{E28750A2-45F2-4b63-99F7-9F81A94B1E2D}" = PS_AIO_Software_min
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E738A392-F690-4A9D-808E-7BAF80E0B398}" = ESC Home Page Plugin
"{E8F5F4AB-512F-44EB-9018-3C527AF6A717}" = Irodio Photo & Video Studio
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{EBB7C1C1-D439-4D9B-9FDC-954C10F266B0}" = Adobe Photoshop Elements 4.0
"{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}" = Security Wizards
"{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F4487649-7368-4217-AEA3-1E04DB3E2C5C}" = Dell ControlPoint Security Manager
"{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE
"{FD7F242B-9AA0-40c3-941E-3A9821D19C09}" = PS_AIO_ProductContext
"{FD8D8B04-BEAD-4A55-AA1D-62D2373E7DEA}" = Status
"{FF1DDCF4-3A28-4F7F-96D8-E3F4BD1C1702}" = Dell Security Device Driver Pack
"9D57DE505B6D8C710EF3B74BE638DBB936EED8A3" = Windows Driver Package - Dell Inc. PBADRV System (01/07/2008 1.0.1.5)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 4" = Adobe Photoshop Elements 4.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"bwin Poker_is1" = bwin Poker
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"Creative OA001" = Integrated Webcam Driver (1.03.02.0919)
"Dell Webcam Central" = Dell Webcam Central
"ERUNT_is1" = ERUNT 1.1j
"Football Manager 2009" = Football Manager 2009
"GearBox 1.00" = GearBox 1.00 (Remove Only)
"Guitar Pro 5_is1" = Guitar Pro 5.2
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"Hospital" = Theme Hospital
"HP Imaging Device Functions" = HP Imaging Device Functions 9.0
"HP Photosmart Essential" = HP Photosmart Essential 2.01
"HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
"HPOCR" = HP OCR Software 9.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{07D618CD-B016-438A-ADC9-A75BD23F85CE}" = Wave Support Software
"InstallShield_{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
"InstallShield_{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2}" = Document Manager Lite
"InstallShield_{53333479-6A52-4816-8497-5C52B67ED339}" = EMBASSY Security Setup
"InstallShield_{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}" = Secure Update
"InstallShield_{E738A392-F690-4A9D-808E-7BAF80E0B398}" = ESC Home Page Plugin
"InstallShield_{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}" = Security Wizards
"InstallShield_{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
"Live 4.1.5" = Live 4.1.5
"Live 7.0.16" = Live 7.0.16
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Security Scan" = McAfee Security Scan Plus
"MESOL" = Intel® Active Management Technology
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.15)" = Mozilla Firefox (3.6.15)
"MSC" = McAfee Internet Security
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Orion2DeinstKey" = Master of Orion II
"Pacific Poker" = Pacific Poker
"ProInst" = Intel PROSet Wireless
"SpywareBlaster_is1" = SpywareBlaster 4.4
"Traffic Travis_is1" = Traffic Travis 3.3.7
"VLC media player" = VLC media player 1.1.5
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format Runtime
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 15/03/2011 11:23:09 | Computer Name = COURAGE | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

Error - 15/03/2011 11:23:10 | Computer Name = COURAGE | Source = LMS | ID = 2
Description = Failed to unregister for device notifications

Error - 15/03/2011 11:26:10 | Computer Name = COURAGE | Source = Wave TCG Client Services | ID = 123
Description = The NTRU TSS is not running, Wave Software is unable to communicate
to TPM

Error - 15/03/2011 11:26:11 | Computer Name = COURAGE | Source = Wave TCG Client Services | ID = 123
Description = The NTRU TSS is not running, Wave Software is unable to communicate
to TPM

Error - 15/03/2011 11:34:41 | Computer Name = COURAGE | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 15/03/2011 11:37:33 | Computer Name = COURAGE | Source = Application Error | ID = 1001
Description = Fault bucket 1228874298.

Error - 15/03/2011 12:51:55 | Computer Name = COURAGE | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

Error - 15/03/2011 12:51:56 | Computer Name = COURAGE | Source = LMS | ID = 2
Description = Failed to unregister for device notifications

Error - 15/03/2011 12:52:49 | Computer Name = COURAGE | Source = Wave TCG Client Services | ID = 123
Description = The NTRU TSS is not running, Wave Software is unable to communicate
to TPM

Error - 15/03/2011 12:52:51 | Computer Name = COURAGE | Source = Wave TCG Client Services | ID = 123
Description = The NTRU TSS is not running, Wave Software is unable to communicate
to TPM

[ OSession Events ]
Error - 14/05/2009 15:13:42 | Computer Name = COURAGE | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

Error - 14/05/2009 20:43:49 | Computer Name = COURAGE | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

Error - 14/05/2009 21:30:13 | Computer Name = COURAGE | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

Error - 15/05/2009 00:20:48 | Computer Name = COURAGE | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

Error - 15/05/2009 00:58:14 | Computer Name = COURAGE | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

Error - 15/05/2009 02:07:55 | Computer Name = COURAGE | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

Error - 15/05/2009 02:47:53 | Computer Name = COURAGE | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

[ System Events ]
Error - 15/03/2011 11:23:11 | Computer Name = COURAGE | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 15/03/2011 11:23:11 | Computer Name = COURAGE | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 15/03/2011 11:24:31 | Computer Name = COURAGE | Source = iaStor | ID = 262153
Description = The device, \Device\Ide\iaStor0, did not respond within the timeout
period.

Error - 15/03/2011 11:28:03 | Computer Name = COURAGE | Source = DCOM | ID = 10010
Description = The server {3A185DDE-E020-4985-A8F2-E27CDC4A0F3A} did not register
with DCOM within the required timeout.

Error - 15/03/2011 11:40:04 | Computer Name = COURAGE | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 15/03/2011 11:49:10 | Computer Name = COURAGE | Source = iaStor | ID = 262153
Description = The device, \Device\Ide\iaStor0, did not respond within the timeout
period.

Error - 15/03/2011 12:51:57 | Computer Name = COURAGE | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 15/03/2011 12:51:57 | Computer Name = COURAGE | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 15/03/2011 12:51:57 | Computer Name = COURAGE | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 15/03/2011 12:54:33 | Computer Name = COURAGE | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.


< End of report >


Once again thanks and look forward to your reply.:thanks:

Looking good, but I need to look over your OTL log and that takes a bit of time, in the meantime do a few things for me.

C:\ComboFix.txt <--go here and find the Combofix log and copy and paste it into this thread for me to see.

Then,

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

Hi, here is the ComboFix Log-

ComboFix 11-03-12.01 - Jimmy Wise 14/03/2011 1:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3536.2922 [GMT 0:00]
Running from: c:\documents and settings\Jimmy Wise.COURAGE\My Documents\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jimmy Wise.COURAGE\Activator.exe
c:\documents and settings\Jimmy Wise.COURAGE\Application Data\Start
c:\documents and settings\Jimmy Wise.COURAGE\Application Data\Start\temp_20E5ACDA\flash.9.0.115.0.ocx
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
.
.
2011-03-14 01:30 . 2011-03-14 01:36 -------- d-----w- C:\32788R22FWJFW
2011-03-13 19:16 . 2011-03-13 19:16 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2011-03-13 19:09 . 2011-03-13 19:09 -------- d-----w- c:\windows\ERUNT
2011-03-13 18:40 . 2011-03-13 22:18 -------- d-----w- C:\SDFix
2011-03-13 17:36 . 2011-03-13 17:36 -------- d-----w- c:\program files\CCleaner
2011-03-13 17:24 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-13 17:24 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-13 16:34 . 2011-03-13 16:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-13 16:29 . 2011-03-13 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2011-03-12 13:06 . 2011-03-13 16:28 -------- d-----w- c:\program files\Exterminate It!
2011-03-11 23:00 . 2011-03-11 23:00 -------- d-----w- c:\program files\Common Files\Java
2011-03-10 19:41 . 2011-03-13 16:31 -------- dc----w- c:\documents and settings\All Users\Application Data\{78A29A4D-35CE-4C46-9AC9-2692EE35F0BE}(2)
2011-03-10 19:40 . 2011-03-13 16:31 -------- d-----w- c:\program files\Lavasoft(2)
2011-03-10 19:40 . 2011-03-13 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft(2)
2011-03-10 17:56 . 2011-03-10 21:09 -------- d-----w- c:\program files\IObit
2011-03-10 15:56 . 2011-03-10 15:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-09 23:56 . 2011-03-09 23:56 -------- d-----w- c:\documents and settings\Jimmy Wise.COURAGE\Application Data\Malwarebytes
2011-03-09 23:56 . 2011-03-09 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-09 23:56 . 2011-03-13 17:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-09 23:42 . 2011-03-13 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-09 23:42 . 2011-03-13 17:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-14 02:36 . 2009-05-07 19:46 0 ----a-w- c:\documents and settings\Jimmy Wise.COURAGE\Local Settings\Application Data\WavXMapDrive.bat
2010-12-20 12:55 . 2008-04-25 16:16 389120 ----a-w- c:\windows\system32\html.iec
2010-10-13 22:28 . 2010-11-02 01:52 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-01-14 10:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-13 20:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-13 20:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-13 20:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-01-14 10:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-28 200704]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-01 471040]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-17 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-17 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-17 150040]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-06-02 367128]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-01-19 667648]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-12-19 184320]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-01-16 656696]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-01-16 95544]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-01-16 15360]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-03-01 1810432]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-10-17 442536]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-2-6 1095456]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-3-28 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
RICOH Gate La.lnk - c:\program files\Caplio Software\RGateLXP.exe [2010-8-25 364544]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Caplio Software\\RGateLXP.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [02/11/2010 01:52 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [02/11/2010 01:53 54776]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [19/04/2007 05:56 133968]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [29/12/2008 11:07 320800]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [22/01/2009 10:19 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [22/01/2009 10:19 20840]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [06/02/2009 20:06 443168]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [02/11/2010 01:52 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [02/11/2010 01:52 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [02/11/2010 01:52 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [02/11/2010 01:52 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [02/11/2010 01:46 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [13/04/2010 20:11 229688]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [01/03/2009 18:09 77824]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [28/03/2009 00:47 2058776]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [28/03/2009 08:16 112128]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [02/11/2010 01:52 55840]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [28/03/2009 08:16 32808]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [28/03/2009 08:16 244368]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [28/03/2009 08:16 110080]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [28/09/2005 18:38 27392]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [02/11/2010 01:52 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [02/11/2010 01:52 88544]
R3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [28/03/2009 08:16 148056]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [28/03/2009 08:16 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [28/03/2009 08:16 277440]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18/04/2010 09:24 136176]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [19/04/2007 05:28 42832]
S3 L6TPortA;Service - Line 6 TonePort UX1;c:\windows\system32\drivers\L6TPortA.sys [28/09/2005 18:36 392448]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 12:49 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [02/11/2010 01:52 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [02/11/2010 01:52 84264]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-18 09:24]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-18 09:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: line6.net
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Jimmy Wise.COURAGE\Application Data\Mozilla\Firefox\Profiles\8tydp6v2.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: SeoQuake: {317B5128-0B0B-49b2-B2DB-1E7560E16C74} - %profile%\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-14 02:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD80 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A774439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a77a7d0]; MOV EAX, [0x8a77a84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B0C3AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B0DE838]
\Driver\iaStor[0x8B190EA0] -> IRP_MJ_CREATE -> 0x8A774439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD800BJKT-75F4T0____________________11.01A11#4&11fcf6bd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 156301486 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1456)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(1516)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(4468)
c:\windows\system32\WININET.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\drivers\audio\r205445\stacsv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\System32\vssvc.exe
c:\program files\IDT\WDM\sttray.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\SearchFilterHost.exe
c:\windows\system32\SearchProtocolHost.exe
.
**************************************************************************
.
Completion time: 2011-03-14 02:47:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-14 02:47
.
Pre-Run: 30,740,672,512 bytes free
Post-Run: 30,946,349,056 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 6FF388B8094D3E9F89A383849484E9D5

....and here are the Malwarebytes logs, the first after the problems were removed but prior to reboot, the second was after the reboot -

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6067

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

15/03/2011 18:34:24
mbam-log-2011-03-15 (18-34-24).txt

Scan type: Quick scan
Objects scanned: 185637
Time elapsed: 4 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\documents and settings\all users\application data\Ableton\sp.DLL (TrojanProxy.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Value: {96AFBE69-C3B0-4B00-8578-D933D2896EE2} -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Value: {96AFBE69-C3B0-4b00-8578-D933D2896EE2} -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvc (TrojanProxy.Agent) -> Value: netsvc -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\Ableton\sp.DLL (TrojanProxy.Agent) -> Delete on reboot.


And the 2nd -


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6067

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

15/03/2011 18:45:12
mbam-log-2011-03-15 (18-45-12).txt

Scan type: Quick scan
Objects scanned: 185270
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Many thanks.

Hi,

Correct me if I'm wrong but is this a government or corporate computer ?

You logs look fine and I dont see anything that Combofix removed that would remove your sound or other issues that you may have.


There are infections going around classified as Rootkits, there are also ones that infect your master boot record, you got the double whammy , a rootkit infected your MBR, its known as a bootkit and its gone so you should be ok now.


How are things running for you now?

To check for leftovers lets run a free online virus scanner.

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Hi, well I purchased the computer 'new' from ebay a few years ago as a personal computer, but judging by the model and the number of units the vendor had for sale I suppose it was probably originally meant to be a corporate computer.

After a reboot the sound was restored and the computer now recognises usb drives etc.

I ran Spybot again before the last reboot and it found the Click.GiftLoad trojan again, but was not suffering the debugging or re-directing though the computer did seem slow and laboured. I used Spybot to remove it, then rebooted in Safe Mode and scanned again, and the removal appears to have worked now as no issues were found.

Ran another Spybot scan in normal mode whilst connected to the internet and all still clear.

I've tried the link to the ESET scan both on Internet Explorer and FireFox, but a 404 error appears on both, I had a look on the downloads on the home page, but they requested I uninstall all current virus protection and virus scanning software, so I'll hold on for further instruction from you.

I think it seems like the problem has been fixed but I'll wait for your confirmation.

Thankyou very much for all your help so far, I really appreciate it. :thanks:

Hi,

That link works for me. You can try this one instead of ESET, you just need to disable current AV , not uninstall them

Glad things are better, running this scan is just a double check

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply .

Hi,

Just a quick update-

I had problems trying to run the Kaspersky Scan, so googled a link for the ESET scan and have started a scan with that. The scan is currently at 69% completion after over 4 hours, does that time frame seem normal?

Regards.

Depends on your system, I have seen it take less than an hour and sometimes longer than what you posted.

Here are some others if this one fails

Panda Active Scan (http://www.pandasoftware.com/activescan/)
Trendmicro Housecall (http://housecall.trendmicro.com/)
BitDefender Online Scanner (http://www.bitdefender.com/scan8/ie.html)
Sygate Free Online Scan (http://scan.sygatetech.com/)
Mcafee Online Scan (http://us.mcafee.com/root/mfs/default.asp?cid=9914)
Computer Associates (http://www3.ca.com/securityadvisor/virusinfo/scan.aspx)
Kaspersky Online Virus Scanner (http://www.kaspersky.com/virusscanner)

Hi, the scan is now complete, here's the log, it found a trojan -

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17095 (vista_gdr.101217-1830)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=4326b736e3f0e948b2bb5469e4ed1d2e
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-17 12:54:14
# local_time=2011-03-17 12:54:14 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16777189 100 75 288775 17489477 0 0
# compatibility_mode=8192 67108863 100 0 3750 3750 0 0
# scanned=23734
# found=0
# cleaned=0
# scan_time=3416
# version=7
# iexplore.exe=7.00.6000.17095 (vista_gdr.101217-1830)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=4326b736e3f0e948b2bb5469e4ed1d2e
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-17 04:26:54
# local_time=2011-03-17 04:26:54 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16777173 100 75 336444 17537146 0 0
# compatibility_mode=8192 67108863 100 0 51419 51419 0 0
# scanned=106236
# found=1
# cleaned=1
# scan_time=11710
C:\WINDOWS\Temp\nqmi\setup.exe a variant of Win32/TrojanProxy.Agent.NHB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Thanks.

Great, just a leftover

Run ATF Cleaner again

Then go here

C:\WINDOWS\Temp<-- Open the folder and delete anything inside, it should be empty, but dont delete the Temp Folder, just its contents

How are things running now ?

Hi,

I ran ATF cleaner and there are two files left in the Temp folder which I can't delete (Will not allow me to). >>

'Perflib_Perfdata_424' and 'Perflib_Perfdata_838'

Things seem to be running well, no script errors or re-directed web searches, so thats good.

Thanks again for the help.

Those two files are fine, they will be removed when you shut down your system and will be rebuilt the next time you start it. There normal.

Why dont you use your system for a few days and then post back and let me know how your doing ?

Hi,

So I've been using the computer for a few days and as far as the problems I was experiencing are concerned, they seem to have stopped completely, no redirected web searches or script errors and no trojans/ viruses being picked up by spybot or malwarebytes. Looks like you've fixed that for me.:thanks:

As far as the system as a whole, generally ok, does seem to be sluggish occaisionally but perhaps it was like this before.

One thing you might be able to advise me on may be the performance of FireFox, It frustrates me on an ever increasing basis, I seem to get regular, as in 4-5 minute intervals when the internet stops working for perhaps 20-30 seconds, pages seem to time out but re-load fine after a refresh, it's especially apparant when streaming on YouTube, it's streams quickly and then suddendly stops streaming at all for 20-30 seconds then starts again.:confused: It also completely crashes every few days aswell.

This of course could be the internet providers issue but this isn't something I remember suffering from a few months ago.

But hey thats just knit picking, I can live with it.

Thank you so much for all the help, I really appreciate it.

Regards,

James :bigthumb:

James,

Thanks for getting back to me

I experience the same thing you are with Firefox but not the degree that you seem to be. It happens to me about once a week , page just closes for about 2 or 3 seconds and pops right back up. I believe that this is a problem with Firefox, I was told that an update would fix it but so far it has not completely.

Open Firefox and go to Help > About and make sure you have version 3.6.15, if not go back to Help > Check for Updates and download and install the latest updates.


http://www.mozilla.com/en-US/firefox/RC/
There is also a new beta version , FireFox 4, but have not tried it myself yet


Open OTL and click on Clean Up and it will remove programs we used to clean your system along with there backups



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Safe Surfn
Ken

Hi Ken,

Yeah latest FireFox installed, I 'll have a look at FireFox 4.

Will run OTL as suggested and will also look at the threads suggested.

Once again a big thankyou for helping me out, safe surfing indeed.:D:

Cheers,

James

Your welcome James,

Take Care,
Ken

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.