PWS:win32/zbot.gen!AC after downloading Free File Opener



ecosarah
2012-03-18, 01:07
Hello, at the beginning of March I received a .docx which I cannot open, as I only have .doc; the Microsoft website suggested I download Free File Opener. Soon after (minutes?) my firewall picked up malware and removed/blocked it. Later, a Microsoft program told me I had PWS:win32/zbot.gen!AC.

I cannot run DDS, as it takes ages and then the computer crashes. Could be because my computer already has something strange going on, because I cannot account for about 15 GB on the hard drive and it is almost full (32 GB) :confused:

I have run CCleaner and HJT, downloaded Spybot and tried to run it (it found 2 hotkeys), but the computer crashed just before the end of it, so I will try again. I have run Malwarebytes Anti-Malware and ERUNT, and downloaded Microsoft Security Essentials and am going to run that when Spybot finishes.



Do I need to do anything else? I would be very grateful if you could advise.

thanks a lot

JonTom
2012-03-23, 12:10
Hello ecosarah and :welcome:

My name is JonTom

Malware Logs can sometimes take a lot of time to research and interpret.

Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.

Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.

Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.

PLEASE NOTE: If you do not reply after 3 days your thread will be closed.


Please let me know what operating system you are running (XP, Win7, Vista, 32 or 64 bit).

Download the following tool and try to run it:


aswMBR


Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.
Double click the aswMBR.exe to run it.
When asked if you want to download Avast's virus definitions please select Yes.
Click the "Scan" button to start scan.

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply.

http://public.avast.com/~gmerek/aswMBR2.png


If it does not run from Normal Mode boot into Safe Mode and try it (and DDS) from there.


Reboot Your System in Safe Mode


Restart your computer.
As soon as the BIOS has loaded, begin tapping the F8 key until the "Advanced Options" menu appears.
Use the arrow keys to select the Safe mode menu item.
Press Enter.



Once in Safe Mode, give aswMBR and DDS another try. If they fail to complete their scans let me know.


"have run malwarebit"

Please post the most recent MBAM log for me to review (you can find it by opening MBAM and clicking on the Logs tab).

ecosarah
2012-03-24, 00:52
Hello JonTom,

I cannot tell you how happy I am to hear from you!!! So so happy! :eek:

Please could you tell me how to set it up so I get an email when you reply? Thanks.

The operating system is XP; I don't know if it is 32 or 64 bit. :confused:

MBAM log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3982

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

17/03/2012 10:08:17
mbam-log-2012-03-17 (10-08-17).txt

Scan type: Full scan (C:\|)
Objects scanned: 185758
Time elapsed: 1 hour(s), 37 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


aswMBR (was set to "quick scan" I noticed) log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-23 22:35:52
-----------------------------
22:35:52.935 OS Version: Windows 5.1.2600 Service Pack 3
22:35:52.935 Number of processors: 1 586 0xD08
22:35:52.935 ComputerName: MAXIMILLION UserName: 1 Sarah
22:36:16.559 Initialize success
22:39:11.693 AVAST engine defs: 12032302
22:39:41.113 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:39:41.113 Disk 0 Vendor: HTS541040G9AT00 MB2IA60A Size: 38154MB BusType: 3
22:39:41.160 Disk 0 MBR read successfully
22:39:41.160 Disk 0 MBR scan
22:39:41.520 Disk 0 unknown MBR code
22:39:41.520 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 34086 MB offset 63
22:39:41.848 Disk 0 Partition 2 00 12 Compaq diag MSWIN4.1 4067 MB offset 69809040
22:39:42.910 Disk 0 scanning sectors +78140160
22:39:43.598 Disk 0 scanning C:\WINDOWS\system32\drivers
22:41:48.718 Service scanning
22:42:56.559 Service MpKsl6bbbadd1 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{679B0FC7-69F0-49F8-B47B-630253CE429D}\MpKsl6bbbadd1.sys **LOCKED** 32
22:44:39.555 Modules scanning
22:45:13.851 Disk 0 trace - called modules:
22:45:13.866 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
22:45:13.866 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a52dab8]
22:45:13.866 3 CLASSPNP.SYS[ba0f8fd7] -> nt!IofCallDriver -> \Device\0000009b[0x8a5772a0]
22:45:13.866 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a556940]
22:45:14.960 AVAST engine scan C:\WINDOWS
22:46:04.208 AVAST engine scan C:\WINDOWS\system32
23:16:05.198 AVAST engine scan C:\WINDOWS\system32\drivers
23:17:35.039 AVAST engine scan C:\Documents and Settings\1 Sarah
23:39:03.803 AVAST engine scan C:\Documents and Settings\All Users
23:44:43.326 Scan finished successfully
23:49:34.805 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\1 Sarah\Desktop\MBR.dat"
23:49:34.836 The log file has been saved successfully to "C:\Documents and Settings\1 Sarah\Desktop\aswMBR 23.3.12.txt"


I will post this, then restart the laptop in Safe Mode to try DDS.

big thanks!! sarah
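aswMBR reported "Disk 0 unknown MBR code" and saved the MBR to MBR.dat on the desktop. The following is an added example, not part of the thread and not aswMBR's own code, that parses such a 512-byte image and cross-checks it against the partition table the log printed: it verifies the 55AA signature, decodes the four partition slots, and hashes the boot code so it can be compared with a known-good copy rather than eyeballed. The sample image is constructed from the offsets and sizes in the log above (MB sizes converted back to sectors, placeholder bytes in place of real boot code), so only the table comparison is meaningful for it; the file name mbr_check.py is an assumption.

```python
"""Parse a 512-byte MBR image such as the MBR.dat that aswMBR writes and
cross-check its partition table against what the scan log reported.
Added example for this thread; not part of aswMBR."""
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot loader code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511 of a valid MBR

# Partition entry: status, CHS start (3 bytes, skipped), type,
# CHS end (3 bytes, skipped), LBA start, sector count; little-endian.
PART_ENTRY = struct.Struct("<B3xB3xII")


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-code hash, signature check and the used partition slots."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR}-byte MBR, got {len(mbr)} bytes")
    partitions = []
    for slot in range(4):
        status, ptype, lba_start, sectors = PART_ENTRY.unpack_from(
            mbr, PART_TABLE_OFF + slot * PART_ENTRY.size)
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({
            "slot": slot + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return {
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_with_scan_log(parsed: dict, expected: list) -> list:
    """List discrepancies between the decoded table and the (bootable, type,
    lba_start) triples a scanner log reported; an empty list means they agree."""
    findings = []
    if not parsed["signature_ok"]:
        findings.append("MBR signature is not 55AA")
    seen = [(p["bootable"], p["type"], p["lba_start"]) for p in parsed["partitions"]]
    findings += [f"partition {e} reported by scanner but absent from MBR"
                 for e in expected if e not in seen]
    findings += [f"partition {s} present in MBR but not reported by scanner"
                 for s in seen if s not in expected]
    return findings


# Triples taken from the aswMBR log above: partition 1 active, type 07 at
# offset 63; partition 2 inactive, type 12 at offset 69809040.
EXPECTED_FROM_ASWMBR_LOG = [(True, 0x07, 63), (False, 0x12, 69809040)]


def build_sample_mbr() -> bytes:
    """Constructed stand-in for MBR.dat: placeholder bytes instead of real
    boot code, plus the two partitions from the log (MB sizes * 2048 sectors)."""
    boot_code = b"\xfa\x33\xc0".ljust(BOOT_CODE_LEN, b"\x00")  # not real boot code
    table = (PART_ENTRY.pack(0x80, 0x07, 63, 34086 * 2048)
             + PART_ENTRY.pack(0x00, 0x12, 69809040, 4067 * 2048)
             + bytes(2 * PART_ENTRY.size))                     # two empty slots
    return boot_code + table + MBR_SIGNATURE


if __name__ == "__main__":
    # python mbr_check.py MBR.dat   (no argument: use the constructed sample)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    result = parse_mbr(image)
    print("signature OK:", result["signature_ok"])
    print("boot code sha256:", result["boot_code_sha256"])
    for p in result["partitions"]:
        print(f"  slot {p['slot']}: type {p['type']:02X} active={p['bootable']} "
              f"start={p['lba_start']} size={p['size_mb']} MB")
    print("discrepancies:", compare_with_scan_log(result, EXPECTED_FROM_ASWMBR_LOG) or "none")
```

A table that disagrees with what the scanner printed, or a missing 55AA signature, means the saved image is not what the scanner read and should be re-captured; a matching table with unfamiliar boot code is only settled by comparing the hash against an MBR from a known-clean machine of the same model, since vendor recovery tools ship their own boot code.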

ecosarah
2012-03-24, 01:31
I cannot run it in Safe Mode or Safe Mode with Networking: it gets stuck as a list of pathways (?) comes up...

I think I have found out how to subscribe to the thread, so don't worry about answering that question.

thanks, look forward to hearing from you,

sarah

JonTom
2012-03-24, 15:23
Hello ecosarah

Thank you for the aswMBR log.

Let's see if we can get the following scan to run:

Download and run OTL by Oldtimer



Please download OTL by Oldtimer by clicking here (http://oldtimer.geekstogo.com/OTL.com) and save the file (called OTL.com) to your desktop.
Close all open windows on your computer then Double click on the OTL.com icon to run the program.
Check the boxes beside "LOP Check" and "Purity Check".
Under Custom Scan paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
CREATERESTOREPOINT


Click the "Run Scan" button. Do not change any settings unless specifically told to do so. The scan will not take long.



When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please Copy and Paste the contents of both files in your next reply. You may need two posts to fit them both in.


If OTL is able to run please post both logs in your next reply.

If the machine crashes (as it did with DDS) please scan with HJT and post the log for me to review.
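The OTL log asked for above lists every process, module, service and driver in a fixed line format, and the first pass a helper makes over it is mechanical: orphaned registrations ("File not found"), running entries with no company name, files modified close to the scan date (OTL's own "File Age = 30 Days" window), and services or drivers that load from a user profile. The following is an added example, mine rather than OTL's and not from the thread, that parses that format and applies those four checks. The sample lines are constructed: six are modelled on lines from the OTL.Txt posted later in this thread, and the last one (xyzw.exe, a made-up name) is hypothetical, included only to show an entry that trips all the checks at once. Reading the scan time from the "OTL logfile created on:" header assumes the dd/MM/yyyy locale shown in that log.

```python
"""Triage the PRC/MOD/SRV/DRV lines of an OTL log for the entries a helper
would look at first.  Added example for this thread; the heuristics are
mine, not OTL's, and the sample lines below are constructed."""
import re
from datetime import datetime

# One OTL entry, e.g.
#   SRV - [2011/12/18 21:08:42 | 002,420,616 | ---- | M] (Vendor) [Auto | Running] -- C:\x.exe -- (svc)
#   DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
LINE_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"(?:File not found"
    r"|\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[^|\]]+) \| (?P<flag>\w)\] \((?P<company>.*?)\)(?= \[| -- ))"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" -- (?P<path>.*?)"
    r"(?:\s?-- \((?P<name>[^)]*)\)(?P<desc>.*))?$"
)
HEADER_RE = re.compile(r"^OTL logfile created on: (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")
USER_PROFILE_RE = re.compile(r"\\Documents and Settings\\|\\Application Data\\|\\Temp\\", re.I)


def parse_otl_line(line: str):
    """Return the fields of one entry line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["path"] = (e["path"] or "").strip()
    return e


def scan_date_from_header(lines):
    """Scan time from the 'OTL logfile created on:' header (dd/MM/yyyy, as in
    the log in this thread; adjust for other locales)."""
    for line in lines:
        m = HEADER_RE.match(line.strip())
        if m:
            return datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S")
    return None


def triage(lines, scan_date: datetime, recent_days: int = 30) -> list:
    """Return (kind, label, reasons) for every entry that trips a heuristic."""
    findings = []
    for line in lines:
        e = parse_otl_line(line)
        if e is None:
            continue
        reasons = []
        running = e["kind"] in ("PRC", "MOD") or (e["state"] or "").endswith("Running")
        if e["date"] is None:
            reasons.append("file not found (orphaned registration)")
        else:
            modified = datetime.strptime(e["date"], "%Y/%m/%d %H:%M:%S")
            if abs(scan_date - modified).days <= recent_days:
                reasons.append(f"modified within {recent_days} days of scan")
            if running and not e["company"]:
                reasons.append("running with no company name")
        if e["kind"] in ("SRV", "DRV") and USER_PROFILE_RE.search(e["path"]):
            reasons.append("service/driver loads from a user-profile path")
        if reasons:
            findings.append((e["kind"], e["name"] or e["path"], reasons))
    return findings


SAMPLE_SCAN_DATE = datetime(2012, 3, 24, 17, 36, 52)   # header of the OTL log in this thread
SAMPLE_OTL_LINES = [  # constructed; first six modelled on the thread's OTL.Txt
    r"PRC - [2012/03/24 17:34:51 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1 Sarah\Desktop\OTL.com",
    r"PRC - [2011/08/12 17:13:26 | 000,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe",
    r"SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\PsaSrv.exe -- (PsaSrv)",
    r"SRV - [2011/12/18 21:08:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)",
    r"DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)",
    r"DRV - [2010/06/22 18:01:50 | 000,021,248 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\htcnprot.sys -- (htcnprot)",
    # Hypothetical entry (not from the thread): recent, unsigned, profile-resident service.
    r"SRV - [2012/03/10 09:14:02 | 000,214,528 | ---- | M] () [Auto | Running] -- C:\Documents and Settings\User\Application Data\Xyzw\xyzw.exe -- (xyzw)",
]

if __name__ == "__main__":
    import sys
    # python otl_triage.py OTL.Txt   (no argument: use the constructed sample)
    lines = list(open(sys.argv[1], encoding="utf-8", errors="replace")) if len(sys.argv) > 1 else SAMPLE_OTL_LINES
    when = scan_date_from_header(lines) or SAMPLE_SCAN_DATE
    for kind, label, reasons in triage(lines, when):
        print(f"{kind}  {label}\n      " + "\n      ".join(reasons))
```

Every hit still needs a human: OTL.com itself is flagged as recently modified because it was just downloaded, and an old IBM utility with no embedded company name is noise on a ThinkPad. The value is in what the checks pull to the top of a 500-line log, not in any one of them being a verdict.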

ecosarah
2012-03-24, 19:27
It was touch and go but we got there:

OTL logfile created on: 24/03/2012 17:36:52 - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\1 Sarah\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.49 Gb Total Physical Memory | 0.97 Gb Available Physical Memory | 65.37% Memory free
2.83 Gb Paging File | 2.31 Gb Available in Paging File | 81.64% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.29 Gb Total Space | 1.09 Gb Free Space | 3.27% Space Free | Partition Type: NTFS

Computer Name: MAXIMILLION | User Name: 1 Sarah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/24 17:34:51 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1 Sarah\Desktop\OTL.com
PRC - [2011/12/18 21:08:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
PRC - [2011/12/18 21:04:24 | 000,073,360 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
PRC - [2011/11/03 14:44:28 | 000,497,280 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2011/11/03 14:44:24 | 000,738,944 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2011/08/12 17:13:26 | 000,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
PRC - [2011/07/01 19:10:23 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/04/30 08:52:26 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/12/24 12:02:23 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/01/14 20:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/03/18 10:07:00 | 000,086,016 | ---- | M] (IBM Corp.) -- C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
PRC - [2005/03/18 10:07:00 | 000,077,824 | ---- | M] (IBM Corp.) -- C:\WINDOWS\system32\QCONSVC.EXE
PRC - [2005/03/04 00:10:32 | 000,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
PRC - [2004/12/16 11:49:44 | 000,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
PRC - [2004/11/04 16:47:04 | 000,040,547 | ---- | M] (UPEK Inc.) -- C:\Program Files\Common Files\Virtual Token\vtserver.exe
PRC - [2004/09/06 23:03:52 | 000,077,824 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
PRC - [2003/07/12 01:19:22 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
PRC - [2002/01/10 22:01:34 | 000,065,536 | ---- | M] (IBM Corporation) -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe


========== Modules (No Company Name) ==========

MOD - [2011/08/12 17:13:26 | 000,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
MOD - [2010/01/28 11:57:58 | 000,355,688 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2005/03/19 06:10:38 | 000,028,672 | ---- | M] () -- C:\Program Files\ThinkPad\ConnectUtilities\Res\US\IconRes.dll
MOD - [2005/03/04 00:10:32 | 000,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
MOD - [2005/01/21 08:00:00 | 000,065,536 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWRMGRIF.DLL
MOD - [2005/01/21 08:00:00 | 000,032,768 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRT.DLL
MOD - [2004/12/16 11:49:44 | 000,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
MOD - [2004/12/16 10:41:58 | 000,045,056 | ---- | M] () -- C:\WINDOWS\system32\pwdmon.dll
MOD - [2004/11/24 09:10:00 | 000,036,864 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\EZMAPRES.DLL
MOD - [2004/09/06 23:03:52 | 000,077,824 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
MOD - [2004/08/17 19:28:12 | 000,225,280 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\tpfnf7.dll
MOD - [2004/08/13 03:11:26 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\tphklock.dll
MOD - [2003/07/12 01:19:22 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
MOD - [2003/07/04 06:49:30 | 000,024,576 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY_2\tphk_2k.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\PsaSrv.exe -- (PsaSrv)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/02/15 13:30:18 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2011/12/18 21:08:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2011/11/03 14:44:28 | 000,497,280 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe -- (IswSvc)
SRV - [2011/08/12 17:13:26 | 000,087,040 | ---- | M] () [Auto | Running] -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)
SRV - [2011/07/01 19:10:23 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/06/29 14:59:18 | 000,155,344 | ---- | M] (Avanquest Software) [On_Demand | Stopped] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe -- (Sony Ericsson PCCompanion)
SRV - [2011/04/30 08:52:26 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/04/02 15:52:56 | 000,543,744 | ---- | M] (OptionNV) [Disabled | Stopped] -- C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe -- (GtDetectSc)
SRV - [2008/08/29 10:01:22 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus(R) Helper) getPlus(R)
SRV - [2005/03/18 10:07:00 | 000,077,824 | ---- | M] (IBM Corp.) [Auto | Running] -- C:\WINDOWS\system32\QCONSVC.EXE -- (QCONSVC)
SRV - [2004/12/16 11:49:44 | 000,385,024 | ---- | M] () [Auto | Running] -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe -- (IBM Rapid Restore Ultra Service)
SRV - [2004/11/04 16:47:04 | 000,040,547 | ---- | M] (UPEK Inc.) [Auto | Running] -- C:\Program Files\Common Files\Virtual Token\vtserver.exe -- (vtserver)
SRV - [2004/10/01 22:06:34 | 000,163,840 | ---- | M] (Broadcom Corporation) [On_Demand | Stopped] -- C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2003/07/12 01:19:22 | 000,032,768 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Boot | Stopped] -- system32\ZoneLabs\srescan.sys -- (srescan)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\LVCD.sys -- (QCDonner) Logitech QuickCam Express(PID_0840)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\glauiad.sys -- (iadusb)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\adiusbaw.sys -- (adiusbaw)
DRV - File not found [Kernel | Auto | Stopped] -- System32\Drivers\adildr.sys -- (ADILOADER) General Purpose USB Driver (adildr.sys)
DRV - [2011/12/18 21:04:24 | 000,525,840 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (Vsdatant)
DRV - [2011/11/03 14:44:20 | 000,027,016 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2011/07/01 19:10:25 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/07/01 19:10:25 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/22 18:01:50 | 000,021,248 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\htcnprot.sys -- (htcnprot)
DRV - [2009/12/24 20:57:13 | 000,025,512 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggsemc.sys -- (ggsemc)
DRV - [2009/12/24 20:57:13 | 000,013,224 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggflt.sys -- (ggflt)
DRV - [2009/06/10 00:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys -- (HTCAND32)
DRV - [2009/05/11 10:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 08:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/10/21 08:22:48 | 000,114,600 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017mdm.sys -- (s0017mdm)
DRV - [2008/10/21 08:22:48 | 000,109,736 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017unic.sys -- (s0017unic) Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM)
DRV - [2008/10/21 08:22:48 | 000,108,328 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017mgmt.sys -- (s0017mgmt) Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM)
DRV - [2008/10/21 08:22:48 | 000,104,616 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017obex.sys -- (s0017obex)
DRV - [2008/10/21 08:22:48 | 000,086,824 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017bus.sys -- (s0017bus) Sony Ericsson Device 0017 driver (WDM)
DRV - [2008/10/21 08:22:48 | 000,026,024 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017nd5.sys -- (s0017nd5) Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS)
DRV - [2008/10/21 08:22:48 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017mdfl.sys -- (s0017mdfl)
DRV - [2008/04/13 18:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/02/18 16:14:38 | 000,106,624 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Gt51Ip.sys -- (GT72NDISIPXP)
DRV - [2008/02/08 12:00:22 | 000,059,648 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gt72ubus.sys -- (GT72UBUS)
DRV - [2008/02/01 15:43:22 | 000,103,720 | ---- | M] (Guillemot Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\camfilt2.sys -- (camfilt2)
DRV - [2008/01/09 12:28:34 | 000,027,632 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\seehcri.sys -- (seehcri)
DRV - [2007/12/10 13:22:22 | 000,110,120 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017unic.sys -- (s3017unic) Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM)
DRV - [2007/12/10 13:22:22 | 000,100,648 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017obex.sys -- (s3017obex)
DRV - [2007/12/10 13:22:20 | 000,104,616 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017mgmt.sys -- (s3017mgmt) Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM)
DRV - [2007/12/10 13:22:20 | 000,025,512 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017nd5.sys -- (s3017nd5) Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS)
DRV - [2007/12/10 13:22:18 | 000,110,632 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017mdm.sys -- (s3017mdm)
DRV - [2007/12/10 13:22:18 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017mdfl.sys -- (s3017mdfl)
DRV - [2007/12/10 13:22:14 | 000,083,880 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017bus.sys -- (s3017bus) Sony Ericsson Device 3017 driver (WDM)
DRV - [2007/07/13 09:45:08 | 000,285,952 | ---- | M] (Akkord Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HDvidv.sys -- (APL531)
DRV - [2007/06/14 17:34:00 | 000,457,856 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PAC7302.SYS -- (PAC7302)
DRV - [2007/05/21 07:29:26 | 000,235,648 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8187.sys -- (RTLWUSB)
DRV - [2007/04/23 15:54:50 | 000,100,488 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115mgmt.sys -- (s115mgmt) Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/23 15:54:46 | 000,083,208 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115bus.sys -- (s115bus) Sony Ericsson Device 115 driver (WDM)
DRV - [2007/04/23 13:54:50 | 000,098,568 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115obex.sys -- (s115obex)
DRV - [2007/04/23 13:54:48 | 000,108,680 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115mdm.sys -- (s115mdm)
DRV - [2007/04/23 13:54:48 | 000,015,112 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115mdfl.sys -- (s115mdfl)
DRV - [2007/04/03 13:57:54 | 000,099,080 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116unic.sys -- (s116unic) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM)
DRV - [2007/04/03 13:57:52 | 000,098,696 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116obex.sys -- (s116obex)
DRV - [2007/04/03 13:57:52 | 000,023,176 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116nd5.sys -- (s116nd5) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS)
DRV - [2007/04/03 13:57:50 | 000,100,488 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116mgmt.sys -- (s116mgmt) Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/03 13:57:48 | 000,108,680 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116mdm.sys -- (s116mdm)
DRV - [2007/04/03 13:57:48 | 000,015,112 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116mdfl.sys -- (s116mdfl)
DRV - [2007/04/03 13:57:42 | 000,083,336 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116bus.sys -- (s116bus) Sony Ericsson Device 116 driver (WDM)
DRV - [2007/03/30 12:38:14 | 000,008,064 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gtptser.sys -- (GTPTSER)
DRV - [2005/08/15 19:25:50 | 000,013,184 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2005/03/18 10:07:00 | 000,012,288 | ---- | M] (IBM Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qcndisif.sys -- (QCNDISIF)
DRV - [2005/03/18 10:07:00 | 000,011,520 | ---- | M] (IBM Corp.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ANC.sys -- (ANC)
DRV - [2005/03/18 10:07:00 | 000,002,432 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\IBMBLDID.SYS -- (IBMTPCHK)
DRV - [2005/02/14 15:00:10 | 003,255,168 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
DRV - [2005/02/11 09:22:48 | 000,081,728 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\k750mgmt.sys -- (k750mgmt)
DRV - [2005/02/11 09:19:20 | 000,055,216 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\k750bus.sys -- (k750bus) Sony Ericsson 750 driver (WDM)
DRV - [2005/01/21 08:40:00 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SMAPINT.SYS -- (Smapint)
DRV - [2005/01/21 08:40:00 | 000,009,340 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
DRV - [2005/01/21 08:00:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2004/12/16 11:12:20 | 000,063,616 | ---- | M] (IBM) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ibmfilter.sys -- (ibmfilter)
DRV - [2004/12/07 00:55:20 | 000,126,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/12/02 23:14:44 | 000,014,208 | ---- | M] (IBM Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\TPDiskPM.sys -- (TPDiskPM)
DRV - [2004/12/02 22:54:12 | 000,006,016 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TPInput.sys -- (TPInput)
DRV - [2004/12/01 09:33:00 | 000,007,168 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2004/11/10 23:47:30 | 000,200,448 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/11/10 23:46:24 | 000,685,184 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/11/10 23:45:50 | 001,041,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/10/15 17:20:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/10/01 21:51:46 | 000,017,024 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2004/10/01 21:48:30 | 001,241,482 | ---- | M] (Broadcom Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2004/10/01 21:47:06 | 000,147,896 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2004/10/01 21:44:22 | 000,030,299 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2004/10/01 21:43:44 | 000,054,488 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2004/08/04 12:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/04 12:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/05/19 20:41:26 | 000,013,757 | ---- | M] (National Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NscTpmDD.sys -- (portio)
DRV - [2003/12/08 10:53:48 | 000,053,600 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcan5wn.sys -- (alcan5wn) SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)
DRV - [2003/12/08 10:53:46 | 000,070,688 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcaudsl.sys -- (alcaudsl)
DRV - [2002/02/19 12:06:28 | 000,021,019 | ---- | M] (Magic Control Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\u2s2kxp.sys -- (U2SP) USB to Serial Converter Driver(Philips)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.saynoto0870.com/
IE - HKCU\..\SearchScopes,DefaultScope = {78F909E2-E4DC-4AF1-8FD7-B411278EEC6D}
IE - HKCU\..\SearchScopes\{04E563C9-734C-41AE-A368-E84AB98DF7A7}: "URL" = http://www.bing.com/search?q={searchTerms}&form=IE0006
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{78F909E2-E4DC-4AF1-8FD7-B411278EEC6D}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "Messenger Plus Live UK Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2516768&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.saynoto0870.com/numbersearch.php"
FF - prefs.js..extensions.enabledItems: {53c4d698-0a74-873e-7946-7d19bb035667}:2.6
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19.1
FF - prefs.js..extensions.enabledItems: feedbar@efinke.com:5.0
FF - prefs.js..extensions.enabledItems: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}:7.0.3.0
FF - prefs.js..extensions.enabledItems: {c33c5b47-69c8-45a4-a5e0-af85bbe628dd}:1.6.1.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: CompactMenuCE@Merci.chao:4.2.1
FF - prefs.js..extensions.enabledItems: isreaditlater@ideashower.com:2.1.1
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.5
FF - prefs.js..extensions.enabledItems: reliby@gemal.dk:1.5.0
FF - prefs.js..extensions.enabledItems: {1f91cde0-c040-11da-a94d-0800200c9a66}:4.1
FF - prefs.js..extensions.enabledItems: savesession@noasobi.net:1.3.1.6
FF - prefs.js..extensions.enabledItems: {53A03D43-5363-4669-8190-99061B2DEBA5}:1.3.7
FF - prefs.js..extensions.enabledItems: firefox-extension@shareaholic.com:2.2.0
FF - prefs.js..extensions.enabledItems: {BEDED222-EAEC-11DA-9B41-B622A1EF5492}:1.0.12
FF - prefs.js..extensions.enabledItems: smartbookmarksbar@remy.juteau:1.4.3
FF - prefs.js..extensions.enabledItems: {64161300-e22b-11db-8314-0800200c9a66}:0.9.5.8
FF - prefs.js..extensions.enabledItems: taboo@runningfrombears.com:0.6.1
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119091315
FF - prefs.js..extensions.enabledItems: zotero@chnm.gmu.edu:2.0.9
FF - prefs.js..network.proxy.type: 4


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.652: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.652: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/07/01 19:48:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2012/03/17 22:42:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/10 14:18:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/12 15:17:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 9.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/01/11 12:59:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012/01/12 15:17:14 | 000,000,000 | ---D | M]

[2008/07/01 19:15:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Extensions
[2012/03/23 22:37:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions
[2011/12/09 10:41:53 | 000,000,000 | ---D | M] (iMacros for Firefox) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
[2010/12/23 22:31:05 | 000,000,000 | ---D | M] (British English Dictionary) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2011/11/07 17:47:35 | 000,000,000 | ---D | M] ("MemberPlugin") -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\MemberPlugin@edward.hibbert
[2010/02/09 20:50:18 | 000,000,000 | ---D | M] (Reliby) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\reliby@gemal.dk
[2009/07/22 10:32:24 | 000,000,000 | ---D | M] (Save Session) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\savesession@noasobi.net
[2012/03/03 05:46:54 | 000,000,000 | ---D | M] (Zotero) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\zotero@chnm.gmu.edu
[2011/09/25 18:28:32 | 000,002,220 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\amabay-uk.xml
[2012/03/16 22:22:21 | 000,002,570 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\amazon-decouk.xml
[2010/02/06 22:17:22 | 000,000,947 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\conduit.xml
[2011/09/25 18:29:34 | 000,011,430 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\ebaycouk-search.xml
[2008/06/25 12:48:35 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\wikipedia-en.xml
[2011/07/09 20:01:05 | 000,002,323 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\youtube-ssl.xml
[2012/01/10 14:19:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/03/02 20:33:30 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/01/10 14:18:11 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2008/04/11 17:38:19 | 000,024,673 | ---- | M] (Check Point Software Technologies Ltd.) -- C:\Program Files\mozilla firefox\plugins\NPZoneSB.dll
[2012/01/10 14:17:49 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/10 14:17:49 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google ()
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}

O1 HOSTS File: ([2008/11/05 22:12:18 | 000,286,531 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.123haustiereundmehr.com
O1 - Hosts: 127.0.0.1 123haustiereundmehr.com
O1 - Hosts: 9901 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (IBM Corp.)
O4 - HKLM..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)
O4 - HKLM..\Run: [TP4EX] C:\WINDOWS\System32\TP4EX.exe (IBM Corporation)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (IBM Corp.)
O4 - HKLM..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe ()
O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
O4 - Startup: C:\Documents and Settings\1 Sarah\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 227
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} Reg Error: Value error. (Windows Genuine Advantage Validation Tool)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BDC00D27-CAA4-4564-8568-4160324D1BAF}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (Broadcom Corporation)
O20 - AppInit_DLLs: (avgrsstx.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\psfus: DllName - (C:\Program Files\IBM fingerprint software\psfus.dll) - C:\Program Files\IBM fingerprint software\psfus.dll (UPEK Inc.)
O20 - Winlogon\Notify\QConGina: DllName - (QConGina.dll) - C:\WINDOWS\System32\QConGina.dll (IBM Corp.)
O20 - Winlogon\Notify\tphotkey: DllName - (tphklock.dll) - C:\WINDOWS\System32\tphklock.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/10/06 06:35:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\Shell - "" = AutoRun
O33 - MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\Shell - "" = AutoRun
O33 - MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/03/24 17:34:21 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\1 Sarah\Desktop\OTL.com
[2012/03/23 22:35:11 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\1 Sarah\Desktop\aswMBR.exe
[2012/03/18 02:28:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2012/03/17 22:44:56 | 000,237,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2012/03/17 22:41:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2012/03/17 22:40:19 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/03/17 18:39:30 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\1 Sarah\Desktop\dds.scr
[2012/03/17 18:34:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/03/17 18:34:09 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/03/17 18:33:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2012/03/17 08:58:44 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\1 Sarah\Recent
[2012/03/17 08:39:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2012/03/03 06:25:19 | 006,600,192 | ---- | C] (Mirage Systems) -- C:\WINDOWS\System32\LicProtector310.exe
[2012/03/03 06:25:19 | 002,323,520 | ---- | C] (gdpicture.com) -- C:\WINDOWS\System32\gdpicturepro5.ocx
[2012/03/02 20:32:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2012/03/02 20:32:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/24 17:43:13 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2012/03/24 17:34:51 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1 Sarah\Desktop\OTL.com
[2012/03/24 00:28:09 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/03/24 00:22:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/24 00:22:09 | 1600,638,976 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/23 23:49:34 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Desktop\MBR.dat
[2012/03/23 22:36:11 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\1 Sarah\Desktop\aswMBR.exe
[2012/03/17 22:41:22 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/03/17 22:40:05 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/17 21:21:13 | 000,262,232 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/17 21:11:28 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/17 18:39:38 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\1 Sarah\Desktop\dds.scr
[2012/03/17 18:34:46 | 000,000,778 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/03/17 18:34:11 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Desktop\ERUNT.lnk
[2012/03/17 18:33:01 | 000,000,962 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/03/17 09:01:40 | 000,582,406 | ---- | M] () -- C:\Documents and Settings\1 Sarah\My Documents\cc_backup changes 17.3.12.reg
[2012/03/06 09:31:11 | 000,435,154 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/06 09:31:11 | 000,068,892 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/06 09:21:41 | 000,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/23 23:49:34 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Desktop\MBR.dat
[2012/03/17 22:46:08 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/03/17 22:41:22 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2012/03/17 22:40:40 | 000,001,691 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/03/17 21:11:06 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/03/17 18:34:46 | 000,000,778 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/03/17 18:34:11 | 000,000,603 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Desktop\ERUNT.lnk
[2012/03/17 18:33:01 | 000,000,962 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/03/17 09:00:57 | 000,582,406 | ---- | C] () -- C:\Documents and Settings\1 Sarah\My Documents\cc_backup changes 17.3.12.reg
[2012/03/06 09:21:41 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2012/02/20 18:26:17 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/10/10 10:28:05 | 000,000,302 | ---- | C] () -- C:\WINDOWS\System32\Remover.ini
[2011/09/24 20:22:09 | 003,600,384 | ---- | C] () -- C:\WINDOWS\ffmpeg.exe
[2010/05/05 20:26:20 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/04/11 19:50:23 | 000,000,272 | ---- | C] () -- C:\WINDOWS\_delis32.ini

========== LOP Check ==========

[2012/01/25 16:34:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Amorh
[2010/04/10 21:32:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\AVGTOOLBAR
[2010/07/24 09:37:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\CheckPoint
[2009/05/01 19:09:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/01/18 20:28:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Desktopicon
[2012/01/18 18:24:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\HTC
[2011/12/30 13:29:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\HTC.388BC06ACDAB6261375BCE37FBA2E023C0D7EE34.1
[2009/07/25 23:29:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\HTML Executable
[2005/10/07 15:43:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\IBM
[2005/10/30 10:41:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\InterVideo
[2008/04/03 19:10:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\iolo
[2009/05/22 07:25:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\MSNInstaller
[2010/01/19 19:38:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\MyPhoneExplorer
[2007/05/14 10:26:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Nikon
[2009/05/31 17:50:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Nokia Multimedia Player
[2007/04/12 14:36:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\OpenOffice.org1.9.79
[2011/12/30 13:33:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Outlook
[2012/03/03 07:25:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Suyguvl
[2010/02/19 12:04:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Tatara Systems
[2011/06/14 08:59:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\TeamViewer
[2009/12/31 13:26:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Teleca
[2012/01/11 12:59:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Thunderbird
[2011/05/09 20:14:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Uniblue
[2009/05/29 14:15:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\uTorrent
[2008/11/01 20:50:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\WinPatrol
[2010/09/23 11:09:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2012/01/11 11:53:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2005/10/11 11:32:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ibm
[2008/04/03 19:10:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2008/02/18 09:49:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2010/02/19 12:00:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\O2CM-CE
[2011/03/04 18:58:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sage
[2005/11/26 11:00:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2009/12/28 11:05:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Teleca
[2010/01/19 19:40:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/03/17 08:39:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2011/10/24 11:32:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/03/24 00:28:09 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2012/03/24 17:43:13 | 000,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >
[2008/09/29 13:07:31 | 000,000,184 | ---- | M] () -- C:\setuplog.exe

< MD5 for: AGP440.SYS >
[2004/08/04 12:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2004/08/04 12:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/10/14 13:06:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/10/14 13:06:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 06:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 12:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2004/08/04 12:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/10/14 13:06:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/10/14 13:06:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 05:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 12:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 12:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 12:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[9 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/08/09 17:45:10 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2004/08/09 17:45:10 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2004/08/09 17:45:10 | 000,876,544 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2012/01/09 16:20:25 | 000,139,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\rdpwd.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 229 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8FF81EB0

< End of report >

ecosarah
2012-03-24, 19:29
EXTRAS:

OTL Extras logfile created on: 24/03/2012 17:36:52 - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\1 Sarah\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.49 Gb Total Physical Memory | 0.97 Gb Available Physical Memory | 65.37% Memory free
2.83 Gb Paging File | 2.31 Gb Available in Paging File | 81.64% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.29 Gb Total Space | 1.09 Gb Free Space | 3.27% Space Free | Partition Type: NTFS

Computer Name: MAXIMILLION | User Name: 1 Sarah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\IBM\Updater\jre\bin\java.exe" = C:\Program Files\IBM\Updater\jre\bin\java.exe:*:Enabled:IBM Update Connector -- (IBM)
"C:\Program Files\IBM\Updater\jre\bin\javaw.exe" = C:\Program Files\IBM\Updater\jre\bin\javaw.exe:*:Enabled:IBM Update Connector -- (IBM)
"C:\Program Files\IBM\Updater\ucsmb.exe" = C:\Program Files\IBM\Updater\ucsmb.exe:*:Enabled:IBM Update Connector -- (IBM Corporation, Inc.)
"%windir%\explorer.exe" = %windir%\explorer.exe -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\IBM\Updater\jre\bin\java.exe" = C:\Program Files\IBM\Updater\jre\bin\java.exe:*:Enabled:IBM Update Connector -- (IBM)
"C:\Program Files\IBM\Updater\jre\bin\javaw.exe" = C:\Program Files\IBM\Updater\jre\bin\javaw.exe:*:Enabled:IBM Update Connector -- (IBM)
"C:\Program Files\IBM\Updater\ucsmb.exe" = C:\Program Files\IBM\Updater\ucsmb.exe:*:Enabled:IBM Update Connector -- (IBM Corporation, Inc.)
"C:\Program Files\ViaVoice\BIN\audmig.exe" = C:\Program Files\ViaVoice\BIN\audmig.exe:*:Enabled:audmig
"C:\Program Files\ViaVoice\BIN\macroeditor.exe" = C:\Program Files\ViaVoice\BIN\macroeditor.exe:*:Enabled:macroeditor
"C:\Program Files\ViaVoice\BIN\msaadmn.exe" = C:\Program Files\ViaVoice\BIN\msaadmn.exe:*:Enabled:msaadmn
"C:\Program Files\ViaVoice\BIN\navcentral.exe" = C:\Program Files\ViaVoice\BIN\navcentral.exe:*:Enabled:navcentral
"C:\Program Files\ViaVoice\BIN\smart.exe" = C:\Program Files\ViaVoice\BIN\smart.exe:*:Enabled:smart
"C:\Program Files\ViaVoice\BIN\speechbar.exe" = C:\Program Files\ViaVoice\BIN\speechbar.exe:*:Enabled:speechbar
"C:\Program Files\Microsoft Office\Office\WINWORD.EXE" = C:\Program Files\Microsoft Office\Office\WINWORD.EXE:*:Enabled:Microsoft Word for Windows -- (Microsoft Corporation)
"C:\Program Files\ViaVoice\BIN\engine.exe" = C:\Program Files\ViaVoice\BIN\engine.exe:*:Enabled:IBM ViaVoice ® Speech Recognition
"C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation)
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon
"C:\Program Files\Sony Ericsson\Update Engine\Sony Ericsson Update Engine.exe" = C:\Program Files\Sony Ericsson\Update Engine\Sony Ericsson Update Engine.exe:*:Enabled:Update Engine -- ()
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"%windir%\explorer.exe" = %windir%\explorer.exe -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{0873B1A3-00A9-40D6-BACE-3DB4BC5DA840}" = IBM SATA Power Management Driver
"{0D09E359-0C98-4D93-B6F9-1FF68ED4B27C}" = Nokia Multimedia Player
"{1007F41F-7D69-468E-8017-3849A5A973C2}" = IBM ThinkVantage Technologies Welcome Message
"{11783F13-C3A9-44A8-929B-21A476F65272}" = IBM Rescue and Recovery with Rapid Restore
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = IBM DLA
"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = IBM ThinkPad EasyEject Utility
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows
"{2111B23F-7FDA-4A41-8309-E5A1663CA296}" = IBM ThinkPad Keyboard Customizer Utility
"{22B71A00-4DED-11D4-A5E5-0004AC564F43}" = IBM Access Connections
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{245F5D2D-6F34-4970-B8D7-D6F3C3C07575}" = ZoneAlarm Firewall
"{25BEC3AB-5CD4-481D-9143-215C1BBB189E}" = Sony Ericsson PC Suite
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 24
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
"{31A559C1-9E4D-423B-9DD3-34A6C5398752}" = HTC BMP USB Driver
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{34BFBF2A-06B9-4B5E-BB33-E78B67450ED7}" = IBM fingerprint software 4.5.3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}" = SAGEM F@st 800-840
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{526B2AE8-73DF-4CE0-B140-9968677A7C93}" = HTC Sync
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6CE96A14-61E2-48CC-837E-22710A953ADE}" = IBM Themes
"{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver Installer
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{72806716-7088-41B2-8FA6-717A2A164DAB}" = IBM Active Protection System
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}" = IBM ThinkPad UltraNav Wizard
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{884BB5CC-108E-41a9-936D-955C999C06A1}_x" = GlobeTrotter Connect
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver for Mobile
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8D815BF3-2399-459C-B121-49373FEFB9E8}" = IBM Update Connector
"{90535871-81B9-4D99-8A13-A7EE97F2D7FE}" = IBM Integrated Bluetooth IV Software
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = IBM RecordNow!
"{96ACE4A4-C769-47D2-9FCE-4F46754857E7}" = ZoneAlarm Security
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = IBM ThinkPad Power Manager
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{ACEB2BAF-96DF-48FD-ADD5-43842D4C443D}" = Adobe AIR
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{B7DBF6E8-0D17-4BE4-853B-ACD6EFBD4A1F}" = iTunes
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C60BA916-9E44-4DA4-B11A-9E27B7624EF5}" = Sony Ericsson Drivers
"{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update
"{C92E7DF1-624A-4D95-A4C4-18CB491B44A4}" = Sony Ericsson Device Data
"{CB995BB2-4D75-4D6A-A164-E986CCD6C682}" = Targus USB Adapter
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6BF6477-8369-489F-8DE6-3731F4B88560}" = Sony Ericsson PC Suite
"{D8B883E4-DF64-4A91-B785-08FC9B78923D}" = i-Look 317
"{E64A463C-ABE6-4649-AFD5-F481E18F8E1F}" = GlobeTrotter Connect
"{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
"{EA664480-3844-11D5-8C25-444553540000}" = IBM TrackPoint Accessibility Features
"{EC6AF20D-4376-4070-BEE4-D3A0DFF7E140}" = Access IBM
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.8
"{F09EF8F2-0976-42C1-8D9D-8DF78337C6E3}" = Sony Ericsson PC Companion 2.02.002
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0CFDC72-63D2-4086-A54F-1514494394A0}" = Hercules DualPix HD Webcam
"{F386C340-DF4B-4BBA-9503-420FB7EDB395}" = Wallpapers
"{F413B3A4-EE5D-457C-BAE5-6E58D9589ED5}" = Access IBM Message Center
"{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
"{FC081D4D-DF1B-4CF1-B530-027E4118D846}" = IBM ThinkPad Configuration
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014" = IBM Integrated 56K Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Easy-WebPrint" = Easy-WebPrint
"eBay Icon" = eBay Icon
"ERUNT_is1" = ERUNT 1.1j
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"InstallShield_{0D09E359-0C98-4D93-B6F9-1FF68ED4B27C}" = Nokia Multimedia Player
"InstallShield_{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Micrografx Picture Publisher 7" = Micrografx Picture Publisher 7
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
"Mozilla Thunderbird 9.0.1 (x86 en-US)" = Mozilla Thunderbird 9.0.1 (x86 en-US)
"MPE" = MyPhoneExplorer
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Power Management Driver" = IBM ThinkPad Power Management Driver
"Presentation Director" = IBM ThinkPad Presentation Director
"ProInst" = Intel(R) PROSet/Wireless Software
"RealPlayer 12.0" = RealPlayer
"Sunny Data" = Sunny Data
"SynTPDeinstKey" = IBM ThinkPad UltraNav Driver
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"ThinkPadSoftwareInstaller" = ThinkPad Software Installer
"Update Engine" = Sony Ericsson Update Engine
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WindowsScriptHost" = Microsoft Windows Script Host
"WinPatrol" = WinPatrol 2008
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoneAlarm Free" = ZoneAlarm Free
"ZoneAlarm Toolbar" = ZoneAlarm Toolbar
"ZoneAlarmSB Uninstall" = ZoneAlarm Spy Blocker

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 16/03/2012 14:15:49 | Computer Name = MAXIMILLION | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 17/03/2012 17:21:35 | Computer Name = MAXIMILLION | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 17/03/2012 18:41:05 | Computer Name = MAXIMILLION | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 3.0.8402.0,
P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 17/03/2012 18:41:39 | Computer Name = MAXIMILLION | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 17/03/2012 18:42:09 | Computer Name = MAXIMILLION | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 17/03/2012 18:42:17 | Computer Name = MAXIMILLION | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 17/03/2012 22:28:16 | Computer Name = MAXIMILLION | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 17/03/2012 23:59:24 | Computer Name = MAXIMILLION | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0, P2 moaccapability, P3 3.0.8402.0, P4
0, P5 0, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 23/03/2012 18:58:41 | Computer Name = MAXIMILLION | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0xffffffef, P2 patchapplication, P3 am bde,
P4 11.1.3927.0, P5 mpsigstub.exe, P6 3.0.8402.0, P7 microsoft security essentials,
P8 NIL, P9 NIL, P10 NIL.

Error - 23/03/2012 19:09:12 | Computer Name = MAXIMILLION | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 9.0.0.2717, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 18/01/2012 12:48:48 | Computer Name = MAXIMILLION | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 18/01/2012 13:14:16 | Computer Name = MAXIMILLION | Source = Service Control Manager | ID = 7000
Description = The General Purpose USB Driver (adildr.sys) service failed to start
due to the following error: %%2

Error - 18/01/2012 13:14:17 | Computer Name = MAXIMILLION | Source = Service Control Manager | ID = 7001
Description = The Print Spooler service depends on the LexBce Server service which
failed to start because of the following error: %%1058

Error - 18/01/2012 13:14:17 | Computer Name = MAXIMILLION | Source = Service Control Manager | ID = 7001
Description = The Fax service depends on the Print Spooler service which failed
to start because of the following error: %%1068

Error - 22/01/2012 16:21:43 | Computer Name = MAXIMILLION | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.65 on
the Network Card with network address 0013CE3779C3.

Error - 24/01/2012 06:14:00 | Computer Name = MAXIMILLION | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.64 on
the Network Card with network address 0013CE3779C3.

Error - 24/01/2012 08:11:39 | Computer Name = MAXIMILLION | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

Error - 25/01/2012 05:57:45 | Computer Name = MAXIMILLION | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.64 for the Network Card with network
address 0013CE3779C3 has been denied by the DHCP server 192.168.1.254 (The DHCP
Server sent a DHCPNACK message).

Error - 26/01/2012 08:18:26 | Computer Name = MAXIMILLION | Source = Service Control Manager | ID = 7001
Description = The Print Spooler service depends on the LexBce Server service which
failed to start because of the following error: %%1058

Error - 30/01/2012 06:00:26 | Computer Name = MAXIMILLION | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.64 for the Network Card with network
address 0013CE3779C3 has been denied by the DHCP server 192.168.1.254 (The DHCP
Server sent a DHCPNACK message).


< End of report >

JonTom
2012-03-25, 14:47
Hello ecosarah


It was touch and go but we got there. You did a good job getting that scan to run :bigthumb:


Security Programs


I can see from your log that you have a number of real-time security programs running, namely Microsoft Security Essentials and Avira AntiVir.
Whilst both of these programs provide good security, they may clash with each other which can leave your system vulnerable to infection.
You are advised to remove one of these programs.
Please make sure that you only have ONE Firewall and ONE real-time Antivirus running on your system.



P2P Programs:


P2P programs are a major source of Malware infections.
From your log I see you have µTorrent. We do not pass judgment on file-sharing, however we must inform you that engaging in this activity and having this kind of software installed on your system will always make you more susceptible to Malware infections.
The use of P2P programs may be contributing to your current situation, and you would certainly be doing yourself a favour by removing them.
If you wish to keep the program(s), please do not use them until your computer is cleaned.


Information regarding the risk of using these programs can be found from here (http://malwareremoval.com/p2pindex.php) and here (http://www.internetworldstats.com/articles/art053.htm).


It is strongly recommended that you uninstall any P2P programs you have on your system.


To do this, Click on "Start" then on "Control Panel" and then on "Add or remove programs".
A list of currently installed programs will be displayed.
Find the "µTorrent" program, click on it once and then click on the "Remove" button.
If you are prompted to re-boot your computer to complete the uninstall please do so.


PLEASE NOTE:
Even if you are using a P2P program that is deemed safe, it is only the program that is safe. Any files that you receive using a "safe" P2P program may be infected with Malware. The malware writers use P2P file-sharing as a major conduit to spread infected files.



Please disable WinPatrol


Right click on the "Scotty Dog" icon in your system tray and select "Exit Program".



Please open OTL


Copy and paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL.


:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} Reg Error: Value error. (Windows Genuine Advantage Validation Tool)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab (Reg Error: Key error.)
O20 - AppInit_DLLs: (avgrsstx.dll) - File not found
O33 - MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\Shell - "" = AutoRun
O33 - MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\Shell - "" = AutoRun
O33 - MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\Shell\AutoRun\command - "" = E:\AutoRun.exe
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
@Alternate Data Stream - 229 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8FF81EB0

:Commands
[purity]
[emptytemp]
[emptyflash]
[start explorer]
[Reboot]



Once you have pasted the information into the Custom Scans/Fixes box, click the "Run Fix" button at the top.
Allow the program to run unhindered.
Your machine will re-start itself. This is normal.
A log will be created after your machine reboots. Please post the contents of the log in your next reply.


Please make sure that WinPatrol is disabled before running Combofix:


Combofix


Download ComboFix from one of the following locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216).
Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Should there be issues with internet afterward:

In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.



Please post the OTL log and the Combofix log in your next reply.
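
The entry types JonTom moves into the OTL fix script above (the O33 MountPoints2 AutoRun handler, the alternate data stream and, in the scan log, service/driver registrations whose file is missing and processes with no publisher name) have regular line shapes, so a helper can pull them out of a log mechanically before deciding what goes into a fix. The Python script below is an added example and is not part of this thread, of OTL or of ComboFix; the sample lines are constructed to match the OTL 3.2.39.x format quoted here, and the script only tags entries for review, it makes no verdict about whether an entry is malicious.

```python
"""Triage an OTL scan log for the entry types a removal helper usually moves
into an OTL fix script: per-volume AutoRun handlers (O33 MountPoints2),
NTFS alternate data streams, service/driver registrations whose binary is
missing, and running processes/modules with no publisher name.
Added example; it is not part of OTL, and SAMPLE_LOG is constructed to
match the line format quoted in the thread."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in OTL's line format (same shapes as the thread's logs).
SAMPLE_LOG = r"""
O33 - MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\Shell - "" = AutoRun
O33 - MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\Shell\AutoRun\command - "" = E:\AutoRun.exe
@Alternate Data Stream - 229 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8FF81EB0
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\PsaSrv.exe -- (PsaSrv)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\1SARAH~1\LOCALS~1\Temp\catchme.sys -- (catchme)
PRC - [2011/08/12 18:13:26 | 000,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
"""

# Only the ...\Shell\AutoRun\command line carries the executable; the parent
# O33 lines for the same volume GUID are context and are deliberately skipped.
_AUTORUN_CMD = re.compile(
    r'^O33 - MountPoints2\\(\{[0-9A-Fa-f-]+\})\\Shell\\AutoRun\\command - "" = (.+)$')
_ADS = re.compile(r'^@Alternate Data Stream - (\d+) bytes -> (.+)$')
# "File not found" lines may carry no path at all ("-- -- (name)"), hence the
# optional path group.
_MISSING = re.compile(
    r'^(SRV|DRV) - File not found \[([^\]]+)\] -- (?:(.*?) )?-- \((\S+?)\)')
# Process/module lines whose company-name field is the empty "()".
_NO_PUBLISHER = re.compile(r'^(PRC|MOD) - \[[^\]]+\] \(\) -- (.+)$')


@dataclass(frozen=True)
class Finding:
    kind: str    # autorun_command | ads | missing_service | missing_driver | no_publisher
    target: str  # the command, stream or file path the line refers to ("" if none)
    detail: str  # volume GUID, stream size, service/driver name or line type


def parse_otl(text: str) -> list[Finding]:
    """Return one Finding per log line that matches a triage rule; all other lines are ignored."""
    findings: list[Finding] = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := _AUTORUN_CMD.match(line):
            # HKCU MountPoints2 handler: runs when that volume is opened from Explorer.
            findings.append(Finding("autorun_command", m.group(2), m.group(1)))
        elif m := _ADS.match(line):
            findings.append(Finding("ads", m.group(2), f"{m.group(1)} bytes"))
        elif m := _MISSING.match(line):
            kind = "missing_service" if m.group(1) == "SRV" else "missing_driver"
            findings.append(Finding(kind, m.group(3) or "", m.group(4)))
        elif m := _NO_PUBLISHER.match(line):
            findings.append(Finding("no_publisher", m.group(2), m.group(1)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by kind, e.g. {'missing_driver': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    found = parse_otl(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:16} {f.detail:40} {f.target}")
    print(summarize(found))
```

Run it against a saved OTL.txt by replacing SAMPLE_LOG with the file's contents; the output is a review list, and each item still has to be checked by hand (an orphaned "File not found" driver can be a leftover from a tool or an uninstalled device rather than malware) before it is copied into a fix script.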

ecosarah
2012-03-25, 15:58
HI JonTom,
big thanks for all this.

" Whilst both of these programs provide good security, they may clash with each other which can leave your system vulnerable to infection."

just to say that the MS one was only put on AFTER I got the trojan, to run a scan, and have removed it!!

ecosarah
2012-03-25, 16:22
OTL

winpatrol isn't in the tray, so don't think it is activated at the moment, as it is down there when it is.

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Starting removal of ActiveX control {17492023-C23A-453E-A040-C7C580BBF700}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17492023-C23A-453E-A040-C7C580BBF700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{17492023-C23A-453E-A040-C7C580BBF700}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17492023-C23A-453E-A040-C7C580BBF700}\ not found.
Starting removal of ActiveX control {56762DEC-6B0D-4AB4-A8AD-989993B5D08B}
C:\WINDOWS\Downloaded Program Files\OnlineScanner.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:avgrsstx.dll deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27e883a2-1d58-11df-9d61-001125d3afa3}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27e883a2-1d58-11df-9d61-001125d3afa3}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27e883a2-1d58-11df-9d61-001125d3afa3}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b7cead68-1c05-11df-9d60-001125d3afa3}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b7cead68-1c05-11df-9d60-001125d3afa3}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b7cead68-1c05-11df-9d60-001125d3afa3}\ not found.
File E:\AutoRun.exe not found.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET129.tmp deleted successfully.
C:\WINDOWS\System32\SET12A.tmp deleted successfully.
C:\WINDOWS\System32\SET12C.tmp deleted successfully.
C:\WINDOWS\System32\SET12D.tmp deleted successfully.
C:\WINDOWS\System32\SET12E.tmp deleted successfully.
C:\WINDOWS\System32\SET12F.tmp deleted successfully.
C:\WINDOWS\System32\SET131.tmp deleted successfully.
C:\WINDOWS\System32\SET133.tmp deleted successfully.
C:\WINDOWS\003010_.tmp deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\WINDOWS\~GLC0000.TMP deleted successfully.
C:\WINDOWS\~GLH0000.TMP deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:8FF81EB0 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: 1 Sarah
->Temp folder emptied: 136527245 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 53728286 bytes
->Google Chrome cache emptied: 557424 bytes
->Flash cache emptied: 60516 bytes

User: Administrator
->Temp folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56475 bytes

User: IT Support

User: LocalService
->Temp folder emptied: 3041192 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 2033990 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3376689 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 221944851 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 14610194 bytes

Total Files Cleaned = 416.00 mb


[EMPTYFLASH]

User: 1 Sarah
->Flash cache emptied: 0 bytes

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: IT Support

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.39.2 log created on 03252012_150703

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\1 Sarah\Local Settings\Temp\Perflib_Perfdata_c88.dat not found!
C:\Documents and Settings\1 Sarah\Local Settings\Temp\~DFE021.tmp moved successfully.
C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\startupCache\startupCache.4.little moved successfully.
C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\urlclassifier3.sqlite moved successfully.
C:\WINDOWS\temp\vtclrg41.tmp moved successfully.
File\Folder C:\WINDOWS\temp\ZLT04644.TMP not found!

Registry entries deleted on Reboot...

ecosarah
2012-03-25, 16:54
ComboFix didn't seem to want to connect to the net for the Recovery Console. So I disabled the net when it said it was scanning for infected files.

Then it said: this typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double.

It has had over 20 mins and I think it has crashed because even the clock isn't up to date. The mouse moves but I couldn't open Firefox... :oops:

I am leaving uTorrent on my computer for now. I won't use it till it is clear, of course (not that I've used it for several years). Thanks for the explanation about why it is so dangerous.

please advise what to do next....

big thanks:thanks:

ecosarah
2012-03-25, 16:57
had definitely crashed, so switched off.

didn't mean to sound stubborn about uTorrent: am happy to remove it if it helps you to help me.

JonTom
2012-03-25, 23:58
Hello ecosarah

Thank you for the OTL log.


"just to say that the MS one was only put on AFTER I got the trojan, to run a scan, and have removed it!!"

Thanks for letting me know.


"didn't mean to sound stubborn about utorrents: am happy to remove if it helps you to help me"

No problem at all. It's actually helping you to help yourself. You'd be better off without it.


"It has had over 20 mins"

Some scans can take up to an hour to run.


"So I disabled the net when it said it was scanning for infected files"

This may have contributed to the crash. Please do not click on anything when Combofix is running.

Please disable all of your security programs and try running Combofix again.

If it crashes, reboot into Safe Mode and try from there:

Reboot Your System in Safe Mode


Restart your computer.
As soon as the BIOS has loaded, begin tapping the F8 key until the "Advanced Options" menu appears.
Use the arrow keys to select the Safe mode menu item.
Press Enter.


If combofix is able to complete its run from either mode please post the log.

If you are still having problems come back and let me know.

ecosarah
2012-03-26, 16:48
Have followed your instructions again, leaving it connected to the internet. It is very scary thinking of it being connected to the net for an hour with no firewall or antivirus...:bomb:

ecosarah
2012-03-26, 16:57
screen has disappeared, so don't know where it's at. Hard drive light not lit at all, like when it crashed. Will leave it an hour, unless I hear from you, however don't think it is doing anything!

JonTom
2012-03-26, 17:03
Hello ecosarah


"screen has disappeared"

Do you mean the Combofix screen or your desktop icons?

It is normal for the desktop icons to disappear when Combofix runs (they will re-appear when it has finished).

However, if the blue Combofix window has disappeared that is not normal.

If the machine has crashed again please see if Combofix will run from Safe Mode as mentioned earlier.

Let me know how you get on in your next reply :)

ecosarah
2012-03-26, 17:43
I meant screen is black all over with a light that means it hasn't switched off, but no light in the hard drive symbol... It has had nearly an hour now. Last time I tried to open in safe mode 3 times it crashed: will try again...

ecosarah
2012-03-26, 17:44
with a light that is below the screen, where the different symbols are lit up.

ecosarah
2012-03-26, 17:54
crashed in safe mode again with hard drive light permanently on, and on page two of the list of pathways. Last time I left it 20 mins or so and got no change.

when I choose safe mode, I then get a further choice: recovery console or xp windows prof. I always choose the latter, as that is what it normally starts in. Should I be choosing the former?

thanks

ecosarah
2012-03-26, 17:55
will start normally and try again with Combofix...

ecosarah
2012-03-26, 19:31
given it nearly 1.5 hrs now. Cursor still blinking, otherwise all is frozen, including the clock from right at the beginning.

oh dear! :confused:

look forward to hearing from you,
sarah

JonTom
2012-03-26, 19:50
Hello ecosarah

It does not sound as though Combofix is going to complete.

Please re-start and post another OTL scan log.

ecosarah
2012-03-26, 20:57
Hi JonTom,

thanks,
do I follow the instructions in post no. 5 that you gave me, including posting in the info in the custom scan section, or do I just run it normally?

thanks,
sarah

JonTom
2012-03-26, 23:40
Hello ecosarah


"do I follow the instructions in post no. 5 that you gave me, including posting in the info in the custom scan section"

Yes please :bigthumb:

ecosarah
2012-03-27, 03:56
OTL logfile created on: 27/03/2012 02:30:22 - Run 2
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\1 Sarah\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.49 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.80% Memory free
2.83 Gb Paging File | 2.33 Gb Available in Paging File | 82.36% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.29 Gb Total Space | 1.37 Gb Free Space | 4.11% Space Free | Partition Type: NTFS

Computer Name: MAXIMILLION | User Name: 1 Sarah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/24 18:34:51 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1 Sarah\Desktop\OTL.com
PRC - [2011/12/18 22:08:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
PRC - [2011/12/18 22:04:24 | 000,073,360 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
PRC - [2011/11/03 15:44:28 | 000,497,280 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2011/11/03 15:44:24 | 000,738,944 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2011/08/12 18:13:26 | 000,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
PRC - [2011/07/01 20:10:23 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/04/30 09:52:26 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/12/24 13:02:23 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/06/19 16:19:26 | 000,304,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
PRC - [2005/03/18 11:07:00 | 000,086,016 | ---- | M] (IBM Corp.) -- C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
PRC - [2005/03/18 11:07:00 | 000,077,824 | ---- | M] (IBM Corp.) -- C:\WINDOWS\system32\QCONSVC.EXE
PRC - [2005/03/04 01:10:32 | 000,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
PRC - [2004/12/16 12:49:44 | 000,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
PRC - [2004/11/04 17:47:04 | 000,040,547 | ---- | M] (UPEK Inc.) -- C:\Program Files\Common Files\Virtual Token\vtserver.exe
PRC - [2004/09/07 00:03:52 | 000,077,824 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
PRC - [2003/07/12 02:19:22 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
PRC - [2002/01/10 23:01:34 | 000,065,536 | ---- | M] (IBM Corporation) -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe


========== Modules (No Company Name) ==========

MOD - [2011/08/12 18:13:26 | 000,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
MOD - [2010/01/28 12:57:58 | 000,355,688 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2005/03/19 07:10:38 | 000,028,672 | ---- | M] () -- C:\Program Files\ThinkPad\ConnectUtilities\Res\US\IconRes.dll
MOD - [2005/03/04 01:10:32 | 000,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
MOD - [2005/01/21 09:00:00 | 000,065,536 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWRMGRIF.DLL
MOD - [2005/01/21 09:00:00 | 000,032,768 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRT.DLL
MOD - [2004/12/16 12:49:44 | 000,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
MOD - [2004/12/16 11:41:58 | 000,045,056 | ---- | M] () -- C:\WINDOWS\system32\pwdmon.dll
MOD - [2004/11/24 10:10:00 | 000,036,864 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\EZMAPRES.DLL
MOD - [2004/09/07 00:03:52 | 000,077,824 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
MOD - [2004/08/17 20:28:12 | 000,225,280 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\tpfnf7.dll
MOD - [2004/08/13 04:11:26 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\tphklock.dll
MOD - [2003/07/12 02:19:22 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
MOD - [2003/07/04 07:49:30 | 000,024,576 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY_2\tphk_2k.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\PsaSrv.exe -- (PsaSrv)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/02/15 14:30:18 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2011/12/18 22:08:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2011/11/03 15:44:28 | 000,497,280 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe -- (IswSvc)
SRV - [2011/08/12 18:13:26 | 000,087,040 | ---- | M] () [Auto | Running] -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)
SRV - [2011/07/01 20:10:23 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/06/29 15:59:18 | 000,155,344 | ---- | M] (Avanquest Software) [On_Demand | Stopped] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe -- (Sony Ericsson PCCompanion)
SRV - [2011/04/30 09:52:26 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/04/02 16:52:56 | 000,543,744 | ---- | M] (OptionNV) [Disabled | Stopped] -- C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe -- (GtDetectSc)
SRV - [2008/08/29 11:01:22 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus(R) Helper) getPlus(R)
SRV - [2005/03/18 11:07:00 | 000,077,824 | ---- | M] (IBM Corp.) [Auto | Running] -- C:\WINDOWS\system32\QCONSVC.EXE -- (QCONSVC)
SRV - [2004/12/16 12:49:44 | 000,385,024 | ---- | M] () [Auto | Running] -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe -- (IBM Rapid Restore Ultra Service)
SRV - [2004/11/04 17:47:04 | 000,040,547 | ---- | M] (UPEK Inc.) [Auto | Running] -- C:\Program Files\Common Files\Virtual Token\vtserver.exe -- (vtserver)
SRV - [2004/10/01 23:06:34 | 000,163,840 | ---- | M] (Broadcom Corporation) [On_Demand | Stopped] -- C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2003/07/12 02:19:22 | 000,032,768 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Boot | Stopped] -- system32\ZoneLabs\srescan.sys -- (srescan)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\LVCD.sys -- (QCDonner) Logitech QuickCam Express(PID_0840)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\glauiad.sys -- (iadusb)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\1SARAH~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\adiusbaw.sys -- (adiusbaw)
DRV - File not found [Kernel | Auto | Stopped] -- System32\Drivers\adildr.sys -- (ADILOADER) General Purpose USB Driver (adildr.sys)
DRV - [2011/12/18 22:04:24 | 000,525,840 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (Vsdatant)
DRV - [2011/11/03 15:44:20 | 000,027,016 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2011/07/01 20:10:25 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/07/01 20:10:25 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/22 19:01:50 | 000,021,248 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\htcnprot.sys -- (htcnprot)
DRV - [2009/12/24 21:57:13 | 000,025,512 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggsemc.sys -- (ggsemc)
DRV - [2009/12/24 21:57:13 | 000,013,224 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggflt.sys -- (ggflt)
DRV - [2009/06/10 01:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys -- (HTCAND32)
DRV - [2009/05/11 11:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/10/21 09:22:48 | 000,114,600 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017mdm.sys -- (s0017mdm)
DRV - [2008/10/21 09:22:48 | 000,109,736 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017unic.sys -- (s0017unic) Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM)
DRV - [2008/10/21 09:22:48 | 000,108,328 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017mgmt.sys -- (s0017mgmt) Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM)
DRV - [2008/10/21 09:22:48 | 000,104,616 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017obex.sys -- (s0017obex)
DRV - [2008/10/21 09:22:48 | 000,086,824 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017bus.sys -- (s0017bus) Sony Ericsson Device 0017 driver (WDM)
DRV - [2008/10/21 09:22:48 | 000,026,024 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017nd5.sys -- (s0017nd5) Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS)
DRV - [2008/10/21 09:22:48 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017mdfl.sys -- (s0017mdfl)
DRV - [2008/04/13 19:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/02/18 17:14:38 | 000,106,624 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Gt51Ip.sys -- (GT72NDISIPXP)
DRV - [2008/02/08 13:00:22 | 000,059,648 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gt72ubus.sys -- (GT72UBUS)
DRV - [2008/02/01 16:43:22 | 000,103,720 | ---- | M] (Guillemot Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\camfilt2.sys -- (camfilt2)
DRV - [2008/01/09 13:28:34 | 000,027,632 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\seehcri.sys -- (seehcri)
DRV - [2007/12/10 14:22:22 | 000,110,120 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017unic.sys -- (s3017unic) Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM)
DRV - [2007/12/10 14:22:22 | 000,100,648 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017obex.sys -- (s3017obex)
DRV - [2007/12/10 14:22:20 | 000,104,616 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017mgmt.sys -- (s3017mgmt) Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM)
DRV - [2007/12/10 14:22:20 | 000,025,512 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017nd5.sys -- (s3017nd5) Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS)
DRV - [2007/12/10 14:22:18 | 000,110,632 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017mdm.sys -- (s3017mdm)
DRV - [2007/12/10 14:22:18 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017mdfl.sys -- (s3017mdfl)
DRV - [2007/12/10 14:22:14 | 000,083,880 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017bus.sys -- (s3017bus) Sony Ericsson Device 3017 driver (WDM)
DRV - [2007/07/13 10:45:08 | 000,285,952 | ---- | M] (Akkord Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HDvidv.sys -- (APL531)
DRV - [2007/06/14 18:34:00 | 000,457,856 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PAC7302.SYS -- (PAC7302)
DRV - [2007/05/21 08:29:26 | 000,235,648 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8187.sys -- (RTLWUSB)
DRV - [2007/04/23 16:54:50 | 000,100,488 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115mgmt.sys -- (s115mgmt) Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/23 16:54:46 | 000,083,208 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115bus.sys -- (s115bus) Sony Ericsson Device 115 driver (WDM)
DRV - [2007/04/23 14:54:50 | 000,098,568 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115obex.sys -- (s115obex)
DRV - [2007/04/23 14:54:48 | 000,108,680 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115mdm.sys -- (s115mdm)
DRV - [2007/04/23 14:54:48 | 000,015,112 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115mdfl.sys -- (s115mdfl)
DRV - [2007/04/03 14:57:54 | 000,099,080 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116unic.sys -- (s116unic) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM)
DRV - [2007/04/03 14:57:52 | 000,098,696 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116obex.sys -- (s116obex)
DRV - [2007/04/03 14:57:52 | 000,023,176 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116nd5.sys -- (s116nd5) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS)
DRV - [2007/04/03 14:57:50 | 000,100,488 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116mgmt.sys -- (s116mgmt) Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/03 14:57:48 | 000,108,680 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116mdm.sys -- (s116mdm)
DRV - [2007/04/03 14:57:48 | 000,015,112 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116mdfl.sys -- (s116mdfl)
DRV - [2007/04/03 14:57:42 | 000,083,336 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116bus.sys -- (s116bus) Sony Ericsson Device 116 driver (WDM)
DRV - [2007/03/30 13:38:14 | 000,008,064 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gtptser.sys -- (GTPTSER)
DRV - [2005/08/15 20:25:50 | 000,013,184 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2005/03/18 11:07:00 | 000,012,288 | ---- | M] (IBM Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qcndisif.sys -- (QCNDISIF)
DRV - [2005/03/18 11:07:00 | 000,011,520 | ---- | M] (IBM Corp.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ANC.sys -- (ANC)
DRV - [2005/03/18 11:07:00 | 000,002,432 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\IBMBLDID.SYS -- (IBMTPCHK)
DRV - [2005/02/14 16:00:10 | 003,255,168 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
DRV - [2005/02/11 10:22:48 | 000,081,728 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\k750mgmt.sys -- (k750mgmt)
DRV - [2005/02/11 10:19:20 | 000,055,216 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\k750bus.sys -- (k750bus) Sony Ericsson 750 driver (WDM)
DRV - [2005/01/21 09:40:00 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SMAPINT.SYS -- (Smapint)
DRV - [2005/01/21 09:40:00 | 000,009,340 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
DRV - [2005/01/21 09:00:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2004/12/16 12:12:20 | 000,063,616 | ---- | M] (IBM) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ibmfilter.sys -- (ibmfilter)
DRV - [2004/12/07 01:55:20 | 000,126,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/12/03 00:14:44 | 000,014,208 | ---- | M] (IBM Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\TPDiskPM.sys -- (TPDiskPM)
DRV - [2004/12/02 23:54:12 | 000,006,016 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TPInput.sys -- (TPInput)
DRV - [2004/12/01 10:33:00 | 000,007,168 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2004/11/11 00:47:30 | 000,200,448 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/11/11 00:46:24 | 000,685,184 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/11/11 00:45:50 | 001,041,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/10/15 18:20:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/10/01 22:51:46 | 000,017,024 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2004/10/01 22:48:30 | 001,241,482 | ---- | M] (Broadcom Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2004/10/01 22:47:06 | 000,147,896 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2004/10/01 22:44:22 | 000,030,299 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2004/10/01 22:43:44 | 000,054,488 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2004/08/04 13:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/04 13:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/05/19 21:41:26 | 000,013,757 | ---- | M] (National Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NscTpmDD.sys -- (portio)
DRV - [2003/12/08 11:53:48 | 000,053,600 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcan5wn.sys -- (alcan5wn) SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)
DRV - [2003/12/08 11:53:46 | 000,070,688 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcaudsl.sys -- (alcaudsl)
DRV - [2002/02/19 13:06:28 | 000,021,019 | ---- | M] (Magic Control Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\u2s2kxp.sys -- (U2SP) USB to Serial Converter Driver(Philips)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.saynoto0870.com/
IE - HKCU\..\SearchScopes,DefaultScope = {78F909E2-E4DC-4AF1-8FD7-B411278EEC6D}
IE - HKCU\..\SearchScopes\{04E563C9-734C-41AE-A368-E84AB98DF7A7}: "URL" = http://www.bing.com/search?q={searchTerms}&form=IE0006
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{78F909E2-E4DC-4AF1-8FD7-B411278EEC6D}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "Messenger Plus Live UK Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2516768&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.saynoto0870.com/numbersearch.php"
FF - prefs.js..extensions.enabledItems: {53c4d698-0a74-873e-7946-7d19bb035667}:2.6
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19.1
FF - prefs.js..extensions.enabledItems: feedbar@efinke.com:5.0
FF - prefs.js..extensions.enabledItems: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}:7.0.3.0
FF - prefs.js..extensions.enabledItems: {c33c5b47-69c8-45a4-a5e0-af85bbe628dd}:1.6.1.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: CompactMenuCE@Merci.chao:4.2.1
FF - prefs.js..extensions.enabledItems: isreaditlater@ideashower.com:2.1.1
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.5
FF - prefs.js..extensions.enabledItems: reliby@gemal.dk:1.5.0
FF - prefs.js..extensions.enabledItems: {1f91cde0-c040-11da-a94d-0800200c9a66}:4.1
FF - prefs.js..extensions.enabledItems: savesession@noasobi.net:1.3.1.6
FF - prefs.js..extensions.enabledItems: {53A03D43-5363-4669-8190-99061B2DEBA5}:1.3.7
FF - prefs.js..extensions.enabledItems: firefox-extension@shareaholic.com:2.2.0
FF - prefs.js..extensions.enabledItems: {BEDED222-EAEC-11DA-9B41-B622A1EF5492}:1.0.12
FF - prefs.js..extensions.enabledItems: smartbookmarksbar@remy.juteau:1.4.3
FF - prefs.js..extensions.enabledItems: {64161300-e22b-11db-8314-0800200c9a66}:0.9.5.8
FF - prefs.js..extensions.enabledItems: taboo@runningfrombears.com:0.6.1
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119091315
FF - prefs.js..extensions.enabledItems: zotero@chnm.gmu.edu:2.0.9
FF - prefs.js..network.proxy.type: 4


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.652: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.652: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/07/01 20:48:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2012/03/17 23:42:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/10 15:18:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/12 16:17:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 9.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/01/11 13:59:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012/01/12 16:17:14 | 000,000,000 | ---D | M]

[2008/07/01 20:15:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Extensions
[2012/03/23 23:37:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions
[2011/12/09 11:41:53 | 000,000,000 | ---D | M] (iMacros for Firefox) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
[2010/12/23 23:31:05 | 000,000,000 | ---D | M] (British English Dictionary) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2011/11/07 18:47:35 | 000,000,000 | ---D | M] ("MemberPlugin") -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\MemberPlugin@edward.hibbert
[2010/02/09 21:50:18 | 000,000,000 | ---D | M] (Reliby) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\reliby@gemal.dk
[2009/07/22 11:32:24 | 000,000,000 | ---D | M] (Save Session) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\savesession@noasobi.net
[2012/03/03 06:46:54 | 000,000,000 | ---D | M] (Zotero) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\zotero@chnm.gmu.edu
[2011/09/25 19:28:32 | 000,002,220 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\amabay-uk.xml
[2012/03/16 23:22:21 | 000,002,570 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\amazon-decouk.xml
[2010/02/06 23:17:22 | 000,000,947 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\conduit.xml
[2011/09/25 19:29:34 | 000,011,430 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\ebaycouk-search.xml
[2008/06/25 13:48:35 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\wikipedia-en.xml
[2011/07/09 21:01:05 | 000,002,323 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\youtube-ssl.xml
[2012/01/10 15:19:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/03/02 21:33:30 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/01/10 15:18:11 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/02/02 22:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2008/04/11 18:38:19 | 000,024,673 | ---- | M] (Check Point Software Technologies Ltd.) -- C:\Program Files\mozilla firefox\plugins\NPZoneSB.dll
[2012/01/10 15:17:49 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/10 15:17:49 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google ()
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}

O1 HOSTS File: ([2008/11/05 23:12:18 | 000,286,531 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.123haustiereundmehr.com
O1 - Hosts: 127.0.0.1 123haustiereundmehr.com
O1 - Hosts: 9901 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (IBM Corp.)
O4 - HKLM..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)
O4 - HKLM..\Run: [TP4EX] C:\WINDOWS\System32\TP4EX.exe (IBM Corporation)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (IBM Corp.)
O4 - HKLM..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe ()
O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
O4 - Startup: C:\Documents and Settings\1 Sarah\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (Broadcom Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\psfus: DllName - (C:\Program Files\IBM fingerprint software\psfus.dll) - C:\Program Files\IBM fingerprint software\psfus.dll (UPEK Inc.)
O20 - Winlogon\Notify\QConGina: DllName - (QConGina.dll) - C:\WINDOWS\System32\QConGina.dll (IBM Corp.)
O20 - Winlogon\Notify\tphotkey: DllName - (tphklock.dll) - C:\WINDOWS\System32\tphklock.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/10/06 07:35:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/03/26 17:01:41 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/03/25 15:27:36 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/25 15:27:36 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/25 15:27:36 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/25 15:27:36 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/25 15:24:20 | 004,443,082 | R--- | C] (Swearware) -- C:\Documents and Settings\1 Sarah\Desktop\ComboFix.exe
[2012/03/25 15:07:03 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/03/24 18:34:21 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\1 Sarah\Desktop\OTL.com
[2012/03/23 23:35:11 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\1 Sarah\Desktop\aswMBR.exe
[2012/03/18 03:28:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2012/03/17 23:44:56 | 000,237,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2012/03/17 23:41:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2012/03/17 19:39:30 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\1 Sarah\Desktop\dds.scr
[2012/03/17 19:34:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/03/17 19:34:09 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/03/17 19:33:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2012/03/17 09:58:44 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\1 Sarah\Recent
[2012/03/17 09:39:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2012/03/03 07:25:19 | 006,600,192 | ---- | C] (Mirage Systems) -- C:\WINDOWS\System32\LicProtector310.exe
[2012/03/03 07:25:19 | 002,323,520 | ---- | C] (gdpicture.com) -- C:\WINDOWS\System32\gdpicturepro5.ocx
[2012/03/02 21:32:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2012/03/02 21:32:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype

========== Files - Modified Within 30 Days ==========

[2012/03/27 02:30:46 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2012/03/26 19:49:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/26 19:49:03 | 1600,638,976 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/26 15:37:57 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/25 15:24:24 | 004,443,082 | R--- | M] (Swearware) -- C:\Documents and Settings\1 Sarah\Desktop\ComboFix.exe
[2012/03/25 15:18:06 | 000,435,154 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/25 15:18:06 | 000,068,892 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/25 15:05:45 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/03/24 18:34:51 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1 Sarah\Desktop\OTL.com
[2012/03/24 00:49:34 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Desktop\MBR.dat
[2012/03/23 23:36:11 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\1 Sarah\Desktop\aswMBR.exe
[2012/03/17 22:21:13 | 000,262,232 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/17 22:11:28 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/17 19:39:38 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\1 Sarah\Desktop\dds.scr
[2012/03/17 19:34:46 | 000,000,778 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/03/17 19:34:11 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Desktop\ERUNT.lnk
[2012/03/17 19:33:01 | 000,000,962 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/03/17 10:01:40 | 000,582,406 | ---- | M] () -- C:\Documents and Settings\1 Sarah\My Documents\cc_backup changes 17.3.12.reg
[2012/03/06 10:21:41 | 000,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI

========== Files Created - No Company Name ==========

[2012/03/25 15:27:36 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/25 15:27:36 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/25 15:27:36 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/25 15:27:36 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/25 15:27:36 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/24 00:49:34 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Desktop\MBR.dat
[2012/03/17 23:41:22 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2012/03/17 22:11:06 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/03/17 19:34:46 | 000,000,778 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/03/17 19:34:11 | 000,000,603 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Desktop\ERUNT.lnk
[2012/03/17 19:33:01 | 000,000,962 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/03/17 10:00:57 | 000,582,406 | ---- | C] () -- C:\Documents and Settings\1 Sarah\My Documents\cc_backup changes 17.3.12.reg
[2012/03/06 10:21:41 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2012/02/20 19:26:17 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/10/10 11:28:05 | 000,000,302 | ---- | C] () -- C:\WINDOWS\System32\Remover.ini
[2011/09/24 21:22:09 | 003,600,384 | ---- | C] () -- C:\WINDOWS\ffmpeg.exe
[2010/05/05 21:26:20 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/04/11 20:50:23 | 000,000,272 | ---- | C] () -- C:\WINDOWS\_delis32.ini

========== LOP Check ==========

[2012/01/25 17:34:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Amorh
[2010/04/10 22:32:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\AVGTOOLBAR
[2010/07/24 10:37:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\CheckPoint
[2009/05/01 20:09:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/01/18 21:28:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Desktopicon
[2012/01/18 19:24:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\HTC
[2011/12/30 14:29:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\HTC.388BC06ACDAB6261375BCE37FBA2E023C0D7EE34.1
[2009/07/26 00:29:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\HTML Executable
[2005/10/07 16:43:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\IBM
[2005/10/30 11:41:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\InterVideo
[2008/04/03 20:10:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\iolo
[2009/05/22 08:25:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\MSNInstaller
[2010/01/19 20:38:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\MyPhoneExplorer
[2007/05/14 11:26:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Nikon
[2009/05/31 18:50:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Nokia Multimedia Player
[2007/04/12 15:36:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\OpenOffice.org1.9.79
[2011/12/30 14:33:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Outlook
[2012/03/03 08:25:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Suyguvl
[2010/02/19 13:04:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Tatara Systems
[2011/06/14 09:59:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\TeamViewer
[2009/12/31 14:26:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Teleca
[2012/01/11 13:59:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Thunderbird
[2011/05/09 21:14:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Uniblue
[2009/05/29 15:15:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\uTorrent
[2008/11/01 21:50:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\WinPatrol
[2010/09/23 12:09:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2012/01/11 12:53:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2005/10/11 12:32:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ibm
[2008/04/03 20:10:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2008/02/18 10:49:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2010/02/19 13:00:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\O2CM-CE
[2011/03/04 19:58:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sage
[2005/11/26 12:00:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2009/12/28 12:05:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Teleca
[2010/01/19 20:40:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/03/17 09:39:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2011/10/24 12:32:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/03/27 02:30:46 | 000,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >
[2008/09/29 14:07:31 | 000,000,184 | ---- | M] () -- C:\setuplog.exe

< MD5 for: AGP440.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/10/14 14:06:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/10/14 14:06:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 07:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/10/14 14:06:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/10/14 14:06:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 06:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 13:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/08/09 18:45:10 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2004/08/09 18:45:10 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2004/08/09 18:45:10 | 000,876,544 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2012/01/09 17:20:25 | 000,139,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\rdpwd.sys

< End of report >
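
As an added example (not OTL's code, and not anything posted in this thread), the following Python script shows how the two parts of the log above that mattered here can be triaged mechanically: the LOP Check, where JonTom picked out the two oddly named Application Data folders (Amorh, Suyguvl) for a SystemLook follow-up, and the MD5 custom scans, where the live copy of each system file is compared with its ServicePackFiles reference copy. The entry regex, the vendor allow-list and the "single capitalised token modified recently" heuristic are the editor's assumptions, not OTL's; the sample block mixes lines copied from the log above with two constructed "example.dll" lines (placeholder hashes) so that the hash comparison has something to report.

```python
"""Triage helpers for OTL-style log lines (an added example; not OTL's own code).

The parsing regex, the allow-list and the review heuristics are the editor's
assumptions. SAMPLE_LOG mixes lines copied from the thread's OTL log with two
constructed "example.dll" lines (all-zero / all-one placeholder hashes).
"""
import re
from datetime import date

# One OTL entry: [YYYY/MM/DD HH:MM:SS | size | attrs | M/C] (Company) MD5=... -- path
# The "(Company)", "MD5=" and ".cab file" parts are optional in real logs.
ENTRY_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) \d{2}:\d{2}:\d{2} \| [\d,]+ \| (?P<attrs>[\w-]+) \| [MC]\]"
    r"(?: \((?P<company>[^)]*)\))?(?: MD5=(?P<md5>[0-9A-Fa-f]{32}))?(?: \.cab file)?"
    r" -- (?P<path>.+)$"
)

# Application Data folder names that belong to products seen on this machine
# (assumed allow-list; extend it for your environment).
KNOWN_VENDOR_DIRS = {
    "avgtoolbar", "checkpoint", "htc", "ibm", "intervideo", "iolo", "nikon",
    "outlook", "teamviewer", "teleca", "thunderbird", "trusteer", "uniblue",
    "utorrent", "winpatrol", "sage", "msninstaller", "myphoneexplorer",
}
# Generated folder names tend to be one capitalised alphabetic token.
SINGLE_TOKEN_RE = re.compile(r"^[A-Z][a-z]{3,9}$")

# Lines 1-9 are copied from the log above; the last two are constructed.
SAMPLE_LOG = r"""
[2012/01/25 17:34:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Amorh
[2010/04/10 22:32:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\AVGTOOLBAR
[2012/01/18 19:24:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\HTC
[2012/03/03 08:25:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Suyguvl
[2012/03/17 09:39:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 07:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2008/04/14 01:11:53 | 000,010,000 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\WINDOWS\ServicePackFiles\i386\example.dll
[2012/03/05 02:00:00 | 000,010,240 | ---- | M] () MD5=11111111111111111111111111111111 -- C:\WINDOWS\system32\example.dll
"""


def _parse_date(text):
    year, month, day = text.split("/")
    return date(int(year), int(month), int(day))


def parse_entries(text):
    """Return one dict per line that matches the OTL entry layout."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({
                "date": _parse_date(m.group("date")),
                "attrs": m.group("attrs"),
                "company": m.group("company") or "",
                "md5": (m.group("md5") or "").upper(),
                "path": m.group("path"),
            })
    return entries


def suspicious_appdata_dirs(entries, log_date, window_days=90):
    """Application Data folders worth a closer look: directories modified within
    `window_days` of the log date whose leaf name is a single capitalised token
    and is not on the vendor allow-list."""
    log_day = _parse_date(log_date)
    hits = []
    for e in entries:
        if "D" not in e["attrs"] or "\\application data\\" not in e["path"].lower():
            continue
        leaf = e["path"].rsplit("\\", 1)[-1]
        if leaf.lower() in KNOWN_VENDOR_DIRS or not SINGLE_TOKEN_RE.match(leaf):
            continue
        if 0 <= (log_day - e["date"]).days <= window_days:
            hits.append(leaf)
    return hits


def md5_mismatches(entries):
    """Files whose live copy under system32 hashes differently from the
    ServicePackFiles reference copy. The $NtServicePackUninstall$ copy is the
    pre-service-pack version and is expected to differ, so it is left out."""
    seen = {}
    for e in entries:
        if not e["md5"]:
            continue
        low = e["path"].lower()
        name = low.rsplit("\\", 1)[-1]
        if "\\servicepackfiles\\" in low:
            seen.setdefault(name, {})["reference"] = e["md5"]
        elif "\\system32\\" in low:
            seen.setdefault(name, {})["live"] = e["md5"]
    return sorted(n for n, v in seen.items()
                  if "live" in v and "reference" in v and v["live"] != v["reference"])


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_LOG)
    print("folders to review:", suspicious_appdata_dirs(ents, "2012/03/27"))
    print("hash mismatches:", md5_mismatches(ents))
```

Run against the sample, the review list is exactly the two folders JonTom sent to SystemLook, and the only hash mismatch is the constructed one; the real agp440.sys, atapi.sys, eventlog.dll, netlogon.dll and scecli.dll entries in the log above all agree with their ServicePackFiles copies. A hit from either function is a prompt for manual inspection, not a verdict.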

ecosarah
2012-03-27, 04:01
Can't find an extras.txt this time: is that correct?

thanks JonTom,

sarah

JonTom
2012-03-27, 21:24
Hello ecosarah


Can't find an extras.txt this time: is that correct?

No need to worry about that. No extras log is produced after the first run.

There is not a great deal jumping out from your latest OTL log.

Let's see where we are after doing the following:


Reset your Firefox browser proxies


Open Firefox, click on "Tools" then "Options" and then on "Advanced".
Click on the "Network" tab, and then on the "Settings" button.
Please make sure that the "No Proxy" option is selected.



Please download SystemLook by JPShortstuff


Please download SystemLook by JPShortstuff by clicking here (http://jpshortstuff.247fixes.com/SystemLook.exe) or here (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe) and save the file (called SystemLook.exe) to your desktop.
Double click SystemLook.exe to run the program.
Copy the content of the following codebox into the main textfield:


:dir
C:\Documents and Settings\1 Sarah\Application Data\Amorh /s
C:\Documents and Settings\1 Sarah\Application Data\Suyguvl /s



Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Please run the following scan


Note: Internet Explorer is preferred for this scan, although it will run with other browsers.
Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
Please disable your real time security programs before performing the scan.



Scan your system with Eset Online Scanner (http://www.eset.com/onlinescan/)
Place a check mark in the box YES, I accept the Terms Of Use.
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.



Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option to "Remove Found Threats" is UN checked.
Push the "Start" button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png


Please post the SystemLook log and the ESET log in your next reply.

ecosarah
2012-03-28, 00:26
SystemLook 30.07.11 by jpshortstuff
Log created at 23:25 on 27/03/2012 by 1 Sarah
Administrator - Elevation successful

========== dir ==========

C:\Documents and Settings\1 Sarah\Application Data\Amorh - Parameters: "/s"

---Files---
aqiffi.ibu --a--c- 135420 bytes [16:34 25/01/2012] [12:38 06/03/2012]
aqiffi.tmp --a--c- 370 bytes [16:24 25/01/2012] [16:24 25/01/2012]

No folders found.

C:\Documents and Settings\1 Sarah\Application Data\Suyguvl - Parameters: "/s"

---Files---
None found.

No folders found.

-= EOF =-

ecosarah
2012-03-28, 02:25
C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application
C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application
C:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL a variant of Win32/Toolbar.MyWebSearch application


:thanks:

ecosarah
2012-03-28, 09:54
JonTom, I wanted to say about 2 strange things that have happened:

Yesterday ZoneAlarm said there was a new IP address, and asked if I wanted it to be in the trusted or public zone. Nothing has changed and my father's computer hasn't registered anything.

A few days ago, MS told me I don't have a genuine copy, and I have never had a message tell me that in all the years. This message now pops up regularly.

JonTom
2012-03-28, 12:30
Hello ecosarah


A few days ago, MS told me I don't have a genuine copy, and I have never had a message tell me that in all the years. This message now pops up regularly.

Let's see what the following can tell us:

MGADiag


Please download MGADiag by clicking here (http://go.microsoft.com/fwlink/?linkid=52012) and save it to your desktop.
Double click the http://billy-oneal.com/Canned%20Speeches/speechimages/mgadiag/diagicon.png icon on your desktop.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/mgadiag/continue.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/mgadiag/copy.png
Go to Start -> Run and type in "Notepad"
Go to Edit -> Paste in notepad.
"x" out all of the numbers and letters in the line beginning with "Windows Product Key:"
Copy and paste that log here.



CKScanner


Download CKScanner by askey127 from here (http://downloads.malwareremoval.com/CKScanner.exe) and save it to your Desktop.
Double click CKScanner.exe then click on Search For Files.
When the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply


Please post both logs in your next reply.

ecosarah
2012-03-28, 20:07
Hello JonTom,

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-xxxxx-xxxxx-xxxxx
Windows Product Key Hash: 6994t4LQCbvkXhtNbqQCL4+auQs=
Windows Product ID: 76487-OEM-2211906-00107
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {A3ED1712-C52B-4C8D-9C33-11B6FC0D18F7}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: 5
File Exists: Yes
Version: 1.5.540.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{A3ED1712-C52B-4C8D-9C33-11B6FC0D18F7}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-BKVRW</PKey><PID>76487-OEM-2211906-00107</PID><PIDType>2</PIDType><SID>S-1-5-21-3694052557-2359500833-1512941615</SID><SYSTEM><Manufacturer>IBM</Manufacturer><Model>1871F1G</Model></SYSTEM><BIOS><Manufacturer>IBM</Manufacturer><Version>70ET57WW (1.17 )</Version><SMBIOSVersion major="2" minor="33"/><Date>20050715000000.000000+000</Date><SLPBIOS>IBM CORPORATION,IBM CORPORATION</SLPBIOS></BIOS><HWID>24963207018400F2</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>IBM Corporation</name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.5.540.0"/><File Name="WgaLogon.dll" Version="1.5.540.0"/></GANotification></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 13FD5:IBM|14090:Lenovo
Marker string from OEMBIOS.DAT: IBM CORPORATION,IBM CORPORATION

OEM Activation 2.0 Data-->
N/A

Do I uninstall any of these progs I am downloading: or do we do that at the end? or keep them? I have been deleting the logs I have pasted, as there is a record on the forum.

Not got an hour glass, will post this so can close window, to help scan. There are no instructions to shut down firewall and antivirus, so haven't.

ecosarah
2012-03-28, 20:09
so far it has come up with

CK Scanner- Aditional Security Risks - These are not necessarily bad scanner sequence 3.RP.11.AJNAJV
-----EOF-----

Don't know if that means it's finished or whether I need to wait a couple of hours like I did last night?

Please advise,

thanks,
sarah

ecosarah
2012-03-28, 20:22
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.AJNAJV
----- EOF -----

I ran it again, and noticed the hourglass this time!!!

and here is the result:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.NVAAHT
----- EOF -----

glad you know what it all means!!

thanks,
sarah:)

JonTom
2012-03-28, 22:23
Hello ecosarah

Thank you for the logs.


Do I uninstall any of these progs I am downloading: or do we do that at the end?

Keep everything for now as we may need to run some of the scans again. I will let you know when (and how) to remove them.

It does not appear that the copy of Windows you have has been validated.

In order to receive assistance at this forum you must validate your copy of Windows.


Activation of Windows XP


Click Start, point to All Programs, Accessories, System Tools and then click Activate Windows. Alternatively you can click the Windows Activation icon in the notification area.
Click Yes, let's activate Windows over the Internet now.
Click Read the Windows Product Activation Privacy Statement, click Back, and then click Next.
Use one of the following methods:
If you want to register and activate Windows at the same time, click Yes, I want to register and activate Windows at the same time, click Read the Windows Registration Privacy Statement, click Back, click Next, type your contact information in the appropriate boxes in the registration form, and then click Next. An asterisk (*) appears next to required information.
If you only want to activate Windows, click No, I don't want to register now; let's just activate Windows, and then click Next.
The wizard establishes a connection with an activation server, and then processes the activation request.
When activation is completed and you receive the following message: You have successfully activated your copy of Windows, click OK.
More information and alternative methods of activations can be found here: http://support.microsoft.com/kb/307890


Once your Windows has been validated please re-run MGADiag and post the log in your next reply.

ecosarah
2012-03-28, 23:15
Hi JonTom,

am completely confused :confused:. Couldn't follow your instructions because the last step wasn't available. Tried clicking on the tray icon and it wasn't available there either, and eventually got one of the options from the icon to work. The message said it was validating my copy and after a while a page came up that offered me some products. It said ...because your copy is genuine or something, however the icon in the tray is still saying it might not be genuine!!

Last time I was on this site (no malware was found), none of this happened, so presumably I was helped without a validated copy? Also confused because on the MS site it says I won't receive updates after 30 days without validating, yet I have been receiving them for years!!

re-run MGAdiagnostics...

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-xxxxx-xxxxx-xxxxx
Windows Product Key Hash: 6994t4LQCbvkXhtNbqQCL4+auQs=
Windows Product ID: 76487-OEM-2211906-00107
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {A3ED1712-C52B-4C8D-9C33-11B6FC0D18F7}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: 5
File Exists: Yes
Version: 1.5.540.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{A3ED1712-C52B-4C8D-9C33-11B6FC0D18F7}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-BKVRW</PKey><PID>76487-OEM-2211906-00107</PID><PIDType>2</PIDType><SID>S-1-5-21-3694052557-2359500833-1512941615</SID><SYSTEM><Manufacturer>IBM</Manufacturer><Model>1871F1G</Model></SYSTEM><BIOS><Manufacturer>IBM</Manufacturer><Version>70ET57WW (1.17 )</Version><SMBIOSVersion major="2" minor="33"/><Date>20050715000000.000000+000</Date><SLPBIOS>IBM CORPORATION,IBM CORPORATION</SLPBIOS></BIOS><HWID>24963207018400F2</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>IBM Corporation</name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.5.540.0"/><File Name="WgaLogon.dll" Version="1.5.540.0"/></GANotification></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 13FD5:IBM|14090:Lenovo
Marker string from OEMBIOS.DAT: IBM CORPORATION,IBM CORPORATION

OEM Activation 2.0 Data-->
N/A

thanks
sarah

JonTom
2012-03-29, 00:21
Hello ecosarah

Your latest MGADiag log confirms that you have validated your Windows :bigthumb:

Let's continue:

Please open OTL


Copy and paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL.


:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

:Files
C:\Documents and Settings\1 Sarah\Application Data\Suyguvl
C:\Documents and Settings\1 Sarah\Application Data\Amorh
C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll
C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL
C:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL

:Commands
[purity]
[emptytemp]
[emptyflash]
[start explorer]
[Reboot]





Once you have pasted the information into the Custom Scans/Fixes box, click the "Run Fix" button at the top.
Allow the program to run unhindered.
Your machine will re-start itself. This is normal.
A log will be created after your machine reboots. Please post the contents of the log in your next reply.


Please post the OTL log that is produced after you run the fix along with a new OTL scan log.

How is the machine running now?

ecosarah
2012-03-29, 11:06
All processes killed
========== OTL ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\Documents and Settings\1 Sarah\Application Data\Suyguvl folder moved successfully.
C:\Documents and Settings\1 Sarah\Application Data\Amorh folder moved successfully.
C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll moved successfully.
C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL moved successfully.
C:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: 1 Sarah
->Temp folder emptied: 1119366 bytes
->Temporary Internet Files folder emptied: 171112 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 61631001 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 759 bytes

User: Administrator
->Temp folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: IT Support

User: LocalService
->Temp folder emptied: 1983800 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 2974280 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1429471 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 284982 bytes

Total Files Cleaned = 66.00 mb


[EMPTYFLASH]

User: 1 Sarah
->Flash cache emptied: 0 bytes

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: IT Support

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.39.2 log created on 03292012_095442

Files\Folders moved on Reboot...
C:\Documents and Settings\1 Sarah\Local Settings\Temp\~DF4095.tmp moved successfully.
C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\startupCache\startupCache.4.little moved successfully.
C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\urlclassifier3.sqlite moved successfully.
C:\WINDOWS\temp\vtclrg41.tmp moved successfully.
File\Folder C:\WINDOWS\temp\ZLT046e8.TMP not found!

Registry entries deleted on Reboot...

will check how computer is running now...

ecosarah
2012-03-29, 11:32
A sign came up saying that Avira is out of date. just tried to update Avira to 2012 version, and it says I need to uninstall the following:

spybot V1.6
check point antiphishing
malwarebytes
AVG

I don't use the last two - except when you ask me to use Malwarebytes.

I have cancelled the installation, and am hoping you are happy to advise me here.

thanks!
sarah

ecosarah
2012-03-29, 12:10
Am unsure how to answer your question: how is the computer running now.

It didn't have any visible signs of having a trojan, so I cannot check for that.

I have had problems with it running slowly for ages. The HD is full, and I don't know why. It is too full to run defrag.

Perhaps you could be more specific?

thanks,
sarah

ecosarah
2012-03-29, 12:45
Wondering if you can understand the following: doc and settings/all users/documents access denied :police:. As far as I know I am always logged on as admin. This has been inaccessible for at least 2 years. It occurred to me that that might be where all the HD is taken up, so I was wanting to look.

thanks!:)

JonTom
2012-03-29, 18:21
Hello ecosarah

Is this a business/company machine?


I have cancelled the installation, and am hoping you are happy to advise me here.

Sounds as though the new version of Avira may not be compatible with the applications you listed. If you want to stick with Avira you'll have to uninstall those other applications.


The HD is full, and I don't know why. It is too full to run defrag.

Let's see if we can find out what is taking up all of the space:

WinDirStat


Please download WinDirStat by clicking here (http://windirstat.info/wds_current_setup.exe) and save it to your desktop.
Once saved, open the program.
Make sure that All Local Drives is selected, then press OK and let it run.
Please post a screenshot of the results in your next reply.

ecosarah
2012-03-29, 20:00
Cannot get the prtSc to paste into here. Have put it into windows word, and copied from there, same problem.

The laptop is my personal one.

Yes sounds like avira isn't compatible, do you have any advice here: shall I disable the required progs?

thanks,
sarah

JonTom
2012-03-29, 22:14
Hello ecosarah


Yes sounds like avira isn't compatible, do you have any advice here: shall I disable the required progs?

It's really up to you. MBAM and S&D are good programs. I can provide some alternatives to Avira which may allow you to keep them if you wish.


Cannot get the prtSc to paste into here.

You need to upload the screenshot to a host such as photobucket, in order to link to it.

Once you run the scan and take a screenshot, it can be pasted into an application such as Paint.

Once pasted into paint, save the screenshot to your desktop as a JPEG file.

Once saved, go to your image host of choice (there are a few available, but I use photobucket) and upload the file into your account.

The screenshot will be displayed in your account. Copy the Direct Link to the image and post it back here.

If you run into any problems just come back and let me know :)

ecosarah
2012-03-30, 00:07
Yes please suggest an alternative to Avira.

I am loving the pic WinDirStat produced. Have discovered a chunk of the colours is ERDNT backup every day for a number of days: says ERDNT/autobackup... Don't think I have the space to be backing so much up so often?

WinDirStat is hopefully at:

https://protectedenvironment.files.wordpress.com/2012/03/amazing-image-of-my-computer.jpeg

:thanks: you're an :angel:

JonTom
2012-03-30, 01:35
Hello ecosarah


Yes please suggest an alternative to Avira.

I will once we have taken care of the remaining issues. Until then, please keep your browsing to an absolute minimum.


WinDirStat is hopefully at:

It is. Good job :bigthumb:


Have discovered a chunk of the colours is ERDNT backup every day for a number of days: says ERDNT/autobackup... Don't think I have the space to be backing so much up so often?

Aha, you have ERUNT configured to make daily backups. That may very well be it.

ERUNT is a tool that is used to create backups of your system registry. Once created, the backups are usually stored at %WINDIR%\ERDNT\AutoBackup in the form of a folder named YYYY-MM-DD.

I cannot see how much space is being taken up by the backups from the screenshot you have posted.

How many backups are present and how much space are they taking up?

ecosarah
2012-03-30, 15:43
Hi JonTom,

7 folders, with dates as you say, 58.8mb per folder when I hover over the folder of each date. 17 and 18 march, then 25th onwards to today.:bigthumb:

best wishes,
sarah

JonTom
2012-03-30, 16:50
Hello ecosarah

The majority of file space appears to be taken up by Documents and Settings. It may be worthwhile taking a look in there to see if there are any things that are not required, or that look suspicious.

Let's configure ERUNT to save a smaller number of backups:


By default ERUNT will save the last 30 copies of the registry.
Go to your Start button > Programs > Startup > Shortcut to AUTOBACK.EXE
Right click on > Shortcut to AUTOBACK.EXE and click on properties
The Target should already be highlighted
Right click on it and choose Copy
Paste it into Notepad or Word, it should look something like this: (the path may be different on your computer)



"C:\Program Files\ERUNT\AUTOBACK.EXE" %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow


Now add this to the end: /days:3 (after noprogresswindow - note the space between the "w" and the "/").
The number indicates the number of backups being saved; you can set it to whatever you want. 3 is reasonable, but you can make it more or less if you wish.
The edited code should now look like this:



"C:\Program Files\ERUNT\AUTOBACK.EXE" %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow /days:3


Go back to the Shortcut to AUTOBACK.EXE, the Target should already be highlighted > hit your delete key > now copy and paste in the new target you created.
Make sure the Run: box says Minimized > click Apply and OK to close it out.
These automatic backups are stored in the C:\WINDOWS\ERDNT\AutoBackup folder.


Once you have adjusted ERUNT to save the number of backups you require, navigate to (and delete) the older ones.

Once deleted empty the recycle bin.

If the above does not help matters let me know in your next reply.

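As an added check (example code written for this thread, not from the original post and not part of ERUNT), the PowerShell function below lists the dated ERDNT\AutoBackup folders, totals their size and marks which ones fall outside the retention set by the /days:N switch. The backup root and the count of 3 are assumptions matching the shortcut target above; it only reports and deletes nothing.

```powershell
# Added example, not code from the thread or from ERUNT itself.
# Lists ERUNT's daily AutoBackup folders (named YYYY-MM-DD), totals their size and
# marks which ones fall outside the retention the shortcut's /days:N switch enforces.
# Assumptions: the default root below and KeepCount=3 match the thread's
# "%SystemRoot%\ERDNT\AutoBackup" target and "/days:3" switch; adjust as needed.
function Get-EruntBackupReport {
    param(
        [string]$BackupRoot = (Join-Path $env:SystemRoot 'ERDNT\AutoBackup'),
        [int]$KeepCount = 3   # the thread reads /days:N as "keep the newest N backups"
    )
    if (-not (Test-Path -LiteralPath $BackupRoot)) {
        throw "Backup root not found: $BackupRoot"
    }

    # Only folders whose names are ISO dates; sorting the name descending puts the
    # newest backup first, so the first $KeepCount entries are the ones to keep.
    $folders = Get-ChildItem -LiteralPath $BackupRoot -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\d{4}-\d{2}-\d{2}$' } |
        Sort-Object -Property Name -Descending

    $rows = @()
    $i = 0
    foreach ($f in $folders) {
        $files = Get-ChildItem -LiteralPath $f.FullName -Recurse -Force |
                 Where-Object { -not $_.PSIsContainer }
        $bytes = ($files | Measure-Object -Property Length -Sum).Sum
        if (-not $bytes) { $bytes = 0 }   # empty or unreadable folder
        if ($i -lt $KeepCount) { $action = 'keep' } else { $action = 'prune' }
        $rows += New-Object PSObject -Property @{
            Backup = $f.Name
            SizeMB = [math]::Round($bytes / 1MB, 1)
            Action = $action
        }
        $i++
    }

    $totalMB = ($rows | Measure-Object -Property SizeMB -Sum).Sum
    $pruneCount = @($rows | Where-Object { $_.Action -eq 'prune' }).Count
    Write-Host ("{0} backup folders, {1} MB in total, {2} older than the newest {3}" -f `
        $rows.Count, $totalMB, $pruneCount, $KeepCount)
    $rows | Select-Object Backup, SizeMB, Action
}

# Report only; nothing is deleted here. Review the 'prune' rows, then let ERUNT's
# /days:N switch (or a manual delete plus emptying the Recycle Bin, as above) remove them.
Get-EruntBackupReport | Format-Table -AutoSize
```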
ecosarah
2012-03-30, 18:50
Hello,
have done as suggested. Cannot run defrag as this requires 15% space and I now have 4% space!

Could you tell me where we have got with the Trojan?: I have not been using the computer except to try to ascertain how it is working to answer your questions, as I don't want to take any risks.

I could try running combofix to see if it will run now? Or is there another test you can suggest.

Have looked at docs and settings, have no idea how to tell if something is suspicious. The figures on the files add up to the total: eg music 7.6; pics 3.7; ebooks &vids 1; and other bits and pieces which could make up to 14.7. Then thunderbird is 2.6 (is that high??); all users .5; IBM tools 1; so this could come to 18.7 with the bits and pieces.

Lower down is a folder called 1386 with 462mb, don't know what this is?

thanks very much for all your help,

sarah

JonTom
2012-03-31, 17:54
Hello ecosarah


Lower down is a folder called 1386 with 462mb, dont know what this is?
The i386 folder is a required directory and can be left where it is.


Although we have dealt with all of the detections made by ESET, let's try the following:

Please delete the copy of Combofix on your desktop by dragging it to the recycle bin, then empty the bin.

Please make file extensions Visible:


Click "Start" Go to My Computer-> Tools-> Folder Options-> View tab:

Uncheck the "Hide extensions for known file types" box.
Close the window with "OK".


Download a new copy of Combofix from the link below and rename it to jontom.com


Link (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


Disable all of your security programs and run the renamed Combofix.
If the scan completes, please post the log in your next reply.
If the scan causes the machine to crash let me know.

ecosarah
2012-03-31, 20:50
Hi JonTom,

File extension box was already unticked.

Renamed ComboFix, and it warned me about changing the file extension from .exe to .com (may make it unstable, it said). Followed instructions.

It ran until the bit before the dashes start coming across the screen below the writing about it scanning. The hard drive light stopped flashing, but then the screen went into screen saver (forgot to disable beforehand) so I couldn't see what was happening, just that the hard drive light wasn't flashing. After 10 mins or so the laptop tried to standby, however it got stuck. The mouse arrow still moved but nothing happened. I shut it down with the power button.

thanks JonTom,:rockon:

sarah

JonTom
2012-04-01, 00:42
Hello ecosarah

If you use this machine for any financial transactions, and if you have not already done so, please use an uninfected machine to change all of your passwords.

In the meantime I am conferring with others about your system issues. I'll get back to you as soon as I can.

JonTom
2012-04-01, 14:33
Hello ecosarah

Let's try this:

Delete the copy of Combofix on your desktop as you did before and download a new copy to your desktop.

Once Combofix is on your desktop, disable all of your security (and your screensaver).


Click on your START button and then on RUN.
A run box will open.
Copy and paste the following command into the run box:

Combofix /nombr


Click on OK.
Allow Combofix to run unhindered.
If Combofix completes its run, please post the log in your next reply.

ecosarah
2012-04-01, 15:44
Says it cannot find that file, or something to that effect.

ecosarah
2012-04-01, 15:54
Keep meaning to say: Avira says it is out of date and my computer is at risk: do you remember I told you it wouldn't update due to some of the programs I have on here? So am wondering whether to do something about this now, so I don't get more malware on here, what do you think?

:) thanks

ecosarah
2012-04-01, 15:57
I wonder if there is some antimalware on here that I am not disabling? In the tray is Zone Alarm and Avira. I have checked that spybot is not on. Could there be a MS prog or something else that I haven't allowed to show in tray, that is running, and therefore stopping ComboFix?

JonTom
2012-04-01, 22:49
Hello ecosarah


"or something to that effect"
Please post the exact message.


"Could there be a MS prog or something else that I haven't allowed to show in tray, that is running, and therefore stopping ComboFix?"
I do not believe so, since Combofix also crashes when in safe mode (all non-essential processes are disabled in safe mode).

Please provide a screenshot of the opened Documents and Settings tree opened from WinDirStat.

Remove your outdated Avira then download and install one of the following:

Security programs


I have provided links to two trusted programs (just choose one).



Avast! (http://www.avast.com/free-antivirus-download)
Microsoft Security Essentials (http://www.microsoft.com/security_essentials/)


Once you have installed the program open it, update it and perform a full system scan.

If anything is detected let me know (post the log) along with a new OTL scan.

ecosarah
2012-04-02, 11:35
Well the angels have finished singing alleluia cos I've had a fright when pev.3XE wanted to enter my trusted zone. Checked, and found it is part of ComboFix, and then it took another 15 mins of me holding my breath to come up with.... (fanfare):

ComboFix 12-03-31.03 - 1 Sarah 02/04/2012 9:40.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1005 [GMT 1:00]
Running from: c:\documents and settings\1 Sarah\Desktop\ComboFix.exe
Command switches used :: /nombr
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Free Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\1 Sarah\Application Data\Desktopicon
c:\documents and settings\1 Sarah\Application Data\Desktopicon\eBay.ico
c:\documents and settings\1 Sarah\Application Data\Desktopicon\uninst.exe
c:\documents and settings\1 Sarah\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\program files\IBM\Updater\ucstartup.exe
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\CF11881.exe
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\pwdmon.dll
c:\windows\system32\regobj.dll
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_npf
.
.
((((((((((((((((((((((((( Files Created from 2012-03-02 to 2012-04-02 )))))))))))))))))))))))))))))))
.
.
2012-03-29 17:50 . 2012-03-29 17:50 -------- d-----w- c:\program files\WinDirStat
2012-03-28 17:59 . 2012-03-28 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2012-03-27 22:34 . 2012-03-27 22:34 -------- d-----w- c:\program files\ESET
2012-03-25 14:07 . 2012-03-25 14:07 -------- dc----w- C:\_OTL
2012-03-18 02:28 . 2012-03-18 02:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-03-17 22:44 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-03-17 22:41 . 2012-03-17 22:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-03-17 18:34 . 2012-03-17 18:34 -------- d-----w- c:\program files\ERUNT
2012-03-17 08:39 . 2012-03-17 08:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 1980-01-01 07:00 1860096 ------w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-20 18:26 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2004-08-09 17:51 139784 ------w- c:\windows\system32\drivers\rdpwd.sys
2009-03-11 19:23 . 2009-03-11 19:15 69076264 -c--a-w- c:\program files\iTunesSetup.exe
2009-02-22 20:52 . 2009-02-22 20:52 270128 -c--a-w- c:\program files\utorrent.exe
2006-10-17 19:52 . 2006-10-17 19:52 2855080 -c----w- c:\program files\aawsepersonal.exe
2005-11-01 12:14 . 2005-11-01 12:12 1148416 -c----w- c:\program files\PA082.exe
2012-01-10 14:18 . 2012-01-10 14:18 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2005-01-24 106496]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-04 94208]
"TP4EX"="tp4ex.exe" [2004-11-12 40960]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-01-21 135168]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 212992]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-24 281768]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-12-18 73360]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-07-01 273544]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\1 Sarah\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-11-04 16:51 108636 ------w- c:\program files\IBM fingerprint software\psfus.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 10:07 262144 ------w- c:\windows\system32\QConGina.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 03:11 24576 ------w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Engine\\Sony Ericsson Update Engine.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [15/08/2005 20:07 14208]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/04/2010 21:31 136360]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [03/11/2011 15:44 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [03/11/2011 15:44 497280]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [12/08/2011 18:13 87040]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [24/12/2010 21:20 27632]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [15/08/2005 20:07 6016]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [15/02/2012 14:30 158856]
S3 APL531;Hercules Dualpix HD Webcam;c:\windows\system32\drivers\HDvidv.sys [24/09/2011 21:22 285952]
S3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [24/09/2011 21:22 103720]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [24/12/2009 21:59 13224]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [13/11/2007 16:50 106624]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [09/10/2007 13:53 59648]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [30/12/2011 14:27 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 19:01 21248]
S3 iadusb;MT882;c:\windows\system32\DRIVERS\glauiad.sys --> c:\windows\system32\DRIVERS\glauiad.sys [?]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [15/08/2005 20:27 12288]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [26/01/2011 18:00 235648]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [04/05/2011 21:16 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [04/05/2011 21:16 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [04/05/2011 21:16 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [04/05/2011 21:16 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [04/05/2011 21:16 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [04/05/2011 21:16 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [04/05/2011 21:16 109736]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [31/12/2009 14:28 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [23/04/2007 14:54 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [23/04/2007 14:54 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [31/12/2009 14:28 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [23/04/2007 14:54 98568]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [23/09/2010 12:09 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [23/09/2010 12:09 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [23/09/2010 12:09 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [23/09/2010 12:09 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [23/09/2010 12:09 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [23/09/2010 12:09 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [23/09/2010 12:09 110120]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [04/05/2011 20:24 155344]
S4 GtDetectSc;GtDetectSc;c:\program files\Option\GlobeTrotter Connect\GtDetectSc.exe [02/04/2009 16:52 543744]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [19/10/2009 08:42 133104]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [19/10/2009 08:42 133104]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-04-02 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-08-15 08:00]
.
2012-04-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3694052557-2359500833-1512941615-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
2012-03-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3694052557-2359500833-1512941615-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.saynoto0870.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Send To &Bluetooth - c:\program files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2516768&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.saynoto0870.com/numbersearch.php
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-UC_Start - c:\program files\IBM\Updater\\ucstartup.exe
AddRemove-eBay Icon - c:\documents and settings\1 Sarah\Application Data\Desktopicon\uninst.exe
AddRemove-{27310A4F-6A97-43C0-928C-FE5313B9949B} - c:\documents and settings\All Users\Application Data\{5BD198FE-6337-4D45-AAF8-F81D83B87D05}\FFOv2011-8_Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-02 09:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(712)
c:\program files\IBM fingerprint software\psfus.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\windows\system32\tphklock.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(768)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(4056)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Virtual Token\vtserver.exe
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\System32\QCONSVC.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
.
**************************************************************************
.
Completion time: 2012-04-02 10:25:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-02 09:25
.
Pre-Run: 1,439,768,576 bytes free
Post-Run: 1,326,112,768 bytes free
.
- - End Of File - - 624A43909A18EB03BE1736D6FBC8BA6C

ecosarah
2012-04-02, 11:39
what I did was copy/paste the command into run and an extra space at the end (I had the middle one in before) came up and it ran!! phew!!

After log came up I opened Firefox and got this msg: Firefox is not currently set as your default browser...

It has been set for years, so I wonder how it got unset during or after running combofix - is this normal?

do you still want screen print of docs and settings?

JonTom
2012-04-02, 18:25
Hello ecosarah

Great job with Combofix :crowned:


"is this normal?"
Yes. You can select Firefox as your default browser once we are done.


"do you still want screen print of docs and settings?"
Yes please, along with the following:

Do you recognise the following file: c:\program files\PA082.exe ?


Please scan the following files


Please go to VirusTotal (http://www.virustotal.com/)


On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the File Upload window which opens, copy and paste this into the File Name box.



c:\program files\PA082.exe


Next, click the Open button.
Then click the "Send File" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now.


Post the link to the Virus total results page in your next reply along with the link to the documents and settings screenshot.

ecosarah
2012-04-03, 22:28
Hi,
Don't recognise that file, tried what you suggested and got "there was an error attempting to upload the file". Tried twice.

Am trying to upload pics of WinDirStat of docs and settings: having trouble, don't know why.

thanks,
sarah

JonTom
2012-04-04, 15:50
Hello ecosarah


"there was an error attempting to upload the file"
Odd. Please make sure that you disable your security programs before scanning the file. Try again with Virus Total and if the file does not scan try this scanner instead:

Jotti

Please scan the files using Jotti's Malware File Scanner by clicking here (http://virusscan.jotti.org/)

Click on the "Browse" button located at the top of the screen.
Navigate to the requested file ().
Click on the file you want to be analysed and then click "open".
You will see your file appear in the text box on the Jotti site.
Click the "Submit" button and wait for your file to be analysed.

Once the file has been analysed, a log will be created. Please post the log for each file that you have scanned in your next reply.



Please download SystemLook by JPShortstuff


Please download SystemLook by JPShortstuff by clicking here (http://jpshortstuff.247fixes.com/SystemLook.exe) or here (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe) and save the file (called SystemLook.exe) to your desktop.
Double click SystemLook.exe to run the program.
Copy the content of the following codebox into the main textfield:


:file
c:\program files\PA082.exe



Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


You mentioned that you uninstalled AVG but there are some leftovers showing in your system log.


Please work through the following steps


Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").

NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.

Copy and Paste the text in the quotebox below into the open Notepad window:


SecCenter::
AV: AVG *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FileLook::
c:\program files\PA082.exe

Skipfix::




Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.

Close any open browsers.

Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Referring to the picture below, drag CFScript.txt into ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif



When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Once the log is produced, re-engage your resident anti virus.


Please post the scan results along with the Systemlook log and the Combofix log in your next reply.

ecosarah
2012-04-04, 22:35
hi JonTom,

Uploaded settings and docs to photobucket. Password is JonTom. URL...

Don't seem to have uploaded...can't find it.... so frustrating...will have to keep trying...

Before I got rid of Avira, it updated and has had no more messages: wonder if it was malware problem, cos it struck me as strange to suddenly say Avira had a newer version and that the old one was no longer protecting. Usually I get warnings for a while, that I need to update newer version.

Jotti is taking forever to upload file: when I browsed for it, it had the symbol of a zip file next to it.

[ArcaVir]
2012-04-04 Found nothing
[Frisk F-Prot Antivirus]
2012-04-04 Found nothing
[Avast! antivirus]
2012-04-04 Found nothing
[F-Secure Anti-Virus]
2012-04-04 Found nothing
[Grisoft AVG Anti-Virus]
2012-04-04 Found nothing
[G DATA]
2012-04-04 Found nothing
[Avira AntiVir]
2012-04-04 Found nothing
[Ikarus]
2012-04-04 Found nothing
[Softwin BitDefender]
2012-04-04 Found nothing
[Kaspersky Anti-Virus]
2012-04-04 Found nothing
[ClamAV]
2012-04-04 Found nothing
[Panda Antivirus]
2012-04-04 Found nothing
[CPsecure]
2012-04-04 Found nothing
[Quick Heal]
2012-04-04 Found nothing
[Dr.Web]
2012-04-04 Found nothing
[Sophos]
2012-04-04 Found nothing
[Emsisoft Anti-Malware]
2012-04-04 Found nothing
[VirusBlokAda VBA32]
2012-04-04 Found nothing
[ESET]
2012-04-04 Found nothing
[VirusBuster]
2012-04-04 Found nothing

File size: 1148416 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 3f0bdc06fbe6fdbe48870d6f40fbfb35
SHA1: b30195452ae378f931a5162a85aba55d5cb8f813


Filename: PA082.exe
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 4 Apr 2012 22:25:21 (CET) Permalink

Wasn't sure what to post, so posted all of Jotti

SystemLook 30.07.11 by jpshortstuff
Log created at 21:22 on 04/04/2012 by 1 Sarah
Administrator - Elevation successful

========== file ==========

c:\program files\PA082.exe - File found and opened.
MD5: 3F0BDC06FBE6FDBE48870D6F40FBFB35
Created at 12:12 on 01/11/2005
Modified at 12:14 on 01/11/2005
Size: 1148416 bytes
Attributes: -----c-
No version information available.

-= EOF =-

thanks!!:D:

ecosarah
2012-04-04, 23:10
settings and docs are here:
http://s760.photobucket.com/albums/xx245/eco-sarah/

password JonTom

will do combo fix now

ecosarah
2012-04-04, 23:30
Hi JonTom,

Combofix seems to be up to its old tricks, and although the clock is still going, the thing appears stuck with no light on the hd.

Also, can you let me know when I can remove the photos from photobucket, as I am wanting to post some photos of a vehicle for another forum, and don't want people seeing my computer contents! :lip:

thanks :santa:

JonTom
2012-04-05, 20:08
Hello ecosarah


"can you let me know when I can remove the photos from photobucket"
You can remove them now. Your hard drive appears to be full with pictures and music files. The drive itself is quite small, which is the most likely explanation as to why it is full.


"Drive C: | 33.29 Gb Total Space | 1.09 Gb Free Space | 3.27% Space Free | Partition Type: NTFS"
1 GB of free drive space. Windows needs around 10% of HD space completely free for performance reasons.

If you have many music files and pictures you need to keep, it may be worthwhile investing in a new hard drive or an external storage device.


One short-term way of releasing a little space would be to check whether the hibernation facility is enabled on your machine and disable it (your hiberfil.sys file is currently very large).

If you would like to try this:


Click on "Start" then on "Control Panel" then double-click on Power Options.
Click the Hibernate tab, de-select the 'Enable hibernate support' check box, and then click Apply.
Restart your computer and hiberfil.sys should be automatically deleted.
If you change your mind in the future and would like to use hibernation, go back to the Hibernate tab as described in the first three steps and check the box 'enable hibernation'.



"Wasn't sure what to post, so posted all of Jotti"

You did the right thing :)

Although the file appears to be clean, it is still my belief that it is slightly unusual/suspicious. Were it me I would move the file to my recycle bin and leave it there for a week or so. If there are no ill effects after that time it could then be removed.


Security Check


Please download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe) and save the file (called securitycheck.exe) to your desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box (NOTE: If you are running Vista or Win7 please Right click and select "Run as Administrator").
A Notepad document should open automatically called checkup.txt; please post the contents of that document in your next reply.


Please post the security check log and a new OTL scan log in your next reply.

ecosarah
2012-04-06, 21:53
Hi,
I use hibernate, so I'm reluctant to remove it. Yes, there is only 1Gb free on the HD, and you say it is because of the size of my music and pictures? I don't understand, as they only add up to 7.6 and 2.6 Gig = 10.4Gb, and Thunderbird is next biggest at 2.5 Gig. That is not that big compared to 32Gb. Although there is obviously lots of other stuff, the whole of my docs is 14 Gb if I remember correctly, and with progs, 17? What I am puzzled by is why I only have 1 Gb free.

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
ZoneAlarm Firewall
ZoneAlarm Free
ZoneAlarm Toolbar
ZoneAlarm Spy Blocker
ZoneAlarm Security
Antivirus out of date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:
WinPatrol 2008 (Outdated! Latest version is WinPatrol 2011)
Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner
IBM 32-bit Runtime Environment for Java 2, v1.4.2
Java(TM) 6 Update 24
IBM 32-bit Runtime Environment for Java 2, v1.4.2
Java version out of date!
Adobe Flash Player 11.1.102.55
Adobe Reader X (10.1.2)
Mozilla Firefox (9.0.1)
Mozilla Thunderbird (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent
WinPatrol winpatrol.exe is disabled!
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
CheckPoint ZoneAlarm vsmon.exe
CheckPoint ZoneAlarm zatray.exe
``````````End of Log````````````


thanks
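The Security Check log above flags weak spots in fixed phrases ("Disabled!", "out of date!", "Outdated! Latest version is ...", "is disabled!"). As an added example, not part of this thread or of screen317's tool, here is a small Python triage parser that splits such a log into its sections, extracts those warnings, and marks the "Windows Firewall Disabled!" line as mitigated when a third-party firewall is listed in the same section (as ZoneAlarm is here); the sample log is constructed in the same layout.

```python
import re
from typing import Dict, List

SEP = "`" * 30  # Security Check separates sections with a run of backticks
END_OF_LOG = "`" * 10 + "End of Log" + "`" * 12

# Constructed sample in the layout of the screen317 Security Check log posted
# in the thread (the values mirror that log; this text is assembled here, not
# captured from a tool run).
SAMPLE_LOG = "\n".join([
    "Results of screen317's Security Check version 0.99.32",
    "Windows XP Service Pack 3 x86",
    SEP,
    "Antivirus/Firewall Check:",
    "Windows Firewall Disabled!",
    "Avira AntiVir Personal - Free Antivirus",
    "ZoneAlarm Firewall",
    "Antivirus out of date! (On Access scanning disabled!)",
    SEP,
    "Anti-malware/Other Utilities Check:",
    "WinPatrol 2008 (Outdated! Latest version is WinPatrol 2011)",
    "Java(TM) 6 Update 24",
    "Java version out of date!",
    SEP,
    "Process Check:",
    "objlist.exe by Laurent",
    "WinPatrol winpatrol.exe is disabled!",
    END_OF_LOG,
])

SEPARATOR_RE = re.compile(r"^`+(?:End of Log`*)?$")
SECTION_RE = re.compile(r"^(.+ Check):$")

# Each rule maps one of the tool's warning phrases to a finding kind; group 1,
# where present, is kept as the finding's detail.
FINDING_RULES = [
    (re.compile(r"^Windows Firewall Disabled!"), "windows-firewall-disabled"),
    (re.compile(r"^Antivirus out of date!"), "antivirus-outdated"),
    (re.compile(r"On Access scanning disabled!"), "realtime-scan-disabled"),
    (re.compile(r"^Java version out of date!"), "java-outdated"),
    (re.compile(r"\(Outdated! Latest version is ([^)]+)\)"), "program-outdated"),
    (re.compile(r"(\S+\.exe) is disabled!"), "process-disabled"),
]


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split the log into its named 'Check' sections; lines before the first
    section header are kept under 'header'."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR_RE.match(line):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def find_warnings(sections: Dict[str, List[str]]) -> List[dict]:
    """Apply FINDING_RULES to every section line; a line carrying two warning
    phrases (as the Avira line does) yields two findings."""
    findings: List[dict] = []
    for name, lines in sections.items():
        if name == "header":
            continue
        for line in lines:
            for rx, kind in FINDING_RULES:
                m = rx.search(line)
                if m:
                    findings.append({"section": name, "kind": kind, "line": line,
                                     "detail": m.group(1) if m.groups() else None,
                                     "mitigated": False})
    return findings


def triage(text: str) -> List[dict]:
    """Parse a Security Check log and return its warnings. The Windows Firewall
    warning is marked mitigated when a third-party firewall (any other line
    ending in 'Firewall') is listed in the same section."""
    sections = parse_sections(text)
    findings = find_warnings(sections)
    fw_lines = sections.get("Antivirus/Firewall Check", [])
    third_party_fw = any(l.endswith("Firewall") and not l.startswith("Windows Firewall")
                         for l in fw_lines)
    for f in findings:
        if f["kind"] == "windows-firewall-disabled" and third_party_fw:
            f["mitigated"] = True
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        note = " (mitigated: third-party firewall listed)" if f["mitigated"] else ""
        print(f"[{f['section']}] {f['kind']}: {f['line']}{note}")
```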

JonTom
2012-04-07, 12:40
Hello ecosarah

Please post another OTL scan log as requested.

Also, let me know if you are still getting the PWS:win32/zbot.gen!AC warning, and if there are any remaining symptoms (popups, redirects, error messages etc).

ecosarah
2012-04-08, 12:22
Hi JonTom,

Didn't have a warning about the Zbot more than the time I told you about. I didn't have any more symptoms except the strange thing with Avira that I told you about. However, I haven't been using the computer except to do what you've asked, cos I presumed it's not safe. Are you suggesting I use it now?

I didn't notice the request for the OTL log! Will do it when next with the computer; am probably away till Tue now.

Thanks, Sarah

JonTom
2012-04-08, 15:34
Hello ecosarah

Browse to a small number of trusted sites to see how things are running.

Let me know how it goes and post the OTL log in your next reply.

ecosarah
2012-04-11, 00:29
OTL logfile created on: 10/04/2012 20:42:02 - Run 3
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\1 Sarah\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.49 Gb Total Physical Memory | 0.76 Gb Available Physical Memory | 51.25% Memory free
2.83 Gb Paging File | 2.19 Gb Available in Paging File | 77.26% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.29 Gb Total Space | 1.16 Gb Free Space | 3.47% Space Free | Partition Type: NTFS

Computer Name: MAXIMILLION | User Name: 1 Sarah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/24 18:34:51 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1 Sarah\Desktop\OTL.com
PRC - [2012/01/10 15:18:08 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/12/18 22:08:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
PRC - [2011/12/18 22:04:24 | 000,073,360 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
PRC - [2011/11/03 15:44:28 | 000,497,280 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2011/11/03 15:44:24 | 000,738,944 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2011/08/12 18:13:26 | 000,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
PRC - [2011/07/01 20:47:23 | 000,490,112 | ---- | M] (RealNetworks, Inc.) -- c:\Program Files\Real\realplayer\realplay.exe
PRC - [2011/07/01 20:47:15 | 000,273,544 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\realplayer\Update\realsched.exe
PRC - [2011/07/01 20:10:23 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/04/30 09:52:26 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/12/24 13:02:23 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/03/18 11:07:00 | 000,086,016 | ---- | M] (IBM Corp.) -- C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
PRC - [2005/03/18 11:07:00 | 000,077,824 | ---- | M] (IBM Corp.) -- C:\WINDOWS\system32\QCONSVC.EXE
PRC - [2005/03/04 01:10:32 | 000,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
PRC - [2004/12/16 12:49:44 | 000,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
PRC - [2004/12/16 12:40:40 | 000,036,864 | ---- | M] () -- C:\IBMTOOLS\eGatherer\launcheg.exe
PRC - [2004/11/04 17:47:04 | 000,040,547 | ---- | M] (UPEK Inc.) -- C:\Program Files\Common Files\Virtual Token\vtserver.exe
PRC - [2004/09/07 00:03:52 | 000,077,824 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
PRC - [2003/07/12 02:19:22 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
PRC - [2002/01/10 23:01:34 | 000,065,536 | ---- | M] (IBM Corporation) -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/10 15:18:04 | 002,124,760 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/08/12 18:13:26 | 000,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
MOD - [2010/01/28 12:57:58 | 000,355,688 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2006/03/09 19:45:36 | 000,081,920 | R--- | M] () -- C:\Program Files\Common Files\Teleca Shared\boost_log-vc71-mt-1_33.dll
MOD - [2005/03/19 07:10:38 | 000,028,672 | ---- | M] () -- C:\Program Files\ThinkPad\ConnectUtilities\Res\US\IconRes.dll
MOD - [2005/03/04 01:10:32 | 000,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
MOD - [2005/01/21 09:00:00 | 000,065,536 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWRMGRIF.DLL
MOD - [2005/01/21 09:00:00 | 000,032,768 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRT.DLL
MOD - [2004/12/16 12:49:44 | 000,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
MOD - [2004/12/16 12:40:40 | 000,036,864 | ---- | M] () -- C:\IBMTOOLS\eGatherer\launcheg.exe
MOD - [2004/11/24 10:10:00 | 000,036,864 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\EZMAPRES.DLL
MOD - [2004/09/07 00:03:52 | 000,077,824 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
MOD - [2004/08/17 20:28:12 | 000,225,280 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\tpfnf7.dll
MOD - [2004/08/13 04:11:26 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\tphklock.dll
MOD - [2003/07/12 02:19:22 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
MOD - [2003/07/04 07:49:30 | 000,024,576 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY_2\tphk_2k.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\PsaSrv.exe -- (PsaSrv)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/02/15 14:30:18 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2011/12/18 22:08:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2011/11/03 15:44:28 | 000,497,280 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe -- (IswSvc)
SRV - [2011/08/12 18:13:26 | 000,087,040 | ---- | M] () [Auto | Running] -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)
SRV - [2011/07/01 20:10:23 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/06/29 15:59:18 | 000,155,344 | ---- | M] (Avanquest Software) [On_Demand | Stopped] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe -- (Sony Ericsson PCCompanion)
SRV - [2011/06/26 07:45:56 | 000,256,000 | R--- | M] () [Auto | Stopped] -- C:\ComboFix\pev.3XE -- (PEVSystemStart)
SRV - [2011/04/30 09:52:26 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/04/02 16:52:56 | 000,543,744 | ---- | M] (OptionNV) [Disabled | Stopped] -- C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe -- (GtDetectSc)
SRV - [2008/08/29 11:01:22 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus(R) Helper) getPlus(R)
SRV - [2005/03/18 11:07:00 | 000,077,824 | ---- | M] (IBM Corp.) [Auto | Running] -- C:\WINDOWS\system32\QCONSVC.EXE -- (QCONSVC)
SRV - [2004/12/16 12:49:44 | 000,385,024 | ---- | M] () [Auto | Running] -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe -- (IBM Rapid Restore Ultra Service)
SRV - [2004/11/04 17:47:04 | 000,040,547 | ---- | M] (UPEK Inc.) [Auto | Running] -- C:\Program Files\Common Files\Virtual Token\vtserver.exe -- (vtserver)
SRV - [2004/10/01 23:06:34 | 000,163,840 | ---- | M] (Broadcom Corporation) [On_Demand | Stopped] -- C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2003/07/12 02:19:22 | 000,032,768 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Boot | Stopped] -- system32\ZoneLabs\srescan.sys -- (srescan)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\LVCD.sys -- (QCDonner) Logitech QuickCam Express(PID_0840)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\glauiad.sys -- (iadusb)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\adiusbaw.sys -- (adiusbaw)
DRV - File not found [Kernel | Auto | Stopped] -- System32\Drivers\adildr.sys -- (ADILOADER) General Purpose USB Driver (adildr.sys)
DRV - [2011/12/18 22:04:24 | 000,525,840 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (Vsdatant)
DRV - [2011/11/03 15:44:20 | 000,027,016 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2011/07/01 20:10:25 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/07/01 20:10:25 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/22 19:01:50 | 000,021,248 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\htcnprot.sys -- (htcnprot)
DRV - [2009/12/24 21:57:13 | 000,025,512 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggsemc.sys -- (ggsemc)
DRV - [2009/12/24 21:57:13 | 000,013,224 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggflt.sys -- (ggflt)
DRV - [2009/06/10 01:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys -- (HTCAND32)
DRV - [2009/05/11 11:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/10/21 09:22:48 | 000,114,600 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017mdm.sys -- (s0017mdm)
DRV - [2008/10/21 09:22:48 | 000,109,736 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017unic.sys -- (s0017unic) Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM)
DRV - [2008/10/21 09:22:48 | 000,108,328 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017mgmt.sys -- (s0017mgmt) Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM)
DRV - [2008/10/21 09:22:48 | 000,104,616 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017obex.sys -- (s0017obex)
DRV - [2008/10/21 09:22:48 | 000,086,824 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017bus.sys -- (s0017bus) Sony Ericsson Device 0017 driver (WDM)
DRV - [2008/10/21 09:22:48 | 000,026,024 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017nd5.sys -- (s0017nd5) Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS)
DRV - [2008/10/21 09:22:48 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017mdfl.sys -- (s0017mdfl)
DRV - [2008/04/13 19:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/02/18 17:14:38 | 000,106,624 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Gt51Ip.sys -- (GT72NDISIPXP)
DRV - [2008/02/08 13:00:22 | 000,059,648 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gt72ubus.sys -- (GT72UBUS)
DRV - [2008/02/01 16:43:22 | 000,103,720 | ---- | M] (Guillemot Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\camfilt2.sys -- (camfilt2)
DRV - [2008/01/09 13:28:34 | 000,027,632 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\seehcri.sys -- (seehcri)
DRV - [2007/12/10 14:22:22 | 000,110,120 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017unic.sys -- (s3017unic) Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM)
DRV - [2007/12/10 14:22:22 | 000,100,648 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017obex.sys -- (s3017obex)
DRV - [2007/12/10 14:22:20 | 000,104,616 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017mgmt.sys -- (s3017mgmt) Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM)
DRV - [2007/12/10 14:22:20 | 000,025,512 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017nd5.sys -- (s3017nd5) Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS)
DRV - [2007/12/10 14:22:18 | 000,110,632 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017mdm.sys -- (s3017mdm)
DRV - [2007/12/10 14:22:18 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017mdfl.sys -- (s3017mdfl)
DRV - [2007/12/10 14:22:14 | 000,083,880 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017bus.sys -- (s3017bus) Sony Ericsson Device 3017 driver (WDM)
DRV - [2007/07/13 10:45:08 | 000,285,952 | ---- | M] (Akkord Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HDvidv.sys -- (APL531)
DRV - [2007/06/14 18:34:00 | 000,457,856 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PAC7302.SYS -- (PAC7302)
DRV - [2007/05/21 08:29:26 | 000,235,648 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8187.sys -- (RTLWUSB)
DRV - [2007/04/23 16:54:50 | 000,100,488 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115mgmt.sys -- (s115mgmt) Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/23 16:54:46 | 000,083,208 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115bus.sys -- (s115bus) Sony Ericsson Device 115 driver (WDM)
DRV - [2007/04/23 14:54:50 | 000,098,568 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115obex.sys -- (s115obex)
DRV - [2007/04/23 14:54:48 | 000,108,680 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115mdm.sys -- (s115mdm)
DRV - [2007/04/23 14:54:48 | 000,015,112 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115mdfl.sys -- (s115mdfl)
DRV - [2007/04/03 14:57:54 | 000,099,080 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116unic.sys -- (s116unic) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM)
DRV - [2007/04/03 14:57:52 | 000,098,696 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116obex.sys -- (s116obex)
DRV - [2007/04/03 14:57:52 | 000,023,176 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116nd5.sys -- (s116nd5) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS)
DRV - [2007/04/03 14:57:50 | 000,100,488 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116mgmt.sys -- (s116mgmt) Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/03 14:57:48 | 000,108,680 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116mdm.sys -- (s116mdm)
DRV - [2007/04/03 14:57:48 | 000,015,112 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116mdfl.sys -- (s116mdfl)
DRV - [2007/04/03 14:57:42 | 000,083,336 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116bus.sys -- (s116bus) Sony Ericsson Device 116 driver (WDM)
DRV - [2007/03/30 13:38:14 | 000,008,064 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gtptser.sys -- (GTPTSER)
DRV - [2005/08/15 20:25:50 | 000,013,184 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2005/03/18 11:07:00 | 000,012,288 | ---- | M] (IBM Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qcndisif.sys -- (QCNDISIF)
DRV - [2005/03/18 11:07:00 | 000,011,520 | ---- | M] (IBM Corp.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ANC.sys -- (ANC)
DRV - [2005/03/18 11:07:00 | 000,002,432 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\IBMBLDID.SYS -- (IBMTPCHK)
DRV - [2005/02/14 16:00:10 | 003,255,168 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
DRV - [2005/02/11 10:22:48 | 000,081,728 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\k750mgmt.sys -- (k750mgmt)
DRV - [2005/02/11 10:19:20 | 000,055,216 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\k750bus.sys -- (k750bus) Sony Ericsson 750 driver (WDM)
DRV - [2005/01/21 09:40:00 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SMAPINT.SYS -- (Smapint)
DRV - [2005/01/21 09:40:00 | 000,009,340 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
DRV - [2005/01/21 09:00:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2004/12/16 12:12:20 | 000,063,616 | ---- | M] (IBM) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ibmfilter.sys -- (ibmfilter)
DRV - [2004/12/07 01:55:20 | 000,126,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/12/03 00:14:44 | 000,014,208 | ---- | M] (IBM Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\TPDiskPM.sys -- (TPDiskPM)
DRV - [2004/12/02 23:54:12 | 000,006,016 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TPInput.sys -- (TPInput)
DRV - [2004/12/01 10:33:00 | 000,007,168 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2004/11/11 00:47:30 | 000,200,448 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/11/11 00:46:24 | 000,685,184 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/11/11 00:45:50 | 001,041,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/10/15 18:20:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/10/01 22:51:46 | 000,017,024 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2004/10/01 22:48:30 | 001,241,482 | ---- | M] (Broadcom Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2004/10/01 22:47:06 | 000,147,896 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2004/10/01 22:44:22 | 000,030,299 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2004/10/01 22:43:44 | 000,054,488 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2004/08/04 13:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/04 13:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/05/19 21:41:26 | 000,013,757 | ---- | M] (National Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NscTpmDD.sys -- (portio)
DRV - [2003/12/08 11:53:48 | 000,053,600 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcan5wn.sys -- (alcan5wn) SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)
DRV - [2003/12/08 11:53:46 | 000,070,688 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcaudsl.sys -- (alcaudsl)
DRV - [2002/02/19 13:06:28 | 000,021,019 | ---- | M] (Magic Control Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\u2s2kxp.sys -- (U2SP) USB to Serial Converter Driver(Philips)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.saynoto0870.com/
IE - HKCU\..\SearchScopes,DefaultScope = {78F909E2-E4DC-4AF1-8FD7-B411278EEC6D}
IE - HKCU\..\SearchScopes\{04E563C9-734C-41AE-A368-E84AB98DF7A7}: "URL" = http://www.bing.com/search?q={searchTerms}&form=IE0006
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{78F909E2-E4DC-4AF1-8FD7-B411278EEC6D}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "Messenger Plus Live UK Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2516768&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.saynoto0870.com/numbersearch.php"
FF - prefs.js..extensions.enabledItems: {53c4d698-0a74-873e-7946-7d19bb035667}:2.6
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19.1
FF - prefs.js..extensions.enabledItems: feedbar@efinke.com:5.0
FF - prefs.js..extensions.enabledItems: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}:7.0.3.0
FF - prefs.js..extensions.enabledItems: {c33c5b47-69c8-45a4-a5e0-af85bbe628dd}:1.6.1.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: CompactMenuCE@Merci.chao:4.2.1
FF - prefs.js..extensions.enabledItems: isreaditlater@ideashower.com:2.1.1
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.5
FF - prefs.js..extensions.enabledItems: reliby@gemal.dk:1.5.0
FF - prefs.js..extensions.enabledItems: {1f91cde0-c040-11da-a94d-0800200c9a66}:4.1
FF - prefs.js..extensions.enabledItems: savesession@noasobi.net:1.3.1.6
FF - prefs.js..extensions.enabledItems: {53A03D43-5363-4669-8190-99061B2DEBA5}:1.3.7
FF - prefs.js..extensions.enabledItems: firefox-extension@shareaholic.com:2.2.0
FF - prefs.js..extensions.enabledItems: {BEDED222-EAEC-11DA-9B41-B622A1EF5492}:1.0.12
FF - prefs.js..extensions.enabledItems: smartbookmarksbar@remy.juteau:1.4.3
FF - prefs.js..extensions.enabledItems: {64161300-e22b-11db-8314-0800200c9a66}:0.9.5.8
FF - prefs.js..extensions.enabledItems: taboo@runningfrombears.com:0.6.1
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119091315
FF - prefs.js..extensions.enabledItems: zotero@chnm.gmu.edu:2.0.9
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.652: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.652: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/07/01 20:48:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2012/03/17 23:42:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/10 15:18:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/03/29 09:54:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 9.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/01/11 13:59:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012/01/12 16:17:14 | 000,000,000 | ---D | M]

[2008/07/01 20:15:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Extensions
[2012/04/06 20:10:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions
[2011/12/09 11:41:53 | 000,000,000 | ---D | M] (iMacros for Firefox) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
[2010/12/23 23:31:05 | 000,000,000 | ---D | M] (British English Dictionary) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2011/11/07 18:47:35 | 000,000,000 | ---D | M] ("MemberPlugin") -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\MemberPlugin@edward.hibbert
[2010/02/09 21:50:18 | 000,000,000 | ---D | M] (Reliby) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\reliby@gemal.dk
[2009/07/22 11:32:24 | 000,000,000 | ---D | M] (Save Session) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\savesession@noasobi.net
[2012/03/03 06:46:54 | 000,000,000 | ---D | M] (Zotero) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\zotero@chnm.gmu.edu
[2011/09/25 19:28:32 | 000,002,220 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\amabay-uk.xml
[2012/03/16 23:22:21 | 000,002,570 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\amazon-decouk.xml
[2010/02/06 23:17:22 | 000,000,947 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\conduit.xml
[2011/09/25 19:29:34 | 000,011,430 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\ebaycouk-search.xml
[2008/06/25 13:48:35 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\wikipedia-en.xml
[2011/07/09 21:01:05 | 000,002,323 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\youtube-ssl.xml
[2012/01/10 15:19:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/03/02 21:33:30 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\1 SARAH\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\WYOR7N6S.DEFAULT\EXTENSIONS\PBUPLOAD@PHOTOBUCKET.COM.XPI
[2012/01/10 15:18:11 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/02/02 22:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/01/10 15:17:49 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/10 15:17:49 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google ()
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}

O1 HOSTS File: ([2012/04/02 09:55:39 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (IBM Corp.)
O4 - HKLM..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TP4EX] C:\WINDOWS\System32\TP4EX.exe (IBM Corporation)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (IBM Corp.)
O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
O4 - Startup: C:\Documents and Settings\1 Sarah\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BDC00D27-CAA4-4564-8568-4160324D1BAF}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (Broadcom Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\psfus: DllName - (C:\Program Files\IBM fingerprint software\psfus.dll) - C:\Program Files\IBM fingerprint software\psfus.dll (UPEK Inc.)
O20 - Winlogon\Notify\QConGina: DllName - (QConGina.dll) - C:\WINDOWS\System32\QConGina.dll (IBM Corp.)
O20 - Winlogon\Notify\tphotkey: DllName - (tphklock.dll) - C:\WINDOWS\System32\tphklock.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/10/06 07:35:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/05 12:46:59 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/04/03 19:49:43 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/04/01 14:38:28 | 004,452,445 | R--- | C] (Swearware) -- C:\Documents and Settings\1 Sarah\Desktop\ComboFix.exe
[2012/03/29 18:50:38 | 000,000,000 | ---D | C] -- C:\Program Files\WinDirStat
[2012/03/29 18:50:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\1 Sarah\Start Menu\Programs\WinDirStat
[2012/03/29 18:47:40 | 000,645,729 | ---- | C] (WDS Team) -- C:\Documents and Settings\1 Sarah\Desktop\windirstat1_1_2_setup.exe
[2012/03/28 18:59:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2012/03/28 18:57:35 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\1 Sarah\Desktop\MGADiag.exe
[2012/03/27 23:34:15 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/03/25 15:27:36 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/25 15:27:36 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/25 15:27:36 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/25 15:27:36 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/25 15:07:03 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/03/24 18:34:21 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\1 Sarah\Desktop\OTL.com
[2012/03/23 23:35:11 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\1 Sarah\Desktop\aswMBR.exe
[2012/03/18 03:28:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2012/03/17 23:44:56 | 000,237,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2012/03/17 23:41:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2012/03/17 19:39:30 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\1 Sarah\Desktop\dds.scr
[2012/03/17 19:34:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/03/17 19:34:09 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/03/17 19:33:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2012/03/17 09:58:44 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\1 Sarah\Recent
[2012/03/17 09:39:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trusteer

========== Files - Modified Within 30 Days ==========

[2012/04/06 20:32:18 | 000,879,714 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Desktop\SecurityCheck.exe
[2012/04/06 20:09:38 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/06 20:08:44 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3694052557-2359500833-1512941615-1005.job
[2012/04/06 20:08:37 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2012/04/06 20:08:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/06 20:08:19 | 1600,638,976 | -HS- | M] () -- C:\hiberfil.sys
[2012/04/04 21:21:55 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Desktop\SystemLook.exe
[2012/04/02 09:55:39 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/04/01 14:38:39 | 004,452,445 | R--- | M] (Swearware) -- C:\Documents and Settings\1 Sarah\Desktop\ComboFix.exe
[2012/03/30 17:22:17 | 000,000,794 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/03/29 18:47:42 | 000,645,729 | ---- | M] (WDS Team) -- C:\Documents and Settings\1 Sarah\Desktop\windirstat1_1_2_setup.exe
[2012/03/29 10:58:47 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3694052557-2359500833-1512941615-1005.job
[2012/03/29 10:05:03 | 087,031,672 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Desktop\avira_free_antivirus_en.exe
[2012/03/28 19:04:29 | 000,458,240 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Desktop\CKScanner.exe
[2012/03/28 18:57:39 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\1 Sarah\Desktop\MGADiag.exe
[2012/03/25 15:18:06 | 000,435,154 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/25 15:18:06 | 000,068,892 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/25 15:05:45 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/03/24 18:34:51 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1 Sarah\Desktop\OTL.com
[2012/03/23 23:36:11 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\1 Sarah\Desktop\aswMBR.exe
[2012/03/17 22:21:13 | 000,262,232 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/17 22:11:28 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/17 19:39:38 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\1 Sarah\Desktop\dds.scr
[2012/03/17 19:34:11 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Desktop\ERUNT.lnk
[2012/03/17 19:33:01 | 000,000,962 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/03/17 10:01:40 | 000,582,406 | ---- | M] () -- C:\Documents and Settings\1 Sarah\My Documents\cc_backup changes 17.3.12.reg

========== Files Created - No Company Name ==========

[2012/04/06 20:32:11 | 000,879,714 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Desktop\SecurityCheck.exe
[2012/03/29 10:58:47 | 000,000,282 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3694052557-2359500833-1512941615-1005.job
[2012/03/29 10:58:46 | 000,000,290 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3694052557-2359500833-1512941615-1005.job
[2012/03/29 10:02:53 | 087,031,672 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Desktop\avira_free_antivirus_en.exe
[2012/03/28 19:04:29 | 000,458,240 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Desktop\CKScanner.exe
[2012/03/27 23:24:20 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Desktop\SystemLook.exe
[2012/03/25 15:27:36 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/25 15:27:36 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/25 15:27:36 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/25 15:27:36 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/25 15:27:36 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/17 23:41:22 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2012/03/17 22:11:06 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/03/17 19:34:46 | 000,000,794 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/03/17 19:34:11 | 000,000,603 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Desktop\ERUNT.lnk
[2012/03/17 19:33:01 | 000,000,962 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/03/17 10:00:57 | 000,582,406 | ---- | C] () -- C:\Documents and Settings\1 Sarah\My Documents\cc_backup changes 17.3.12.reg
[2012/03/06 10:21:41 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2012/02/20 19:26:17 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/10/10 11:28:05 | 000,000,302 | ---- | C] () -- C:\WINDOWS\System32\Remover.ini
[2011/09/24 21:22:09 | 003,600,384 | ---- | C] () -- C:\WINDOWS\ffmpeg.exe
[2010/05/05 21:26:20 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/04/11 20:50:23 | 000,000,272 | ---- | C] () -- C:\WINDOWS\_delis32.ini

< End of report >

ecosarah
2012-04-11, 00:41
been surfing a craft site: is fine. slow: which is normal, tho sometimes the laptop was so slow it ground to a halt, and I re-hibernated, then tried again.

as I didn't notice a difference when I got the trojan, I can't tell if it's all ok now. :laugh:

:present:

JonTom
2012-04-11, 18:03
Hello ecosarah

Your latest OTL log appears to be clean.

The following may help with your system speed issues:

Defragment your hard drive


Download and run Auslogics Disc Defragmenter.
You can find it here (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.auslogics.com%2Fen%2Fsoftware%2Fdisk-defrag%2Fdownload).



StartupLite


You may wish to try StartupLite. Simply download this tool to your desktop and run it.
It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup.
This will result in fewer programs running when you boot your system, and should improve performance.
You can find it here (http://www.malwarebytes.org/startuplite.php).



More information can be found in the link below:

http://www.bleepingcomputer.com/forums/index.php?showtopic=87058&view=findpost&p=487112

Let's remove our tools and get you updated in the steps below:


Please Uninstall Combofix


Click on "Start" and then on "Run".
Now type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall", it needs to be there.



Please perform the following cleanup procedure


Double click on the OTL.exe icon on your desktop to run the program.
Once OTL has opened, click on the "CleanUp!" button.
Follow any prompts that you receive.



Removal of Tools


You no longer need Systemlook, MGADiag, CKScanner or WinDirStat. Please delete them from your machine.



Please update your Java


To update your Java, Click on "Start" then on "Control Panel" and then on the Java icon (looks like a coffee cup).
In the window that opens, click on the "Update" tab, and then on "Update Now".
Your Java should begin to update. Please follow any prompts that you receive.


Your WinPatrol is out of date


Your WinPatrol (2008) is outdated and ought to be uninstalled.
You can get the latest version of WinPatrol from here (http://www.winpatrol.com/).



Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.


Finally, please take the time to read through the information provided below:

Enhance your System Security

For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here. (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)

IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
Once complete, remember to re-engage your resident security before going online.

Web Browsers and Browser Security

Firefox

You can download Firefox from here. (http://www.mozilla.com/en-US/firefox/)


No-Script

If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
You can download No-Script by clicking here. (https://addons.mozilla.org/en-US/firefox/addon/722)


Internet Explorer

The newest version of Internet Explorer is available from here. (http://www.microsoft.com/windows/internet-explorer/?ocid=ie8_s_94735d11-65d1-4bb8-bf6f-72d7b059a928)
Please Note: IE9 is not configured to run on XP machines.


SpywareBlaster

If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
You can download SpywareBlaster by clicking here. (http://www.javacoolsoftware.com/sbdownload.html)

Web of Trust

When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
You can download Web of Trust by clicking here. (http://www.mywot.com/)


Keep your Software Updated

Outdated software can sometimes have vulnerabilities that are exploitable by malware.
Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here. (http://secunia.com/vulnerability_scanning/online/)


Passwords

Learn how to create strong passwords by clicking here (http://www.microsoft.com/protect/yourself/password/create.mspx) and test the strength of the passwords you already use by clicking here. (http://www.microsoft.com/protect/yourself/password/checker.mspx)


General Reading

PC Safety and Security - What do I need? (http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html)

How to prevent Malware (by Miekiemoes) (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)


Learn How To Combat Malware

Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here. (http://forums.whatthetech.com/What_Tech_Classroom_t80368.html)

ecosarah
2012-04-12, 00:43
Hi JonTom,

I think you are saying that you have helped me remove all the malware? did you find much?

according to the report, defrag didn't do much

Disk Size 33.29 GB
Free Space Size 1.00 GB
Clusters 8726122
Sectors per cluster 8
Bytes per sector 512
Started defragmentation 11/04/2012 21:14:59
Completed defragmentation 11/04/2012 21:18:29
Elapsed time 00:03:29
Total Files 83064
Total Directories 11993
Fragmented Files 8947
Defragmented Files 1686
Skipped Files 7261
Fragmentation Before 42.39% ||||||||||||||||||||||
Fragmentation After 42.12% ||||||||||||||||||||||

StartupLite: one unnecessary start-up found & removed

when I re-started after Cleanup, several of the progs we used disappeared off the desktop: including CKScanner, SystemLook, WinDirStat (tho the last was in prog files, so I uninstalled). also the msg about Avira being out of date has returned (will follow your earlier advice for this).

am deleting MGADiag from desktop, what about: ERUNT, Security Check, aswMBR? notice ESET in my add/remove list: did we put this on?

am installing WinPatrol from the link, is that a realtime antivirus? or do I want it running all the time?

something strange maybe going on with wifi: it just said it was having trouble connecting to "friends birmingham". We are the only wifi available, and we are called Thompsonxxxx, this was a weird message especially as it sounds like a community network in Birmingham, which is 200 miles away.

thanks for all the work you have put into helping me: I shall be really pleased if I can use this laptop again!!

:thanks: :bigthumb:

sarah

JonTom
2012-04-12, 01:16
Hello ecosarah


"I think you are saying that you have helped me remove all the malware?"
I believe so. As far as I can tell your system logs look clean. I am not convinced that your drive issues are malware related. We removed some minor bits and pieces and Combofix also removed one or two things from the machine.


"when i re-started after Cleanup, several of the progs we used disappeared off desktop"
That's normal :)


"security check, aswMBR? notice ESET in my add/remove file"
Those can be removed/uninstalled. ERUNT was already installed on your machine when you first posted. If you do not want to keep it that's up to you, but a backup of your registry may come in handy in the future.


"am installing winpatrol from link, is that a realtime antivirus?"
WinPatrol is not an antivirus. It blocks unauthorised changes from being made to the system registry.


"something strange mayb going on with wifi"
Networking is not my strong point so should you require any additional support for this issue I recommend you contact our sister site (What The Tech).

WTT Networking Forum (http://forums.whatthetech.com/index.php?showforum=128)

WTT General Hardware Forum (http://forums.whatthetech.com/index.php?showforum=126)

Best wishes

JonTom

ecosarah
2012-04-12, 13:57
Hi JonTom,

It looks like we are done here and I am very very grateful to you. :present: :rockon:

I just want to check one thing and because I don't know how to use the quote facility, I will copy and paste:

"I am not convinced that your drive issues are malware related."

Do you mean we've got rid of the PWS:win32/zbot.gen!AC and the slowness is because my computer is full of something? or do you mean you are not convinced that I had any problems caused by PWS:win32/zbot.gen!AC in the first place even though I got a message saying I was infected with it? :confused:

Thank you also for the info to keep me safer!!

Can you suggest a safer file to open files as it was downloading MS's suggestion of Free File Opener that caused all this hassle in the first place!!

thanks again, JonTom,

sarah

JonTom
2012-04-12, 16:05
Hello ecosarah


"Do you mean we've got rid of the PWS:win32/zbot.gen!AC and the slowness is because my computer is full of something? or do you mean you are not convinced that I had any problems caused by PWS:win32/zbot.gen!AC in the first place even though I got a message saying I was infected with it?"
I mean that now we have cleaned it, your computer appears to be malware free.

Your hard drive needs at least 10% free space for Windows to function efficiently. We can see the following from your last OTL log (red):


Drive C: | 33.29 Gb Total Space | 1.16 Gb Free Space | 3.47% Space Free | Partition Type: NTFS

Your drive is almost full (the size of the drive (33 GB) is actually very small by today's standards - I have a 300 GB drive on my machine and that is considered "reasonable" but by no means large). Since drive space is finite, you either need to remove some files from the drive to free up some room, or get a bigger drive.


"Can you suggest a safer file to open files as it was downloading MS's suggestion of Free File Opener that caused all this hassle in the first place!!"
I have never had to use the type of program you describe so I cannot really comment on which ones are trustworthy. If you are trying to open a .docx file using XP then perhaps give the Microsoft Compatibility Pack (http://www.microsoft.com/download/en/details.aspx?id=3) a try.

ecosarah
2012-04-12, 21:41
Thanks, I am relieved to be using my computer again!!!

I have been having lots of problems, however, until I have found a way to free up space, I cannot tell what is causing it. As you say my computer is probably malware free, I shall work on space next. I am still puzzled, as when I sync my phone with my docs, there is nowhere near as many gigs on my phone!! Yes, 33 is tiny!

- am trying to update Java, and cannot find an update button: the tabs are:
General, Java, Security, Advanced. I have been through them all and cannot find update anywhere! please advise.

I found an AVG folder in my programs, so deleted it as there is no sign of there being any program to uninstall, in add/remove or in Ccleaner.

will look at MS compatibility pack: thanks!!

and thanks again for all your efforts and help!!

JonTom
2012-04-12, 22:31
Hello ecosarah


"am trying to update Java, and cannot find an update button"
No problem, it can be updated manually:


Please update your Java


Click on "Start", then on "Control Panel".
Go to "Add or Remove Programs" and uninstall any previous versions of Java that you find (Java(TM) 6 Update 24).
Reboot your computer.
Download the latest version of Java Runtime Environment (JRE) 7 (http://www.oracle.com/technetwork/java/javase/downloads/index.html)
Scroll down the page until you reach "Java Platform Standard Edition".
Beneath this and to the right, you will see a red button marked "Download" for Java SE 7.
Click the "Download" button.
Accept the licence agreement.
Under "Product / File Description" download the jre-7u3-windows-i586.exe file for Windows x86 (32-bit) Offline.
Save the file to your desktop.
From your desktop double click on jre-7u3-windows-i586.exe to install the newest version.
Delete the downloaded installation file after completing the above procedure and reboot your system if not prompted to do so.



I found an AVG folder in my programs, so deleted it as there is no sign of there being any program to uninstall You can remove any other leftovers with the following tool:


Please download and run the AVG Removal Tool


The AVG removal tool will locate and remove all traces of AVG products from your computer.
To download the tool, click here (http://download.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe) and save the file (called avgremover.exe) to your desktop.
Double click on the avgremover.exe icon to run the program.
Follow any prompts you receive.
Once you have run the removal tool you may delete it from your machine.




thanks again for all your efforts and help!! You are Very Welcome :)

ecosarah
2012-04-13, 00:02
Loaded avast (typing reduced by injury, so being brief), updated, signed up for 20 day trial, disconnected their firewall, so when it ends I will still have a firewall.

Ran full scan. Slower than even my computer usually runs. Left it running. Upon return, it auto restarted, then had a msg that it had recovered from a serious problem. So assume scan didn't finish. Also found that CCleaner couldn't do a one pass wipe over my empty disc space - got stuck twice.

As I have more space than usual, I am puzzled. Meanwhile, what do you recommend re scanning?

:thanks:

JonTom
2012-04-13, 00:34
Hello ecosarah

Sorry to hear about your injury.


recovered from serious problem This may point to a potential hardware issue. I have already provided you with links to trustworthy forums to tackle the hardware/drive space problems you are having and I recommend that you post in those forums for hardware assistance.

If the Tech Crew at WTT are not able to help with your machine issues (and I would be very surprised if they were not able to) back up all of your data and perform a reformat and reinstallation of the operating system (the Tech Crew will advise you on how to do this).

I am not seeing any malware in your logs so there is nothing more I can suggest.

ecosarah
2012-04-13, 13:46
thx.

Also found bits of Ad-Aware: do you have a link to get rid of bits?

:thanks:

ecosarah
2012-04-13, 17:42
Hi

instructions say:
Download the latest version of Java Runtime Environment (JRE) 7
Scroll down the page until you reach "Java Platform Standard Edition".
Beneath this and to the right, you will see a red button marked "Download" for Java SE 7.
Click the "Download" button.

It isn't clear as there are lots of choices: do I download
a) "Java SE 7 Documentation";
b) "Java SE 7u3 - JRE" (which is one of 2 options just below "Java Platform SE" banner);
c) do I download Java Runtime Environment (JRE) 7 (which I cannot find) and then scroll down whatever is downloaded?

:thanks:

JonTom
2012-04-13, 18:33
Hello ecosarah

My apologies if the instructions were not clear enough for you. The file you need to download and install is here (http://download.oracle.com/otn-pub/java/jdk/7u3-b05/jre-7u3-windows-i586.exe)


also found bits of Ad-Aware: do you have a link to get rid of bits? Unfortunately, I do not have an Ad-Aware removal tool.

Any leftovers can be deleted manually (just make sure you know exactly what it is that you are deleting).

You may find the following notes (http://www.ehow.com/how_5092681_remove-adaware-se.html) helpful.

Let me know how the Java update goes.

ecosarah
2012-04-13, 18:56
Thx for link. It gave me this:



Sorry!
In order to download products from Oracle Technology Network you must agree to the OTN license terms.
Be sure that...
Your browser has "cookies" and JavaScript enabled.
You clicked on "Accept License" for the product you wish to download.
You attempt the download within 30 minutes of accepting the license.
From here you can go...
Back to Previous Page
Site Map
OTN Homepage

please advise,

thx!

JonTom
2012-04-14, 11:44
Hello ecosarah

Let's try it this way:

Please update your Java


Click on "Start", then on "Control Panel".
Go to "Add or Remove Programs" and uninstall any previous versions of Java that you find (Java(TM) 6 Update 24).
Reboot your computer.
Download the latest version of Java Runtime Environment (JRE) 7 (http://www.oracle.com/technetwork/java/javase/downloads/index.html)
Scroll down the page until you reach "Java Platform Standard Edition".
Beneath this and to the right, you will see a red button marked "Download" for Java SE 7.
Click the red "Download" button (shown in the picture below).

http://i625.photobucket.com/albums/tt335/JonTom_2009/eco1.jpg

Accept the licence agreement (see below).

http://i625.photobucket.com/albums/tt335/JonTom_2009/eco2.jpg

Under "Product / File Description" download the jre-7u3-windows-i586.exe file for Windows x86 (32-bit) Offline by clicking on the link to the file (see picture below).

http://i625.photobucket.com/albums/tt335/JonTom_2009/eco3.jpg

Save the file to your desktop.
From your desktop double click on the downloaded jre-7u3-windows-i586.exe file to install the newest version.
Delete the downloaded installation file after completing the above procedure and reboot your system if not prompted to do so.

ecosarah
2012-04-14, 13:22
Hi JonTom,

Yeah! Have updated Java. Think Stop Script was the problem.

Think we are done now! I will follow up your suggestions.

Many thanks for all your help, persistence and patience!!

go well,
sarah :present: :thanks: :angel:

JonTom
2012-04-14, 14:36
Hello ecosarah

Glad to hear you got it sorted out :bigthumb:


Many thanks for all your help, persistence and patience!! You are Very Welcome :)

As your malware issues appear to be resolved this thread is now closed.

Best wishes

JonTom