A small infection



Wiany
2012-07-18, 21:24
I'm very sorry, I posted the wrong log in the other thread. My bad. Hopefully I did it right this time:

I recently acquired an infection, presumably from a certain website (will post if needed). The symptoms included internet access being blocked and a fake Skype window popping up. I let MSE and Spybot scan; they both found a few things (about 10 each), but the viruses were so scattered that I suspect some more are still hiding. It wouldn't surprise me if I also had viruses sitting undetected for months before this. Any help would be greatly appreciated.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Owner at 20:15:23 on 2012-07-18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1279 [GMT 2:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Hamachi\hamachi-2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
D:\Program Files\VMware Player\vmware-authd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\VMware Player\hqtray.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HDD Health\HDDHealth.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Logitech\SetPointG\SetPointII.exe
D:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Logitech\SetPointG\LU\LULnchr.exe
C:\Program Files\Logitech\SetPointG\LU\LogitechUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\erunt-setup.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\is-LNT5T.tmp\is-814RV.tmp
C:\Program Files\ERUNT\ERUNT.EXE
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - d:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - d:\program files\microsoft visual studio\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Web Test Recorder 10.0: {5802d092-1784-4908-8cdb-99b6842d353d} - mscoree.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [HDDHealth] c:\program files\hdd health\HDDHealth.exe -wl
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [QuickTime Task] "c:\program files\quicktime alternative\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [VMware hqtray] "d:\program files\vmware player\hqtray.exe"
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [LogMeIn Hamachi Ui] "d:\program files\hamachi\hamachi-2-ui.exe" --auto-start
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\magicd~1.lnk - d:\program files\magicdisc\MagicDisc.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - d:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: d:\program files\vmware player\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: Interfaces\{C32928A9-FED3-4FCB-8C9B-0AD9245A7619} : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\a6qryu2v.default\
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: d:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: d:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\real alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\real alternative\browser\plugins\nprpjplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 171064]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2011-6-17 162544]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2011-6-17 44720]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;d:\program files\hamachi\hamachi-2.exe [2012-2-28 1373576]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-11-11 70768]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-11-11 539248]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2007-11-1 36864]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2011-5-16 111280]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2011-5-16 122224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-10-6 10448]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-11-18 1691480]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 VSPerfDrv100;Performance Tools Driver 10.0;d:\program files\microsoft visual studio\team tools\performance tools\VSPerfDrv100.sys [2009-12-8 48128]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-07-18 15:25:41 6891424 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{cf615d28-a386-4c66-84f5-dc2c8f5f9be0}\mpengine.dll
2012-07-18 15:07:56 -------- d-----w- c:\documents and settings\all users\application data\036DFF860009EDE7A4B897917B07D329
2012-07-18 00:17:22 6891424 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-07-12 20:33:48 -------- d-----w- c:\program files\GOG.com
2012-06-25 04:40:54 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-24 07:31:30 -------- d-----w- c:\program files\Pando Networks
2012-06-24 07:31:12 -------- d-----w- c:\program files\GamersFirst
2012-06-24 07:28:11 354318 ----a-w- c:\windows\system32\rsync.exe
2012-06-24 01:32:30 -------- d-----w- c:\documents and settings\owner\local settings\application data\Floating Minds
.
==================== Find3M ====================
.
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 13:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 13:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 13:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 13:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 13:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 13:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 13:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-24 00:15:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-24 00:15:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Harddisk0\DR0[0x8A6D5AB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Ide\IdeDeviceP0T1L0-c[0x8A6C5D98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
.
============= FINISH: 20:16:16.98 ===============

ken545
2012-07-19, 03:43

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

When running programs on Vista or Windows 7, you need to right-click on the program and select RUN AS ADMINISTRATOR.


You're possibly infected with a rootkit; let's check further.

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

Wiany
2012-07-19, 07:25
It asked me to install Avast when it started, I said no.


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-19 06:20:34
-----------------------------
06:20:34.468 OS Version: Windows 5.1.2600 Service Pack 3
06:20:34.468 Number of processors: 2 586 0xF0B
06:20:34.468 ComputerName: PRIVAT-D79A2942 UserName: Owner
06:20:34.890 Initialize success
06:21:57.265 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
06:21:57.265 Disk 0 Vendor: Size: 0MB BusType: 0
06:21:57.281 Disk 0 MBR read successfully
06:21:57.281 Disk 0 MBR scan
06:21:57.281 Disk 0 Windows XP default MBR code
06:21:57.281 Disk 0 MBR hidden
06:21:57.281 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 29996 MB offset 63
06:21:57.281 Disk 0 Partition - 00 0F Extended LBA 208476 MB offset 61432560
06:21:57.296 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 208476 MB offset 61432623
06:21:57.328 Disk 0 scanning C:\WINDOWS\system32\drivers
06:22:03.296 Service scanning
06:22:08.031 Service MpKsl784fd177 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF615D28-A386-4C66-84F5-DC2C8F5F9BE0}\MpKsl784fd177.sys **LOCKED** 32
06:22:14.593 Modules scanning
06:22:18.140 Disk 0 trace - called modules:
06:22:18.140 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
06:22:18.140 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a69dab8]
06:22:18.140 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-c[0x8a6a1b00]
06:22:18.140 Scan finished successfully
06:23:10.890 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
06:23:10.890 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

ken545
2012-07-19, 11:06
Good Morning,

aswMBR is written by Avast and it just wanted to download new definition updates, but it looks ok


Download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
Be sure to disable your security programs.
Double click on the file to run it
A window will open on your desktop
If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
If nothing unusual is found, just press Enter. A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.





Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report, please.

Wiany
2012-07-19, 12:10
I did all that. Also, Malwarebytes blocked some attempted traffic to a malicious website, both before and after removing the threat it found.



MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000017c

Kernel Drivers (total 139):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80B8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB8330000 PartMgr.sys
0xB80C8000 VolSnap.sys
0xB7F31000 atapi.sys
0xB7E69000 iaStor.sys
0xB80D8000 disk.sys
0xB80E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7E49000 fltMgr.sys
0xB7E37000 sr.sys
0xB7E0F000 MpFilter.sys
0xB80F8000 PxHelp20.sys
0xB7DF8000 KSecDD.sys
0xB7D6B000 Ntfs.sys
0xB7D3E000 NDIS.sys
0xB7CDE000 timntr.sys
0xB84BC000 speedfan.sys
0xB7CC3000 snapman.sys
0xB7CA9000 Mup.sys
0xB8671000 giveio.sys
0xB8258000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB71F4000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB71E0000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB83C8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB71BC000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB83D0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB7194000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB8288000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB8298000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB82A8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7171000 \SystemRoot\system32\DRIVERS\ks.sys
0xB83E0000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xB82B8000 \SystemRoot\system32\DRIVERS\l151x86.sys
0xB85C2000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xB82C8000 \SystemRoot\system32\DRIVERS\serial.sys
0xB7C51000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB82D8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB83E8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB83F8000 \??\C:\WINDOWS\system32\drivers\VMkbd.sys
0xB8400000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB7141000 \SystemRoot\system32\drivers\windrvr6.sys
0xB85C4000 \SystemRoot\system32\drivers\USBD.SYS
0xB87D2000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB82F8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB7C4D000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB712A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB8308000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB8318000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8410000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB7079000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8168000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB8418000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB8420000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB7037000 \SystemRoot\system32\DRIVERS\VBoxNetAdp.sys
0xB8430000 \SystemRoot\system32\DRIVERS\hamachi.sys
0xB8178000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB701A000 \SystemRoot\system32\DRIVERS\mcdbus.sys
0xB7002000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0xB6FE6000 \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys
0xB85C6000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB6F88000 \SystemRoot\system32\DRIVERS\update.sys
0xB7C31000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB7C2D000 \SystemRoot\system32\DRIVERS\vmnetadapter.sys
0xB7C29000 \SystemRoot\system32\DRIVERS\VMNET.SYS
0xB8188000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB81B8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB484F000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB482B000 \SystemRoot\system32\drivers\portcls.sys
0xB81D8000 \SystemRoot\system32\drivers\drmk.sys
0xB85DC000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB871D000 \SystemRoot\System32\Drivers\Null.SYS
0xB8478000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB8480000 \SystemRoot\System32\drivers\vga.sys
0xB85E0000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB85E2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB8488000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB8490000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB6F6C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB4768000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB470F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB46E7000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB46C1000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB85A0000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xB469F000 \SystemRoot\System32\drivers\afd.sys
0xB81E8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB81F8000 \SystemRoot\system32\DRIVERS\VBoxUSBMon.sys
0xB4651000 \SystemRoot\system32\DRIVERS\VBoxDrv.sys
0xB4626000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB45B6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB8208000 \SystemRoot\System32\Drivers\Fips.SYS
0xB84A8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB4813000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB8228000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB84B0000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0xB8238000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB447D000 \SystemRoot\System32\Drivers\wdf01000.sys
0xB4803000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB8378000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xB7051000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB8248000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB446C000 \SystemRoot\System32\Drivers\Udfs.SYS
0xB8268000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB4454000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB85EE000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB47AB000 \SystemRoot\System32\drivers\Dxapi.sys
0xB8388000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB879D000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBD61F000 \SystemRoot\System32\ATMFD.DLL
0xB8408000 \SystemRoot\system32\DRIVERS\tifsfilt.sys
0xB8380000 \SystemRoot\system32\DRIVERS\vmnetbridge.sys
0xB4120000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB3D9F000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB41C4000 \??\C:\WINDOWS\system32\drivers\hcmon.sys
0xB41B4000 \??\C:\WINDOWS\system32\Drivers\vmci.sys
0xB3CD0000 \??\C:\WINDOWS\system32\Drivers\vmx86.sys
0xB8468000 \??\C:\WINDOWS\system32\drivers\vmnetuserif.sys
0xB3B60000 \SystemRoot\system32\DRIVERS\srv.sys
0xB3A04000 \??\D:\Program Files\VMware Player\vstor2-ws60.sys
0xB36EB000 \SystemRoot\system32\drivers\wdmaud.sys
0xB3768000 \SystemRoot\system32\drivers\sysaudio.sys
0xB35BC000 \SystemRoot\System32\Drivers\HTTP.sys
0xB3C98000 \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\aswMBR.sys
0xB3A38000 \??\C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF615D28-A386-4C66-84F5-DC2C8F5F9BE0}\MpKsl784fd177.sys
0xAF247000 \SystemRoot\system32\drivers\kmixer.sys
0xB8654000 \SystemRoot\system32\drivers\splitter.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 54):
0 System Idle Process
4 System
952 C:\WINDOWS\system32\smss.exe
1400 csrss.exe
1424 C:\WINDOWS\system32\winlogon.exe
1468 C:\WINDOWS\system32\services.exe
1480 C:\WINDOWS\system32\lsass.exe
1684 C:\WINDOWS\system32\nvsvc32.exe
1784 C:\WINDOWS\system32\svchost.exe
1828 svchost.exe
308 C:\Program Files\Microsoft Security Client\MsMpEng.exe
344 C:\WINDOWS\system32\svchost.exe
872 svchost.exe
1320 svchost.exe
1780 C:\WINDOWS\system32\spoolsv.exe
724 svchost.exe
812 C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
828 C:\WINDOWS\system32\svchost.exe
832 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
848 C:\Program Files\Bonjour\mDNSResponder.exe
1064 D:\Program Files\Hamachi\hamachi-2.exe
1128 C:\Program Files\Java\jre6\bin\jqs.exe
1200 C:\WINDOWS\system32\svchost.exe
1984 C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
580 C:\WINDOWS\system32\vmnat.exe
652 C:\WINDOWS\system32\vmnetdhcp.exe
1280 D:\Program Files\VMware Player\vmware-authd.exe
3048 alg.exe
2028 C:\Program Files\iPod\bin\iPodService.exe
1000 C:\WINDOWS\explorer.exe
3968 C:\WINDOWS\RTHDCPL.EXE
4040 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
2912 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
3020 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
2940 D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
3608 C:\WINDOWS\system32\rundll32.exe
2088 D:\Program Files\iTunes\iTunesHelper.exe
3216 C:\WINDOWS\system32\ctfmon.exe
2564 D:\Program Files\VMware Player\hqtray.exe
3160 C:\WINDOWS\vsnpstd3.exe
3104 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2976 C:\Program Files\Microsoft Security Client\msseces.exe
1216 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
3944 C:\Program Files\HDD Health\hddhealth.exe
4024 D:\Program Files\MagicDisc\MagicDisc.exe
2196 wmiprvse.exe
2512 C:\Program Files\Logitech\SetPointG\SetPointII.exe
3096 C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
4008 C:\Program Files\Logitech\SetPointG\LU\LULnchr.exe
3664 C:\Program Files\Logitech\SetPointG\LU\LogitechUpdate.exe
4032 MpCmdRun.exe
2728 C:\WINDOWS\system32\wscntfy.exe
3444 C:\WINDOWS\system32\svchost.exe
1208 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000007`52c65e00 (NTFS)

PhysicalDrive0 Model Number: ST3250824A, Rev: 3.AAD

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!





Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.19.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: PRIVAT-D79A2942 [limited]

Protection: Enabled

19/07/2012 10:43:17
mbam-log-2012-07-19 (10-43-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 211391
Time elapsed: 4 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\4481\SMBHelper.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

(end)
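
A cross-check of the MBR reports in this thread (the DDS rootkit section, aswMBR and MBRCheck), as an added example that is not part of the thread or of any of those tools: it decodes a 512-byte MBR and EBR the way they summarise them, verifies the 55 AA signature, checks the table for overlapping or out-of-bounds entries, matches the volume byte offsets MBRCheck printed to partition starts, and hashes the sector as MBRCheck does. The sector bytes (zeroed boot code, partition entries built to match the offsets aswMBR reported) and the 250 GB disk size are constructed/assumed, so the SHA1 it prints will not equal the one in the log.

```python
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446          # partition table starts after 446 bytes of boot code
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"
TYPE_NAMES = {0x07: "HPFS/NTFS", 0x0F: "Extended LBA", 0x05: "Extended"}


def _entry(bootable, ptype, lba_start, sectors):
    """One 16-byte partition entry; CHS fields use the LBA-only marker FE FF FF (constructed)."""
    chs = b"\xfe\xff\xff"
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, chs, ptype, chs, lba_start, sectors)


def _sector(entries):
    """Pad a partition table out to one sector: zeroed boot-code area, 4 entries, 55 AA."""
    table = b"".join(entries) + _entry(False, 0x00, 0, 0) * (4 - len(entries))
    return b"\x00" * TABLE_OFFSET + table + BOOT_SIGNATURE


# CONSTRUCTED sectors matching the layout aswMBR reported for Disk 0.
EXTENDED_LBA = 61432560
MBR = _sector([
    _entry(True, 0x07, 63, 61432497),             # Partition 1: bootable NTFS, offset 63
    _entry(False, 0x0F, EXTENDED_LBA, 426958848),  # extended container, offset 61432560
])
# The EBR sits at EXTENDED_LBA; its first entry's start is RELATIVE to the EBR's own sector.
EBR = _sector([_entry(False, 0x07, 63, 426958785)])  # logical NTFS at EXTENDED_LBA + 63


def has_boot_signature(sector):
    """True only for a full 512-byte sector ending in 55 AA."""
    return len(sector) == SECTOR and sector[510:512] == BOOT_SIGNATURE


def parse_table(sector, base_lba=0):
    """Decode the four entries of an MBR (base_lba=0) or an EBR (base_lba = the EBR's LBA)."""
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector with a 55 AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, rel_start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0x00:
            continue                      # empty slot
        if status not in (0x00, 0x80):
            raise ValueError("entry %d has invalid status byte 0x%02x" % (i + 1, status))
        lba = base_lba + rel_start
        parts.append({
            "entry": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown 0x%02x" % ptype),
            "lba_start": lba,
            "sectors": count,
            "size_mb": round(count * SECTOR / (1024 * 1024)),
            "byte_offset": lba * SECTOR,
        })
    return parts


def check_layout(parts, disk_sectors):
    """Checks worth making before trusting a table: one boot flag, no overlaps, nothing past the disk end."""
    problems = []
    if sum(p["bootable"] for p in parts) != 1:
        problems.append("expected exactly one bootable partition")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append("entries %d and %d overlap" % (a["entry"], b["entry"]))
    for p in parts:
        if p["lba_start"] + p["sectors"] > disk_sectors:
            problems.append("entry %d runs past the end of the disk" % p["entry"])
    return problems


def match_volumes(parts, volume_offsets):
    """Map each volume byte offset (as MBRCheck prints them) to the LBA of the partition starting there."""
    by_offset = {p["byte_offset"]: p["lba_start"] for p in parts}
    return {drive: by_offset.get(off) for drive, off in volume_offsets.items()}


def mbr_sha1(sector):
    """Fingerprint of the whole sector, boot code included, in MBRCheck's upper-case form."""
    return hashlib.sha1(sector).hexdigest().upper()


def analyse():
    primaries = parse_table(MBR)
    logicals = parse_table(EBR, base_lba=EXTENDED_LBA)
    # Volume offsets copied from the MBRCheck output above; 488397168 sectors is an ASSUMED 250 GB disk size.
    volumes = {"C:": 0x7E00, "D:": 0x0000000752C65E00}
    return {
        "partitions": primaries + logicals,
        "problems": check_layout(primaries, 488397168),
        "volumes": match_volumes(primaries + logicals, volumes),
        "sha1": mbr_sha1(MBR),
    }


if __name__ == "__main__":
    result = analyse()
    for p in result["partitions"]:
        flag = "boot" if p["bootable"] else "    "
        print("%-12s %s start LBA %d, %d MB" % (p["type_name"], flag, p["lba_start"], p["size_mb"]))
    print("problems:", result["problems"] or "none")
    print("volumes :", result["volumes"])
    print("SHA1    :", result["sha1"])
```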

ken545
2012-07-19, 13:41
I was concerned that your Master Boot Record was infected as there is lots of that going around now but yours looks fine.

The Pro version of Malwarebytes will block attempts to reach bad sites. Did you upgrade to this?


ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

Wiany
2012-07-19, 15:59
Malwarebytes offered a free trial of the pro version when I installed it, so I took it.
When the ESET scan was at 99%, it seemed to crash (An unhandled win32 exception occurred in OnlineCmdLineScanner.exe [2632].). After I declined to use a just-in-time debugger, ESET acted like nothing had happened and produced a log.


C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BrothersoftExtremeCT.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\15\4e6ab64f-1c3aace0 a variant of Java/Exploit.Blacole.AF trojan
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\37\1bbf2f65-72f3c92f a variant of Win32/Injector.TYT trojan

ken545
2012-07-19, 19:16
You will be real happy with Malwarebytes Pro, it's a life saver sometimes, I have it on all my systems. The cost is minimal, a one-time fee and you own it, so if you ever sell your computer you can uninstall it and reinstall on the new one, just don't lose your keycode.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery <-- Open Spybot and go into the Recovery folder and delete it all, but not the Recovery folder itself.


You also have some bad entries in your Java Cache, run this cleaner and it will flush it all out along with other unneeded garbage.

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run.
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.

Then let me take a final look.

OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.

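OTL lists files by timestamp, size, attributes and company name, and keeps a separate "Files Created - No Company Name" section, which is the first place a helper looks for dropped executables. The script below is an added example (not OTL's, the forum's or ken545's own code) that parses those file-entry lines and applies a first-pass screen: executables under C:\WINDOWS with an empty company name, and executables there created or modified within the last 30 days. The sample lines are copied from or modelled on the OTL log posted later in this thread; the rule names, the 30-day window and the directory list are my own assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, Iterable, List, Optional

# One OTL file entry looks like this (line from the log posted in this thread):
# [2012/06/24 09:28:11 | 000,354,318 | ---- | C] () -- C:\WINDOWS\System32\rsync.exe
# Fields: timestamp | size | attributes (R/H/S/D) | C(reated) or M(odified), then
# an optional "(company)" and the path. Directory entries omit the company part.
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Za-z-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)\s*$"
)

# Extensions that load as code; data files (.dat, .ini, .lnk) are ignored here.
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv"}
# Assumed watch list of locations (compared case-insensitively); C:\WINDOWS\ also
# covers System32 and System32\drivers.
SYSTEM_DIRS = ("c:\\windows\\",)


@dataclass
class Entry:
    stamp: datetime
    size: int
    attrs: str
    kind: str      # "C" from a Created list, "M" from a Modified list
    company: str   # "" when OTL printed "()" or no company at all
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs.upper()

    @property
    def ext(self) -> str:
        dot, sep = self.path.rfind("."), self.path.rfind("\\")
        return self.path[dot:].lower() if dot > sep else ""


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one OTL file line; return None for headers, blanks and other line types."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    return Entry(
        stamp=datetime.strptime(m["stamp"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=(m["company"] or "").strip(),  # OTL sometimes leaves a trailing space
        path=m["path"],
    )


def triage(lines: Iterable[str], scan_date: date, recent_days: int = 30) -> Dict[str, List[str]]:
    """Return {path: [reason, ...]} for entries worth a human look.

    This is a first pass, not a verdict: mbam.sys from a fresh Malwarebytes
    install trips the 'recent' rule just as a dropped driver would.
      unsigned-system-exec  executable under SYSTEM_DIRS with an empty company name
      recent-system-exec    executable under SYSTEM_DIRS dated within recent_days of the scan
    """
    findings: Dict[str, List[str]] = {}
    for line in lines:
        e = parse_entry(line)
        if e is None or e.is_dir or e.ext not in EXEC_EXT:
            continue
        if not e.path.lower().startswith(SYSTEM_DIRS):
            continue
        reasons = []
        if not e.company:
            reasons.append("unsigned-system-exec")
        if (scan_date - e.stamp.date()).days <= recent_days:
            reasons.append("recent-system-exec")
        # The same path can appear in both the Created and Modified lists, so dedupe.
        bucket = findings.setdefault(e.path, [])
        for r in reasons:
            if r not in bucket:
                bucket.append(r)
        if not bucket:
            del findings[e.path]
    return findings


# Sample input: lines copied from the OTL log in this thread, plus the section headers
# the parser must skip. The scan date is the one in that log.
SAMPLE_LOG = r"""
========== Files/Folders - Created Within 30 Days ==========

[2012/07/19 19:43:43 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2012/07/19 10:41:48 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/07/19 10:41:48 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

========== Files Created - No Company Name ==========

[2012/07/19 15:16:01 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/07/19 10:37:52 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBRCheck.exe
[2012/06/24 09:28:11 | 000,354,318 | ---- | C] () -- C:\WINDOWS\System32\rsync.exe
[2012/06/14 16:10:12 | 000,040,960 | R--- | C] () -- C:\WINDOWS\System32\psfind.dll
[2012/07/19 19:37:53 | 2146,545,664 | -HS- | M] () -- C:\hiberfil.sys
"""
SCAN_DATE = date(2012, 7, 19)

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG.splitlines(), SCAN_DATE).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run over the full OTL.Txt the output is a short list to read by hand, not something to feed into a fix script; the entries it flags on this thread's log (rsync.exe, psfind.dll) still need a look at their publisher and origin.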
Wiany
2012-07-19, 20:29
When I start TFC, the desktop disappears but the progress bar doesn't move and the only messages it gives are "Getting user folders." and "Stopping running processes.". When I click on the TFC window, it says it's not responding. I'm posting from a second PC while TFC is still open, should I just keep waiting?

ken545
2012-07-19, 20:30
No, go ahead and close it and run OTL, we can clean the Java cache using OTL.

Wiany
2012-07-19, 20:58
OTL logfile created on: 19/07/2012 19:45:06 - Run 1
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.27 Gb Available Physical Memory | 63.55% Memory free
3.85 Gb Paging File | 3.29 Gb Available in Paging File | 85.56% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 4.39 Gb Free Space | 15.00% Space Free | Partition Type: NTFS
Drive D: | 203.59 Gb Total Space | 10.68 Gb Free Space | 5.24% Space Free | Partition Type: NTFS
Drive F: | 3.22 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: PRIVAT-D79A2942 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - D:\Program Files\TortoiseSVN\bin\TSVNCache.exe (http://tortoisesvn.net)
PRC - D:\Program Files\Hamachi\hamachi-2.exe (LogMeIn Inc.)
PRC - C:\WINDOWS\system32\vmnetdhcp.exe (VMware, Inc.)
PRC - C:\WINDOWS\system32\vmnat.exe (VMware, Inc.)
PRC - D:\Program Files\VMware Player\hqtray.exe (VMware, Inc.)
PRC - D:\Program Files\VMware Player\vmware-authd.exe (VMware, Inc.)
PRC - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe (VMware, Inc.)
PRC - C:\Program Files\Logitech\SetPointG\SetPointII.exe (Logitech, Inc.)
PRC - C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe (Logitech, Inc.)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - D:\Program Files\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
PRC - C:\Program Files\HDD Health\hddhealth.exe (PANTERASoft)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
PRC - C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
PRC - C:\WINDOWS\vsnpstd3.exe ()


========== Modules (No Company Name) ==========

MOD - D:\Program Files\TortoiseSVN\bin\libsasl32.dll ()
MOD - D:\Program Files\VMware Player\zlib1.dll ()
MOD - D:\Program Files\VMware Player\libxml2.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Acronis\Common\gc.dll ()
MOD - C:\WINDOWS\vsnpstd3.exe ()


========== Win32 Services (SafeList) ==========

SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (Akamai) -- c:\program files\common files\akamai/netsession_win_4f7fccd.dll ()
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MsMpSvc) -- C:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (Hamachi2Svc) -- D:\Program Files\Hamachi\hamachi-2.exe (LogMeIn Inc.)
SRV - (VMnetDHCP) -- C:\WINDOWS\system32\vmnetdhcp.exe (VMware, Inc.)
SRV - (VMware NAT Service) -- C:\WINDOWS\system32\vmnat.exe (VMware, Inc.)
SRV - (VMAuthdService) -- D:\Program Files\VMware Player\vmware-authd.exe (VMware, Inc.)
SRV - (VMUSBArbService) -- C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe (VMware, Inc.)
SRV - (ufad-ws60) -- D:\Program Files\VMware Player\vmware-ufad.exe (VMware, Inc.)
SRV - (LBTServ) -- C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe (Logitech, Inc.)
SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (VBoxDrv) -- C:\WINDOWS\system32\drivers\VBoxDrv.sys (Oracle Corporation)
DRV - (VBoxNetFlt) -- C:\WINDOWS\system32\drivers\VBoxNetFlt.sys (Oracle Corporation)
DRV - (VBoxNetAdp) -- C:\WINDOWS\system32\drivers\VBoxNetAdp.sys (Oracle Corporation)
DRV - (VBoxUSBMon) -- C:\WINDOWS\system32\drivers\VBoxUSBMon.sys (Oracle Corporation)
DRV - (speedfan) -- C:\WINDOWS\system32\speedfan.sys (Almico Software)
DRV - (vmci) -- C:\WINDOWS\system32\drivers\vmci.sys (VMware, Inc.)
DRV - (vmx86) -- C:\WINDOWS\system32\drivers\vmx86.sys (VMware, Inc.)
DRV - (vmkbd) -- C:\WINDOWS\system32\drivers\VMkbd.sys (VMware, Inc.)
DRV - (VMnetBridge) -- C:\WINDOWS\system32\drivers\vmnetbridge.sys (VMware, Inc.)
DRV - (VMnetuserif) -- C:\WINDOWS\system32\drivers\vmnetuserif.sys (VMware, Inc.)
DRV - (hcmon) -- C:\WINDOWS\system32\drivers\hcmon.sys (VMware, Inc.)
DRV - (vmusb) -- C:\WINDOWS\system32\drivers\vmusb.sys (VMware, Inc.)
DRV - (VMnetAdapter) -- C:\WINDOWS\system32\drivers\vmnetadapter.sys (VMware, Inc.)
DRV - (timounter) -- C:\WINDOWS\system32\drivers\timntr.sys (Acronis)
DRV - (tifsfilter) -- C:\WINDOWS\system32\drivers\tifsfilt.sys (Acronis)
DRV - (snapman) -- C:\WINDOWS\system32\drivers\snapman.sys (Acronis)
DRV - (vstor2-ws60) -- D:\Program Files\VMware Player\vstor2-ws60.sys (VMware, Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (LMouFilt) -- C:\WINDOWS\system32\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV - (LHidFilt) -- C:\WINDOWS\system32\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV - (LBeepKE) -- C:\WINDOWS\system32\drivers\LBeepKE.sys (Logitech, Inc.)
DRV - (VSPerfDrv100) -- D:\Program Files\Microsoft Visual Studio\Team Tools\Performance Tools\VSPerfDrv100.sys (Microsoft Corporation)
DRV - (Monfilt) -- C:\WINDOWS\system32\drivers\Monfilt.sys (Creative Technology Ltd.)
DRV - (Ambfilt) -- C:\WINDOWS\system32\drivers\Ambfilt.sys (Creative)
DRV - (RivaTuner32) -- D:\Program Files\Rivatuner 2.24\RivaTuner32.sys ()
DRV - (hamachi) -- C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (mcdbus) -- C:\WINDOWS\system32\drivers\mcdbus.sys (MagicISO, Inc.)
DRV - (WinDriver6) -- C:\WINDOWS\system32\drivers\windrvr6.sys (Jungo)
DRV - (AtcL001) -- C:\WINDOWS\system32\drivers\l151x86.sys (Atheros Communications, Inc.)
DRV - (SNPSTD3) USB PC Camera (SNPSTD3) -- C:\WINDOWS\system32\drivers\snpstd3.sys (Sonix Co. Ltd.)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()
DRV - (SilverLink) Texas Instruments SilverLink (USB GraphLink) -- C:\WINDOWS\system32\drivers\SilvrLnk.sys (Texas Instruments Incorporated)
DRV - (giveio) -- C:\WINDOWS\system32\giveio.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&query={searchTerms}&invocationType=tb50winampie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-220523388-838170752-682003330-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-220523388-838170752-682003330-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-220523388-838170752-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-220523388-838170752-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}:6.0.31
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: D:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: D:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: D:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: D:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: D:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/28 16:58:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/04/24 02:15:34 | 000,000,000 | ---D | M]

[2010/10/06 17:31:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2012/07/19 06:18:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\a6qryu2v.default\extensions
[2011/09/15 09:11:48 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\a6qryu2v.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/07/18 19:55:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/04/24 02:15:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
[2012/04/24 02:15:21 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2012/04/24 02:15:21 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2012/07/18 19:22:42 | 000,443,488 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15236 more lines...
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Microsoft Web Test Recorder 10.0 Helper) - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - D:\Program Files\Microsoft Visual Studio\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [LogMeIn Hamachi Ui] D:\Program Files\Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime Alternative\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [VMware hqtray] D:\Program Files\VMware Player\hqtray.exe (VMware, Inc.)
O4 - HKU\S-1-5-21-220523388-838170752-682003330-1003..\Run: [HDDHealth] C:\Program Files\HDD Health\HDDHealth.exe (PANTERASoft)
O4 - HKU\S-1-5-21-220523388-838170752-682003330-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-21-220523388-838170752-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-220523388-838170752-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - D:\Program Files\VMware Player\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - D:\Program Files\VMware Player\vsocklib.dll (VMware, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C32928A9-FED3-4FCB-8C9B-0AD9245A7619}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Program Files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop Components:0 () - E:\things\isp\2007-03 (Mrz)-20\desktops\14528.jpg
O24 - Desktop Components:1 () - E:\things\isp\2007-03 (Mrz)-20\desktops\black wp.bmp
O24 - Desktop Components:2 (My Current Home Page) - About:Home
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\LeoparDo.bmp
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/10/06 15:57:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/19 19:43:43 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2012/07/19 18:44:17 | 000,448,512 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\TFC.exe
[2012/07/19 12:53:40 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/07/19 12:53:23 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Owner\Desktop\esetsmartinstaller_enu.exe
[2012/07/19 10:42:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2012/07/19 10:41:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/07/19 10:41:48 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/07/19 10:41:48 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/07/19 10:40:59 | 010,652,120 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup-1.62.0.1300.exe
[2012/07/19 06:19:13 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Owner\Desktop\aswMBR.exe
[2012/07/18 20:15:23 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\My Documents\My Videos
[2012/07/18 20:15:08 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2012/07/18 20:14:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/07/18 20:14:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/07/18 20:14:26 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/07/18 20:13:58 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Owner\Desktop\erunt-setup.exe
[2012/07/18 19:37:01 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HijackThis.exe
[2012/07/18 17:07:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\036DFF860009EDE7A4B897917B07D329
[2012/07/12 22:33:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\GOG.com
[2012/07/12 22:33:48 | 000,000,000 | ---D | C] -- C:\Program Files\GOG.com
[2012/06/25 06:40:54 | 000,521,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsdbgui.dll
[2012/06/24 09:31:30 | 000,000,000 | ---D | C] -- C:\Program Files\Pando Networks
[2012/06/24 09:31:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\GamersFirst
[2012/06/24 09:31:12 | 000,000,000 | ---D | C] -- C:\Program Files\GamersFirst
[2012/06/24 09:28:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Warkeepers
[2012/06/24 03:32:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Floating Minds
[38 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[38 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[180 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/19 19:43:45 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2012/07/19 19:37:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/19 19:37:53 | 2146,545,664 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/19 18:57:01 | 000,000,974 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-220523388-838170752-682003330-1005UA.job
[2012/07/19 18:44:18 | 000,448,512 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\TFC.exe
[2012/07/19 15:16:01 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/07/19 14:50:48 | 000,259,252 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\untitled.PNG
[2012/07/19 12:53:24 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Owner\Desktop\esetsmartinstaller_enu.exe
[2012/07/19 10:41:55 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/19 10:41:28 | 010,652,120 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup-1.62.0.1300.exe
[2012/07/19 10:38:23 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MBRCheck.exe
[2012/07/19 06:23:10 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2012/07/19 06:19:34 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Owner\Desktop\aswMBR.exe
[2012/07/18 20:21:35 | 000,004,946 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\attach.zip
[2012/07/18 20:21:23 | 000,000,041 | ---- | M] () -- C:\WINDOWS\Filzip.ini
[2012/07/18 20:15:18 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2012/07/18 20:14:36 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/07/18 20:14:28 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2012/07/18 20:14:01 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Owner\Desktop\erunt-setup.exe
[2012/07/18 19:37:02 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HijackThis.exe
[2012/07/18 19:22:42 | 000,443,488 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/07/18 19:17:18 | 000,000,257 | RHS- | M] () -- C:\boot.ini
[2012/07/18 05:57:00 | 000,000,922 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-220523388-838170752-682003330-1005Core.job
[2012/07/16 22:07:55 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/12 22:33:53 | 000,001,844 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Tyrian 2000.lnk
[2012/07/12 03:21:19 | 000,254,272 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/07/12 03:06:30 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/06/25 19:45:05 | 000,496,068 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/25 19:45:05 | 000,085,012 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[38 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[38 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[180 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/19 15:16:01 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/07/19 14:50:48 | 000,259,252 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\untitled.PNG
[2012/07/19 10:41:55 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/19 10:37:52 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBRCheck.exe
[2012/07/19 06:23:10 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2012/07/18 20:21:35 | 000,004,946 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\attach.zip
[2012/07/18 20:14:36 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/07/18 20:14:28 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2012/07/12 22:33:53 | 000,001,844 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Tyrian 2000.lnk
[2012/06/24 09:28:11 | 000,354,318 | ---- | C] () -- C:\WINDOWS\System32\rsync.exe
[2012/06/14 16:10:12 | 000,040,960 | R--- | C] () -- C:\WINDOWS\System32\psfind.dll
[2012/04/07 15:01:28 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/03/24 22:31:27 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2012/03/24 22:31:27 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2012/03/24 22:31:27 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2011/05/18 19:50:34 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\initdebug.nfo
[2011/05/06 17:29:40 | 000,000,292 | ---- | C] () -- C:\WINDOWS\EReg176.dat
[2011/03/18 21:58:10 | 000,000,056 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsidmv.dat
[2011/03/04 00:13:37 | 000,300,032 | ---- | C] () -- C:\WINDOWS\unin0411.exe
[2011/01/02 10:45:18 | 002,692,722 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-220523388-838170752-682003330-1005-0.dat
[2011/01/02 10:45:17 | 000,295,746 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2010/10/09 04:57:28 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/10/06 19:13:20 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/06 17:57:37 | 000,232,968 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2010/10/06 17:57:35 | 000,232,968 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2010/10/06 17:57:35 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2010/10/06 17:42:18 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/10/06 17:40:58 | 000,254,272 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/06 17:28:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/10/06 16:56:59 | 000,000,041 | ---- | C] () -- C:\WINDOWS\Filzip.ini
[2010/10/06 16:10:45 | 000,001,376 | ---- | C] () -- C:\Documents and Settings\Owner\SQL9EE.mft
[2010/10/06 16:10:45 | 000,001,376 | ---- | C] () -- C:\Documents and Settings\Owner\SQL97A.mft
[2010/10/06 16:08:46 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/10/06 15:54:53 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

========== LOP Check ==========

[2012/07/18 17:29:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\036DFF860009EDE7A4B897917B07D329
[2012/07/12 21:59:19 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2012/05/19 17:30:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Battle.net
[2010/10/16 17:06:35 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\C-Free
[2010/12/25 01:55:11 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\NFS Underground
[2011/01/01 05:57:28 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
[2012/01/06 14:43:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/10/06 19:11:37 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\TmForever
[2010/10/16 16:35:36 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Vernier
[2011/01/23 17:58:48 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2010/10/08 20:18:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/10/08 04:15:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AQUATRA
[2010/11/02 04:00:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\C-Free
[2010/11/11 23:43:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Downloaded Installations
[2011/01/23 17:55:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GetRightToGo
[2011/05/18 19:38:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\HD Tune Pro
[2010/10/06 18:35:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Irfanview
[2010/10/06 18:47:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2011/11/13 13:29:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mumble
[2012/04/10 17:54:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Subversion
[2012/06/16 02:51:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SystemRequirementsLab
[2011/09/16 01:36:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\TeamViewer
[2011/11/01 06:46:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Wargaming.net
[2010/10/08 00:31:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\AQUATRA
[2012/06/22 08:56:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\BITS
[2010/10/16 17:06:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\C-Free
[2010/11/11 23:41:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Downloaded Installations
[2012/01/26 19:24:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\FlashGet
[2012/01/26 19:16:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\FlashGetBHO
[2012/01/26 19:16:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\FlashgetSetup
[2010/10/30 00:27:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\foobar2000
[2012/03/24 22:38:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\GetRightToGo
[2010/10/06 19:56:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Irfanview
[2012/01/16 04:13:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mumble
[2010/10/08 21:22:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\OpenOffice.org
[2011/10/19 18:38:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\spiral
[2012/02/02 14:07:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\splitscreen
[2012/04/07 15:02:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Subversion
[2012/06/14 15:06:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\SystemRequirementsLab
[2011/09/16 03:23:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\TeamViewer
[2010/12/30 14:00:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Three Rings Design
[2010/10/07 01:37:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Thunderbird
[2010/10/16 22:17:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\TS3Client
[2011/01/18 20:50:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Unity
[2012/07/19 11:15:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\uTorrent
[2011/10/26 00:28:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\wargaming.net
[2012/01/06 11:28:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\yoclient

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BA85A56C

< End of report >

Wiany
2012-07-19, 20:58
OTL Extras logfile created on: 19/07/2012 19:45:06 - Run 1
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.27 Gb Available Physical Memory | 63.55% Memory free
3.85 Gb Paging File | 3.29 Gb Available in Paging File | 85.56% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 4.39 Gb Free Space | 15.00% Space Free | Partition Type: NTFS
Drive D: | 203.59 Gb Total Space | 10.68 Gb Free Space | 5.24% Space Free | Partition Type: NTFS
Drive F: | 3.22 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: PRIVAT-D79A2942 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"D:\Program Files\VMware Player\vmware-authd.exe" = D:\Program Files\VMware Player\vmware-authd.exe:*:Enabled:VMware Authd -- (VMware, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\TmNationsForever\TmForever.exe" = C:\Program Files\TmNationsForever\TmForever.exe:*:Enabled:TmForever
"D:\Program Files\Steam\Steam.exe" = D:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"D:\Program Files\uTorrent\uTorrent.exe" = D:\Program Files\uTorrent\uTorrent.exe:*:Disabled:µTorrent -- (BitTorrent, Inc.)
"D:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" = D:\Program Files\Microsoft Office\Office14\ONENOTE.EXE:*:Enabled:Microsoft OneNote -- (Microsoft Corporation)
"D:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" = D:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Earth\client\googleearth.exe" = C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Earth\client\googleearth.exe:*:Disabled:Google Earth -- (Google)
"D:\Program Files\VMware Player\vmware-authd.exe" = D:\Program Files\VMware Player\vmware-authd.exe:*:Enabled:VMware Authd -- (VMware, Inc.)
"E:\games\SteelStorm\steelstorm.exe" = E:\games\SteelStorm\steelstorm.exe:*:Disabled:DarkPlaces Game Engine
"E:\things\NEED.FOR.SPEED.UNDERGROUND+NO-CD.CRACK+PATCH+KEY\Speed.exe" = E:\things\NEED.FOR.SPEED.UNDERGROUND+NO-CD.CRACK+PATCH+KEY\Speed.exe:*:Disabled:Speed
"E:\games\Borderlands\Binaries\Borderlands.exe" = E:\games\Borderlands\Binaries\Borderlands.exe:*:Disabled:Borderlands
"C:\Documents and Settings\User\Desktop\WinBattle_demo\server.exe" = C:\Documents and Settings\User\Desktop\WinBattle_demo\server.exe:*:Disabled:server
"C:\Documents and Settings\User\Desktop\WinBattle_demo\winbattle.exe" = C:\Documents and Settings\User\Desktop\WinBattle_demo\winbattle.exe:*:Disabled:winbattle
"E:\games\Gruntz p\Gruntz.exe" = E:\games\Gruntz p\Gruntz.exe:*:Disabled:The Ultimate Puzzle-Strategy-Action Game
"C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Earth\plugin\geplugin.exe" = C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Earth\plugin\geplugin.exe:*:Disabled:Google Earth -- (Google)
"E:\games\Nexuiz\nexuiz.exe" = E:\games\Nexuiz\nexuiz.exe:*:Disabled:Nexuiz
"E:\games\Portal 2\portal2.exe" = E:\games\Portal 2\portal2.exe:*:Disabled:portal2
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox -- (Mozilla Corporation)
"D:\Program Files\Fraps\fraps.exe" = D:\Program Files\Fraps\fraps.exe:*:Disabled:fraps.exe
"D:\games\Serious Sam 2\Bin\Sam2.exe" = D:\games\Serious Sam 2\Bin\Sam2.exe:*:Disabled:Sam2
"D:\games\kf inst\Killing Floor\System\KillingFloor.exe" = D:\games\kf inst\Killing Floor\System\KillingFloor.exe:*:Disabled:KillingFloor
"D:\Program Files\Mathematica\Mathematica.exe" = D:\Program Files\Mathematica\Mathematica.exe:*:Enabled:Wolfram Mathematica 7 for Students -- (Wolfram Research, Inc.)
"D:\Program Files\Mathematica\MathKernel.exe" = D:\Program Files\Mathematica\MathKernel.exe:*:Enabled:Wolfram Mathematica 7 for Students Kernel -- (Wolfram Research, Inc.)
"D:\Program Files\Mathematica\math.exe" = D:\Program Files\Mathematica\math.exe:*:Enabled:math.exe -- (Wolfram Research, Inc.)
"D:\Program Files\Teamviewer 6\TeamViewer.exe" = D:\Program Files\Teamviewer 6\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application -- (TeamViewer GmbH)
"D:\Program Files\Teamviewer 6\TeamViewer_Service.exe" = D:\Program Files\Teamviewer 6\TeamViewer_Service.exe:*:Enabled:Teamviewer Remote Control Service -- (TeamViewer GmbH)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Disabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"D:\games\World of Tanks\WorldOfTanks.exe" = D:\games\World of Tanks\WorldOfTanks.exe:*:Enabled:World of Tanks -- (Wargaming.net)
"D:\games\World of Tanks\WOTLauncher.exe" = D:\games\World of Tanks\WOTLauncher.exe:*:Enabled:World of Tanks Launcher -- (Wargaming.net)
"C:\Documents and Settings\User\Local Settings\Application Data\Akamai\netsession_win.exe" = C:\Documents and Settings\User\Local Settings\Application Data\Akamai\netsession_win.exe:*:Disabled:netsession_win -- (Akamai Technologies, Inc)
"D:\Program Files\FlashGet 3\Flashget3.exe" = D:\Program Files\FlashGet 3\Flashget3.exe:*:Disabled:FlashGet3 -- (Trend Media Corporation Limited)
"D:\games\MOD\MoD.exe" = D:\games\MOD\MoD.exe:*:Disabled:Multimedia Fusion Stand Alone Application -- (Clickteam)
"C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Disabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"D:\games\You Have to Win the Game\TheGame.exe" = D:\games\You Have to Win the Game\TheGame.exe:*:Enabled:TheGame -- ()
"C:\Documents and Settings\All Users\Application Data\Battle.net\Agent\Agent.524\Agent.exe" = C:\Documents and Settings\All Users\Application Data\Battle.net\Agent\Agent.524\Agent.exe:*:Enabled:Blizzard Agent -- (Blizzard Entertainment)
"C:\Documents and Settings\All Users\Application Data\Battle.net\Agent\Agent.954\Agent.exe" = C:\Documents and Settings\All Users\Application Data\Battle.net\Agent\Agent.954\Agent.exe:*:Enabled:Blizzard Agent -- (Blizzard Entertainment)
"D:\games\Titan Quest IT\Tqit.exe" = D:\games\Titan Quest IT\Tqit.exe:*:Disabled:Tqit -- ()
"C:\WINDOWS\system32\rsync.exe" = C:\WINDOWS\system32\rsync.exe:*:Enabled:Update service -- ()
"D:\Program Files\eMule0.50a\emule.exe" = D:\Program Files\eMule0.50a\emule.exe:*:Enabled:eMule


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{09C8B025-F0C5-4EF2-BC4F-399269BDE0C8}" = Asterix Mega Madness
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0DDCEC37-369C-484B-B16D-B4413FD42FB9}" = Microsoft SQL Server 2008 R2 Data-Tier Application Framework
"{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
"{112C23F2-C036-4D40-BED4-0CB47BF5555C}" = Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
"{14DD7530-CCD2-3798-B37D-3839ED6A441C}" = Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
"{170DE2A7-4768-370C-9671-D8D17826EFBF}" = Microsoft Visual Studio 2010 Performance Collection Tools - ENU
"{1B4D07A6-E599-4D52-886F-57529B267459}" = Logger Pro 3
"{1EAC1D02-C6AC-4FA6-9A44-96258C37C812}_is1" = World of Tanks v.0.6.7
"{1F61E0B1-1AB8-F15E-07C4-46D100A1D3F7}" = Borderlands
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{2A2F3AE8-246A-4252-BB26-1BEB45627074}" = Microsoft SQL Server System CLR Types
"{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A9FC03D-C685-4831-94CF-4EDFD3749497}" = Microsoft SQL Server Compact 3.5 SP2 ENU
"{3BB19A2B-B9C5-3872-8FDF-3047CC9F9841}" = Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
"{412B69AF-C352-4F6F-A318-B92B3CB9ACC6}" = Titan Quest
"{419CF344-3D94-4DAD-99C8-EA7B00E5EA8B}" = Acronis*True*Image*Home
"{41B31ABE-5A6E-498A-8F28-3BA3B8779A41}" = Dotfuscator Software Services - Community Edition
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{47C39E4A-28F2-33B1-B9B7-97F24E52D917}" = Microsoft Help Viewer 1.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E968D9C-21A7-4915-B698-F7AEB913541D}" = Microsoft SQL Server 2008 R2 Management Objects
"{59772D11-9D88-4020-838C-6F4864D0DE8A}" = Many Faces of Go 12
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{6A86554B-8928-30E4-A53C-D7337689134D}" = Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319
"{6CDEAD7E-F8D8-37F7-AB6F-1E22716E30F3}" = Microsoft Visual Studio Macro Tools
"{6ED37A91-7710-3183-BE50-AB043FF6689E}" = Microsoft Team Foundation Server 2010 Object Model - ENU
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{78C3657E-742C-40B1-9F53-E5A921D40F17}" = Microsoft SQL Server 2008 R2 Transact-SQL Language Service
"{8A809006-C25A-4A3A-9DAB-94659BCDB107}" = NVIDIA PhysX
"{90140000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 14
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.SingleImage_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{943A8D28-80D6-41DC-AE94-81FEB42041BF}" = System Requirements Lab CYRI
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{97CE8B73-AA5A-4987-A1BE-50DD1A187478}" = Microsoft Sync Framework SDK v1.0 SP1
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9F53C38E-32CB-4914-9A98-5141D8DBD58D}" = TortoiseSVN 1.7.6.22632 (32 bit)
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A53A11EA-0095-493F-86FA-A15E8A86A405}" = VMware Player
"{A8B94669-8654-4126-BD28-D0D2412CDED6}" = TI Connect 1.6
"{A99968BE-C155-474C-0089-33239DEE1CE2}" = Need For Speed Underground
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AC41D924-8C68-4BD5-A7A1-0AE4176C31A6}" = Crystal Reports for Visual Studio
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{ACE28263-76A4-4BF5-B6F4-8BD719595969}" = Microsoft SQL Server Database Publishing Wizard 1.4
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4E343DD-BAAB-4D59-AD9C-DEA0AFE09DF1}" = Mumble 1.2.3
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{B5C5C17E-FEF6-4062-8151-A427AE8AF9D7}" = Titan Quest Immortal Throne
"{B7E38540-E355-3503-AFD7-635B2F2F76E1}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
"{BC0464FA-A0BA-3E38-85BF-DC5B3A401F48}" = Microsoft Visual Studio 2010 Ultimate - ENU
"{BE3A3BDB-93B0-4F19-ABB1-D63575210C6C}_is1" = Dig-N-Rig version 1.0
"{BEFBEDDF-1417-4C8A-92FB-F003C0D41199}" = OpenOffice.org 3.2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C260343B-6282-42A2-939F-1FF7E503F608}" = Wolfram Notebook Indexer 2.0
"{C3592426-531E-4110-911D-BFECE2CE284C}" = osu!
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C6DD625F-4B61-4561-8286-87CA0275CEA1}" = Microsoft Sync Framework Runtime v1.0 SP1 (x86)
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}" = Microsoft .NET Framework 4 Multi-Targeting Pack
"{D0A42145-3A8A-45C1-BF07-7855A6E91020}" = Oracle VM VirtualBox 4.0.8
"{D9D22492-C0B2-49F5-AD1E-BB38E81E7DB5}" = FusekiLibrary
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{DC3D6AFB-78B4-489F-81D7-30B66E0C2417}" = Microsoft Sync Services for ADO.NET v2.0 SP1 (x86)
"{E2494AD8-314D-44F8-B39C-4358A60DC184}" = LogMeIn Hamachi
"{E5AE9031-79A5-4627-9641-BEFA82819B08}" = Microsoft SQL Server 2008 R2 Data-Tier Application Project
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F0E2B312-D7FD-4349-A9B6-E90B36DB1BD0}" = Paint.NET v3.5.5
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F3856E7C-AD71-48E1-9A95-6D7E7FCB164A}" = Midnight Club II
"{F990B526-8F7C-46E0-B1F1-6C893A8B478F}" = Microsoft Sync Framework Services v1.0 SP1 (x86)
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"53F13DB4D9611FD63BE580F06F0729BF236ABE68" = Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
"7-Zip" = 7-Zip 9.20
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Akamai" = Akamai NetSession Interface Service
"Asterix Gallic War_is1" = Asterix Gallic War
"Audacity_is1" = Audacity 1.2.6
"Bugs Bunny Lost In Time" = Bugs Bunny Lost In Time
"C-Free 5.0_is1" = C-Free 5.0 Professional
"Croc" = Croc
"Dethkarz" = Dethkarz
"Dia" = Dia (remove only)
"Disciples: Sacred Lands Gold Edition" = Disciples: Sacred Lands Gold Edition
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"FaJo XP File Security Extension_is1" = FaJo XP File Security Extension v1.2
"Filzip 3.0.6.93_is1" = Filzip 3.06
"foobar2000" = foobar2000 v1.1
"Fraps" = Fraps (remove only)
"Gruntz" = Gruntz
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"HDD Health_is1" = HDD Health v3.3 Beta
"HyperCam 2" = HyperCam 2
"ie8" = Windows Internet Explorer 8
"InstallShield_{1B4D07A6-E599-4D52-886F-57529B267459}" = Logger Pro 3.8.3 Demo
"IrfanView" = IrfanView (remove only)
"KLiteCodecPack_is1" = K-Lite Codec Pack 6.4.0 (Standard)
"LogMeIn Hamachi" = LogMeIn Hamachi
"Magic ISO Maker v5.5 (build 0281)" = Magic ISO Maker v5.5 (build 0281)
"MagicDisc 2.7.106" = MagicDisc 2.7.106
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Matlab R2011b" = MATLAB R2011b
"Metal Assault" = Metal Assault
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Help Viewer 1.0" = Microsoft Help Viewer 1.0
"Microsoft Security Client" = Microsoft Security Essentials
"Microsoft Team Foundation Server 2010 Object Model - ENU" = Microsoft Team Foundation Server 2010 Object Model - ENU
"Microsoft Visual Studio 2010 Tools for Office Runtime (x86)" = Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
"Microsoft Visual Studio 2010 Ultimate - ENU" = Microsoft Visual Studio 2010 Ultimate - ENU
"Microsoft Visual Studio Macro Tools" = Microsoft Visual Studio Macro Tools
"MiKTeX 2.9" = MiKTeX 2.9
"Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"M-WIN-G 7.0.0 1148361_is1" = Wolfram Mathematica 7 for Students (M-WIN-G 7.0.0 1148361)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Office14.SingleImage" = Microsoft Office Home and Business 2010
"Postal 2_is1" = Portal 2
"PSPad editor_is1" = PSPad editor
"PuTTY_is1" = PuTTY version 0.60
"QuicktimeAlt_is1" = QuickTime Alternative 3.2.2
"RealAlt_is1" = Real Alternative 2.0.2
"RivaTuner" = RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
"Sniper Ghost Warrior_is1" = Sniper Ghost Warrior
"SP6" = Logitech SetPoint 6.15
"SpeedFan" = SpeedFan (remove only)
"Starscape_is1" = Starscape V1.5c
"SystemRequirementsLab" = System Requirements Lab
"TeamViewer 6" = TeamViewer 6
"The Core Media Player" = The Core Media Player 4.0
"The Many Faces of Go 11.0" = The Many Faces of Go 11.0
"TheGame" = You Have to Win the Game
"Tyrian 2000_is1" = Tyrian 2000
"VMware_Player" = VMware Player
"Warkeepers_is1" = Warkeepers
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 07/06/2012 07:16:24 | Computer Name = PRIVAT-D79A2942 | Source = .NET Runtime Optimization Service | ID = 1103
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Tried to start a service that wasn't the latest version of CLR Optimization service.
Will shutdown

Error - 14/06/2012 09:07:02 | Computer Name = PRIVAT-D79A2942 | Source = MsiInstaller | ID = 11925
Description =

Error - 14/06/2012 09:09:50 | Computer Name = PRIVAT-D79A2942 | Source = MsiInstaller | ID = 11925
Description =

Error - 21/06/2012 07:51:46 | Computer Name = PRIVAT-D79A2942 | Source = VsJITDebugger | ID = 4096
Description = An unhandled win32 exception occurred in mfgo.exe [1008]. Just-In-Time
debugging this exception failed with the following error: The logged in user did
not have access to debug the crashing application. Check the documentation index
for 'Just-in-time debugging, errors' for more information.

Error - 21/06/2012 20:49:20 | Computer Name = PRIVAT-D79A2942 | Source = ESENT | ID = 485
Description = wuauclt (1788) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log"
failed with system error 32 (0x00000020): "The process cannot access the file because
it is being used by another process. ". The delete file operation will fail with
error -1032 (0xfffffbf8).

Error - 21/06/2012 20:49:20 | Computer Name = PRIVAT-D79A2942 | Source = ESENT | ID = 485
Description = wuauclt (1788) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log"
failed with system error 32 (0x00000020): "The process cannot access the file because
it is being used by another process. ". The delete file operation will fail with
error -1032 (0xfffffbf8).

Error - 25/06/2012 22:56:34 | Computer Name = PRIVAT-D79A2942 | Source = .NET Runtime Optimization Service | ID = 1103
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Tried to start a service that wasn't the latest version of CLR Optimization service.
Will shutdown

Error - 12/07/2012 15:59:19 | Computer Name = PRIVAT-D79A2942 | Source = Acronis Test Program | ID = 2
Description =

Error - 12/07/2012 15:59:19 | Computer Name = PRIVAT-D79A2942 | Source = Acronis Test Program | ID = 1
Description =

Error - 13/07/2012 14:54:51 | Computer Name = PRIVAT-D79A2942 | Source = VsJITDebugger | ID = 4096
Description = An unhandled win32 exception occurred in process #2076. Just-In-Time
debugging this exception failed with the following error: The process ID is invalid.

Check
the documentation index for 'Just-in-time debugging, errors' for more information.

[ System Events ]
Error - 19/07/2012 13:17:12 | Computer Name = PRIVAT-D79A2942 | Source = Service Control Manager | ID = 7000
Description = The Logitech Beep Suppression Driver service failed to start due to
the following error: %%31

Error - 19/07/2012 13:21:16 | Computer Name = PRIVAT-D79A2942 | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 19/07/2012 13:21:16 | Computer Name = PRIVAT-D79A2942 | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 19/07/2012 13:21:17 | Computer Name = PRIVAT-D79A2942 | Source = Service Control Manager | ID = 7034
Description = The Acronis Scheduler2 Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 19/07/2012 13:21:17 | Computer Name = PRIVAT-D79A2942 | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 19/07/2012 13:21:17 | Computer Name = PRIVAT-D79A2942 | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 19/07/2012 13:21:17 | Computer Name = PRIVAT-D79A2942 | Source = Service Control Manager | ID = 7034
Description = The MBAMService service terminated unexpectedly. It has done this
1 time(s).

Error - 19/07/2012 13:21:17 | Computer Name = PRIVAT-D79A2942 | Source = Service Control Manager | ID = 7034
Description = The Dienst "Bonjour" service terminated unexpectedly. It has done
this 1 time(s).

Error - 19/07/2012 13:21:17 | Computer Name = PRIVAT-D79A2942 | Source = Service Control Manager | ID = 7034
Description = The LogMeIn Hamachi Tunneling Engine service terminated unexpectedly.
It has done this 1 time(s).

Error - 19/07/2012 13:39:00 | Computer Name = PRIVAT-D79A2942 | Source = Service Control Manager | ID = 7000
Description = The Logitech Beep Suppression Driver service failed to start due to
the following error: %%31


< End of report >
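
Added example, not part of the thread and not OTL's own code: a small Python parser for the "Last 20 Event Log Errors" block above. The detail in that block worth a second look is that the Microsoft Antimalware Service, MBAMService and several other services all log Service Control Manager 7031/7034 "terminated unexpectedly" within the same second on 19/07/2012. A burst like that means something killed every user-level service at once; the log does not say what, and a cleaner that kills all processes (TFC does, and so does OTL's killallprocesses) leaves the same trace as malware, so the script only finds and reports such bursts and then names which of the victims look like security tooling. The sample log embedded in it is constructed from the lines above; the SECURITY_HINTS keyword list is an assumption.

```python
"""Parse the "Last 20 Event Log Errors" block of an OTL log and flag bursts of
services terminating at the same moment (Service Control Manager 7031/7034)."""
import re
import sys
from datetime import datetime, timedelta

# Constructed sample: a subset of the System Events from the log above, in the
# exact layout OTL prints them (wrapped Description lines, blank-line separators).
SAMPLE_LOG = r"""========== Last 20 Event Log Errors ==========

[ System Events ]
Error - 19/07/2012 13:17:12 | Computer Name = PRIVAT-D79A2942 | Source = Service Control Manager | ID = 7000
Description = The Logitech Beep Suppression Driver service failed to start due to
the following error: %%31

Error - 19/07/2012 13:21:16 | Computer Name = PRIVAT-D79A2942 | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 19/07/2012 13:21:16 | Computer Name = PRIVAT-D79A2942 | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 19/07/2012 13:21:17 | Computer Name = PRIVAT-D79A2942 | Source = Service Control Manager | ID = 7034
Description = The MBAMService service terminated unexpectedly. It has done this
1 time(s).

Error - 19/07/2012 13:21:17 | Computer Name = PRIVAT-D79A2942 | Source = Service Control Manager | ID = 7034
Description = The Dienst "Bonjour" service terminated unexpectedly. It has done
this 1 time(s).

< End of report >
"""

HEADER_RE = re.compile(
    r"^Error - (?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) \| Computer Name = (?P<host>\S+)"
    r" \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$")
SERVICE_RE = re.compile(r"^The (?P<svc>.+?) service (?:terminated unexpectedly|failed to start)")
# Assumed keyword list for service names that look like security tooling.
SECURITY_HINTS = ("antimalware", "mbam", "antivirus", "security", "defender")


def parse_events(text):
    """One dict per 'Error - ...' record; wrapped Description lines are rejoined."""
    events, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        sec = re.match(r"^\[ (.+?) \]$", line)
        if sec:
            section, current = sec.group(1), None
        elif line.startswith(("=====", "<")):          # block header / end of report
            current = None
        elif HEADER_RE.match(line):
            head = HEADER_RE.match(line)
            current = {"section": section, "host": head["host"],
                       "time": datetime.strptime(head["ts"], "%d/%m/%Y %H:%M:%S"),
                       "source": head["source"], "id": int(head["id"]),
                       "description": ""}
            events.append(current)
        elif current is not None and line:
            if line.startswith("Description ="):
                line = line[len("Description ="):].strip()
            current["description"] = (current["description"] + " " + line).strip()
    return events


def service_terminations(events, window=timedelta(seconds=5), min_count=3):
    """Group SCM 7031/7034 records; return bursts of at least `min_count`
    services that died within `window` of the first one in the group."""
    hits = []
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["id"] in (7031, 7034):
            m = SERVICE_RE.match(ev["description"])
            hits.append((ev["time"], m["svc"] if m else ev["description"]))
    hits.sort()
    bursts, i = [], 0
    while i < len(hits):
        j = i
        while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append({"start": hits[i][0], "end": hits[j][0],
                           "services": [svc for _, svc in hits[i:j + 1]]})
        i = j + 1
    return bursts


def security_services_hit(bursts):
    """Service names inside the bursts that match SECURITY_HINTS (sorted)."""
    return sorted({s for b in bursts for s in b["services"]
                   if any(h in s.lower() for h in SECURITY_HINTS)})


if __name__ == "__main__":
    # Usage: python otl_bursts.py OTL.Txt   (no argument: runs on the sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    bursts = service_terminations(parse_events(text))
    for b in bursts:
        print(f"{b['start']:%d/%m/%Y %H:%M:%S}: {len(b['services'])} services terminated "
              f"within {(b['end'] - b['start']).seconds}s: {', '.join(b['services'])}")
    print("security tooling among them:", security_services_hit(bursts))
```

On the sample it reports one burst of four services starting 19/07/2012 13:21:16, with MBAMService and the Microsoft Antimalware Service among them. Pointing it at a full OTL.Txt works the same way; the 7000 "failed to start" records are parsed but deliberately left out of the burst logic, since a driver that never starts is a different problem from a service that was killed.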

ken545
2012-07-19, 23:18
Hey,

Your log looks pretty healthy.

Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL




:processes
killallprocesses

:OTL


:Services

:Reg

:Files
ipconfig /flushdns /c


:Commands
[purity]
[resethosts]
[CLEARALLRESTOREPOINTS]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces



Let me also know how you feel things are running now ???
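
The `[resethosts]` directive in the fix above overwrites C:\WINDOWS\system32\drivers\etc\hosts with the stock file. As an added example (mine, not the thread's and not OTL's code), the script below shows what such a reset is throwing away: it parses a hosts file, ignores the one legitimate `127.0.0.1 localhost` line, and reports every other mapping with a reason, paying special attention to security-vendor or update-server names pointed at loopback or 0.0.0.0, which is the classic way an infection blocks updates and removal tools. The sample file is constructed, the WATCH_DOMAINS list is an assumption, and nothing here says the poster's file was actually tampered with.

```python
"""Audit a Windows hosts file: report every mapping a reset to the default file
would discard, and say why each one deserves a look."""
import ipaddress
import sys

# Default content of a Windows XP hosts file once comments are stripped
# (assumption: the IPv6 '::1 localhost' line only appears from Vista onward).
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Assumed watch list: domains an infection commonly points at loopback to block
# updates or removal tools. Extend for whatever tooling is on the machine.
WATCH_DOMAINS = ("microsoft.com", "windowsupdate.com", "malwarebytes.org",
                 "safer-networking.org", "eset.com")

# Constructed sample of a tampered file. 192.0.2.10 is from the RFC 5737
# documentation range, not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
0.0.0.0         update.microsoft.com   # sinkholed via the unspecified address
192.0.2.10      www.example.com
"""


def parse_hosts(text):
    """Return (line_no, address, [names]) for every non-comment, non-blank line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if body:
            addr, *names = body.split()
            entries.append((no, addr, names))
    return entries


def _mappings(text):
    """Address/name pairs without line numbers, so comments don't matter."""
    return [(addr, names) for _, addr, names in parse_hosts(text)]


def is_default(text):
    """True if the file maps exactly what the stock XP file maps."""
    return _mappings(text) == _mappings(DEFAULT_HOSTS)


def _watched(name):
    host = name.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)


def audit_hosts(text):
    """Return (line_no, 'addr name', reason) for every mapping except the
    loopback 'localhost' line; all of them are what a hosts reset discards."""
    findings = []
    for no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((no, addr, "unparseable address"))
            continue
        for name in names:
            if name.lower() == "localhost" and ip.is_loopback:
                continue
            entry = f"{addr} {name}"
            if _watched(name):
                findings.append((no, entry, "security/update domain redirected"))
            elif ip.is_loopback or ip.is_unspecified:
                findings.append((no, entry, "name sinkholed to loopback/0.0.0.0"))
            else:
                findings.append((no, entry, "static mapping to a remote address"))
    return findings


if __name__ == "__main__":
    # Usage: python hosts_audit.py C:\WINDOWS\system32\drivers\etc\hosts
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    print("stock file:", is_default(text))
    for no, entry, reason in audit_hosts(text):
        print(f"line {no:>3}: {entry:<45} {reason}")
```

Run it against the real file before letting a tool reset it: a machine that legitimately carries entries for a LAN or a test server will show them as "static mapping to a remote address", and those are the lines you want to write down and put back afterwards, while anything tagged "redirected" or "sinkholed" should simply go.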

Wiany
2012-07-19, 23:47
OTL froze in exactly the same way as TFC while killing the processes.

ken545
2012-07-20, 01:13
OK, let's do this: run a different cleaner, but do not select all, just check each one, one at a time, until you get them all.

Please download ATF Cleaner (http://majorgeeks.com/ATF_Cleaner_d4949.html) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility. If you want to keep your log-on info, just click on Select All and then uncheck cookies.

http://i24.photobucket.com/albums/c30/ken545/Atribune.jpg
Thank You Atribune

Wiany
2012-07-20, 12:16
ATF ran without problems, but it said it didn't remove any files from the java cache. The cache still contains 16MB of stuff, including both infected files. I then tried deleting files from the cache manually to see if it's possible, and it works fine (and I restored the deleted files).

ken545
2012-07-20, 14:46
I am not following you: you restored the files from the Java cache that were removed? Those can be removed permanently.


How is your system behaving now ?

Wiany
2012-07-20, 16:10
No: I ran ATF as you told me and used it to clean one element at a time. However, when I used it to clean the Java cache, it said that it didn't delete any files. So, I opened the Java cache folder to see if it is empty, but it isn't; there are plenty of files in it.

So, I wanted to find out whether something was preventing ATF from emptying the cache. In order to check that, I tried deleting some files from the cache folder manually, and they could be deleted just fine. But since you don't want me to do things myself, I undid that deletion.

ken545
2012-07-20, 16:53
That's fine, no harm in deleting the cache; go ahead and empty it and then run a new scan with ESET and let's see where we stand.

Wiany
2012-07-20, 20:55
Ok, I deleted the cache. ESET scanned and found nothing.

I wasn't noticing anything suspicious even before cleaning, so I can't tell whether anything is still left.

ken545
2012-07-20, 22:36
Great, looks like you're good to go unless you feel you're having any other issues.

Wiany
2012-07-21, 05:46
Thanks very much for the help, I'll post if I notice anything.

ken545
2012-07-21, 12:46
You're very welcome. I will leave this thread open until tomorrow; after that it will be closed, so if you need to post back after tomorrow just start a new topic.



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/index.php?showtopic=57817)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken

ken545
2012-07-23, 02:04
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.