
Thread: help with Backdoor Trojan

  1. #1
    Junior Member
    Join Date
    May 2010
    Posts
    12

    help with Backdoor Trojan

    Hi, can anyone help me with advice on how to remove a virus my PC seemed to get 2 days ago? It's called `Backdoor:Win32.Nuwar.A` and seems to be in at least one folder, `AppData/local.asam`, and possibly in `AppData/local.syssvc` too (according to Microsoft Security Essentials, as it asks me to send info on those files every time it has to clean Backdoor/Win32.Nuwar.A from the system).

    Microsoft Security Essentials has detected and deleted this virus over and over in the past 48 hrs since it showed up, but it just keeps popping back, and I have to repeat the scans and deletes time after time.

    I'm stumped on what to do. I rarely ever get any viruses or any cause for Microsoft Security Essentials to be called into action, and the rare past problems have been dealt with and deleted the first time, no problem, but this virus just keeps coming back for more, and I've no idea what to do since Microsoft Security Essentials doesn't seem to be able to deal with it this time.

    Many Thanks.

    Allison.

    I'm really sorry, I should have read more carefully what info I needed to include with my description. I'm a noob, I apologise. After re-reading the "before you post" topic more carefully, I only hope I now get it right and put the bits in right in this second post, or my secret identity as a blonde air-head will be blown. lol.... here goes...

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Allison at 1:17:22.41 on 14/05/2010
    Internet Explorer: 8.0.6001.18882
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1534.867 [GMT 1:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Windows\System32\wpcumi.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Allison\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QP0OFCO2\dds[1].scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.facebook.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [dwdttuvn] c:\users\allison\appdata\local\xxaimewmp\lrijxgmtssd.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
    LSP: c:\windows\system32\wpclsp.dll
    DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\allison\appdata\roaming\mozilla\firefox\profiles\v1soe1id.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://facebook.com/
    FF - prefs.js: keyword.URL - hxxp://search.bearshare.com//web?src=ffb&q=
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\users\allison\appdata\roaming\mozilla\plugins\np-mswmp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
    S2 IK;IKE and AuthIP IPsec Keying Modules;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]

    =============== Created Last 30 ================

    2010-05-13 07:28:45 4838 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2010-05-12 02:37:40 157634354 ----a-w- c:\windows\MEMORY.DMP
    2010-05-01 02:58:20 0 d-----w- c:\programdata\1468
    2010-04-27 23:09:52 0 d-----w- c:\program files\common files\DivX Shared
    2010-04-27 23:09:06 0 d-----w- c:\program files\DivX
    2010-04-27 23:08:36 0 d-----w- c:\programdata\DivX
    2010-04-27 16:55:30 2560 ----a-w- c:\windows\_MSRSTRT.EXE
    2010-04-20 09:46:04 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
    2010-04-20 09:46:03 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
    2010-04-20 09:46:00 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
    2010-04-20 09:45:58 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
    2010-04-20 09:35:41 0 d--h--w- c:\windows\msdownld.tmp
    2010-04-20 09:35:35 0 d-----w- c:\windows\system32\directx
    2010-04-19 17:18:27 0 d-----w- c:\program files\Microsoft Security Essentials

    ==================== Find3M ====================

    2010-04-20 15:35:46 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-04-20 15:25:39 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-04-20 15:25:39 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-04-17 17:24:40 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
    2010-02-24 10:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-01-10 17:26:11 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2010-02-05 12:27:47 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-12-18 17:00:45 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

    ============= FINISH: 1:18:24.26 ===============
    Last edited by tashi; 2010-05-17 at 03:52. Reason: Merged two posts :-)
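Added example (the editor's, not part of the thread and not output of DDS or any tool mentioned in it): the Pseudo HJT report in the post above already contains the two entries a responder would pull out when an antivirus keeps re-detecting the same file. One is the user Run value `dwdttuvn`, which launches a randomly named executable out of AppData\Local; the other is the Internet Explorer proxy set to 127.0.0.1:5555, which routes all browser traffic through whatever process is listening on that local port. The script below applies those checks to the report lines (copied above into a constructed sample) and also flags the BHO entry that points at "No File". The rules, the list of user-writable directories and the vowel-ratio heuristic for generated names are the editor's own assumptions, not anything DDS or Security Essentials implements.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" posted
# above, so the triage runs offline. A raw string keeps the backslashes.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [dwdttuvn] c:\users\allison\appdata\local\xxaimewmp\lrijxgmtssd.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
"""

RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
BHO_RE = re.compile(r"^BHO:\s*(?P<desc>.+) - (?P<target>.+)$")

# Assumption (editor's, not DDS's): an autorun living in one of these
# user-writable locations is treated as high severity.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\users\\public\\")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
VOWELS = set("aeiou")


@dataclass
class Finding:
    severity: str  # "high" | "medium" | "low"
    rule: str
    line: str


def looks_random(token: str) -> bool:
    """Crude heuristic for generated names such as 'dwdttuvn': a letters-only
    token of 8+ characters with fewer than 20% vowels."""
    t = token.lower()
    if len(t) < 8 or not t.isalpha():
        return False
    return sum(c in VOWELS for c in t) / len(t) < 0.2


def exe_path(cmd: str) -> str:
    """Pull the executable out of a Run value: a quoted path, else the first
    token ending in an executable extension, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|scr|pif|com|bat|dll))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def random_tokens(name: str, path: str) -> list[str]:
    """The Run value name plus every path component stem that looks generated."""
    stems = [p.rsplit(".", 1)[0] for p in [name] + path.split("\\")]
    return [s for s in stems if looks_random(s)]


def triage(report: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.match(line):
            # Value may be "host:port" or "http=host:port;https=host:port".
            for piece in m["value"].split(";"):
                hostport = piece.split("=", 1)[-1].strip()
                host = hostport.rsplit(":", 1)[0].strip("[]").lower()
                if host in LOOPBACK:
                    findings.append(Finding(
                        "high",
                        f"IE proxy set to loopback ({hostport}): a local process sits in the browser's path",
                        line))
                    break
        elif m := RUN_RE.match(line):
            path = exe_path(m["cmd"])
            in_profile = any(d in path.lower() for d in USER_WRITABLE)
            rnd = random_tokens(m["name"], path)
            if in_profile:
                rule = "autorun launches from a user-writable profile directory"
                if rnd:
                    rule += f"; generated-looking names {rnd}"
                findings.append(Finding("high", rule, line))
            elif rnd:
                findings.append(Finding("medium", f"autorun with generated-looking names {rnd}", line))
        elif (m := BHO_RE.match(line)) and m["target"].strip().lower() == "no file":
            findings.append(Finding(
                "low", "orphaned BHO: CLSID still registered but its DLL is gone (cleanup candidate)", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for f in results:
        print(f"[{f.severity:>6}] {f.rule}\n         {f.line}")
    print(summarize(results))
```

Run against the sample, the two high findings are the loopback proxy and the `dwdttuvn` autorun (with both `dwdttuvn` and `lrijxgmtssd` flagged as generated-looking), while the Messenger and MSSE entries, which live under Program Files and carry pronounceable names, produce nothing. The vowel-ratio test is deliberately only applied on top of the location check, since legitimate short names such as `msnmsgr` would otherwise trip it.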

  2. #2
    Emeritus - Security Expert
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hello and welcome to Safer Networking

    My name is peku006 and I will be helping you to remove any infection(s) that you may have.
    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    Please observe these rules while we work:

    • If you don't know or understand something please don't hesitate to ask
    • Please DO NOT run any other tools or scans whilst I am helping you.
    • It is important that you reply to this thread. Do not start a new topic.
    • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    • Absence of symptoms does not mean that everything is clear.


    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    http://www.bleepingcomputer.com/comb...o-use-combofix

    Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    If you need help to disable your protection programs see here.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  3. #3
    Junior Member
    Join Date
    May 2010
    Posts
    12

    ComboFix Log 17/05/10

    ComboFix 10-05-16.02 - Allison 17/05/2010 19:36:33.1.1 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1534.886 [GMT 1:00]
    Running from: c:\users\Allison\Desktop\ComboFix.exe
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))
    .

    2010-05-15 17:28 . 2010-05-15 17:28 -------- d-----w- c:\users\Allison\AppData\Roaming\Safer Networking
    2010-05-15 17:26 . 2010-05-15 17:28 -------- d-----w- c:\program files\Safer Networking
    2010-05-14 13:39 . 2010-05-14 13:39 2855 ----a-w- c:\users\Allison\AppData\Local\syssvc.PIF
    2010-05-14 01:19 . 2010-05-14 01:24 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-05-14 01:19 . 2010-05-14 01:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-05-14 01:10 . 2010-05-14 01:12 -------- d-----w- c:\program files\ERUNT
    2010-05-13 07:21 . 2010-05-13 07:21 61184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{EAB66D24-8614-3E15-A4B7-BE2D7054983A}-asam.exe
    2010-05-12 03:24 . 2010-05-12 03:24 61184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{0D7CE56F-74E6-6B51-C4F9-A8D568E6C3D3}-asam.exe
    2010-05-12 03:17 . 2010-05-12 03:17 2855 ----a-w- c:\users\Allison\AppData\Local\asam.PIF
    2010-05-12 01:12 . 2010-05-12 01:12 61184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{20C19514-C1F7-28B5-4721-19085FA3684C}-syssvc.exe
    2010-05-01 02:58 . 2010-05-01 02:58 -------- d-----w- c:\programdata\1468
    2010-04-27 23:11 . 2010-04-27 23:11 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
    2010-04-27 23:11 . 2010-04-27 23:08 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
    2010-04-27 23:11 . 2010-04-06 11:04 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
    2010-04-27 23:10 . 2010-04-27 23:10 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
    2010-04-27 23:10 . 2010-04-27 23:10 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
    2010-04-27 23:10 . 2010-04-27 23:10 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
    2010-04-27 23:10 . 2010-04-27 23:10 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
    2010-04-27 23:10 . 2010-04-27 23:10 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
    2010-04-27 23:09 . 2010-04-27 23:09 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
    2010-04-27 23:09 . 2010-04-27 23:09 -------- d-----w- c:\program files\Common Files\DivX Shared
    2010-04-27 23:09 . 2010-04-27 23:10 -------- d-----w- c:\program files\DivX
    2010-04-27 23:08 . 2010-04-27 23:10 -------- d-----w- c:\programdata\DivX
    2010-04-27 16:55 . 2010-04-27 16:55 2560 ----a-w- c:\windows\_MSRSTRT.EXE
    2010-04-20 09:46 . 2010-02-04 09:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
    2010-04-20 09:46 . 2010-02-04 09:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
    2010-04-20 09:46 . 2010-02-04 09:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
    2010-04-20 09:45 . 2010-02-04 09:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
    2010-04-20 09:35 . 2010-04-20 09:42 -------- d--h--w- c:\windows\msdownld.tmp
    2010-04-19 17:18 . 2010-04-19 17:18 -------- d-----w- c:\program files\Microsoft Security Essentials

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-13 22:11 . 2010-05-13 07:28 4838 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2010-05-06 14:04 . 2009-12-08 11:55 1356 ----a-r- c:\users\Allison\AppData\Local\d3d9caps.dat
    2010-05-01 04:09 . 2009-12-22 22:29 -------- d-----w- c:\program files\Google
    2010-04-20 15:25 . 2010-03-21 02:38 -------- d-----w- c:\program files\Common Files\LogiShrd
    2010-04-18 16:37 . 2009-11-28 13:45 99864 ----a-w- c:\users\Allison\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-04-17 17:24 . 2010-03-20 16:31 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
    2010-04-14 15:19 . 2009-12-15 04:52 -------- d-----w- c:\programdata\NOS
    2010-04-13 21:16 . 2010-04-13 21:16 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb34AA.tmp.exe
    2010-04-12 18:05 . 2009-11-28 14:02 -------- d-----w- c:\program files\World of Warcraft
    2010-04-06 18:30 . 2010-04-06 18:30 -------- d-----w- c:\programdata\WindowsSearch
    2010-03-26 19:57 . 2010-03-26 19:57 -------- d-----w- c:\users\Kids\AppData\Roaming\Logitech
    2010-03-26 05:55 . 2009-12-17 15:45 -------- d-----w- c:\program files\Steam
    2010-03-26 05:35 . 2009-11-30 17:05 -------- d-----w- c:\programdata\Apple Computer
    2010-03-24 21:06 . 2010-03-24 21:06 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\AdobeARM.exe
    2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\AdobeExtractFiles.dll
    2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\ReaderUpdater.exe
    2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\AcrobatUpdater.exe
    2010-03-21 02:40 . 2010-03-21 02:40 53248 ----a-r- c:\users\Allison\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
    2010-03-21 02:40 . 2010-01-19 18:07 -------- d-----w- c:\programdata\LogiShrd
    2010-03-21 02:39 . 2010-03-21 02:39 -------- d-----w- c:\program files\Common Files\SetPointG
    2010-03-21 02:39 . 2010-03-21 02:39 -------- d-----w- c:\program files\Common Files\SetPointP
    2010-03-20 16:25 . 2010-03-20 16:22 -------- d-----w- c:\users\Allison\AppData\Roaming\Logitech
    2010-03-20 16:23 . 2010-03-20 16:22 -------- d-----w- c:\users\Allison\AppData\Roaming\Logishrd
    2010-03-20 12:59 . 2010-01-27 17:32 -------- d-----w- c:\programdata\Microsoft Help
    2010-03-20 09:52 . 2010-03-12 11:10 -------- d-----w- c:\program files\Canon
    2010-03-20 09:50 . 2010-03-12 07:12 -------- d-----w- c:\users\Allison\AppData\Roaming\Canon
    2010-03-20 09:28 . 2009-12-17 15:46 -------- d-----w- c:\program files\Common Files\Steam
    2010-02-24 10:16 . 2009-11-29 10:47 181632 ------w- c:\windows\system32\MpSigStub.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-29 61440]
    "WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

    c:\users\Kids\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Office Groove.lnk - c:\program files\Microsoft Office\Office12\GROOVE.EXE [2007-8-29 340856]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

    c:\users\Allison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    taskmgr shortcut.lnk - c:\windows\System32\taskmgr.exe [2008-1-21 163840]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EvtMgr6]
    2010-01-27 11:30 1312848 ----a-w- c:\program files\Common Files\SetPointP\SetPoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):36,7a,29,09,1b,92,ca,01

    R2 IK;IKE and AuthIP IPsec Keying Modules;c:\windows\system32\svchost.exe [2008-01-21 21504]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-05-14 14:31]

    2010-05-14 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2010-05-14 14:31]

    2010-05-17 c:\windows\Tasks\User_Feed_Synchronization-{3BA4D43F-A437-4B6A-A315-69B39969253D}.job
    - c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]

    2010-05-17 c:\windows\Tasks\User_Feed_Synchronization-{850964FB-6DB5-4D9A-9069-350105764764}.job
    - c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]

    2010-05-17 c:\windows\Tasks\User_Feed_Synchronization-{D58A8518-80BB-4064-9FA8-053C5566BE4A}.job
    - c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.facebook.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    LSP: c:\windows\system32\wpclsp.dll
    FF - ProfilePath - c:\users\Allison\AppData\Roaming\Mozilla\Firefox\Profiles\v1soe1id.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://facebook.com/
    FF - prefs.js: keyword.URL - hxxp://search.bearshare.com//web?src=ffb&q=
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\users\Allison\AppData\Roaming\Mozilla\plugins\np-mswmp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-dwdttuvn - c:\users\Allison\AppData\Local\xxaimewmp\lrijxgmtssd.exe
    MSConfigStartUp-DriverUpdaterPro - c:\program files\CleverTune Software\Driver Updater Pro\DriverUpdaterPro.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-17 19:43
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-05-17 19:47:10
    ComboFix-quarantined-files.txt 2010-05-17 18:47

    Pre-Run: 79,005,655,040 bytes free
    Post-Run: 87,193,210,880 bytes free

    Current=3 Default=3 Failed=4 LastKnownGood=5 Sets=1,3,4,5
    - - End Of File - - 830DF9DADC585540C9C2F85F93AF2443
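Added example, again the editor's and not part of the thread or of ComboFix: the "Files Created" section of the log above records the pattern behind "it keeps coming back". The Microsoft Antimalware LocalCopy folder (where Security Essentials keeps copies of files it acted on) received a 61184-byte asam.exe on 12 May and again on 13 May, plus a syssvc.exe of the same size on 12 May, and small asam.PIF / syssvc.PIF files appeared in AppData\Local next to them. The script parses those lines (copied here as a constructed sample), groups them by artifact family with the GUID prefix stripped, and reports families that reappear, identical-size repeats, .PIF files in the user profile, and the hours between re-creations. Reading identical sizes as the same payload being re-dropped by a surviving dropper is the editor's inference, not something the log itself states.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: a subset of the "Files Created" lines from the ComboFix
# log above, copied verbatim; the raw string keeps the backslashes.
SAMPLE_CREATED = r"""
2010-05-15 17:26 . 2010-05-15 17:28 -------- d-----w- c:\program files\Safer Networking
2010-05-14 13:39 . 2010-05-14 13:39 2855 ----a-w- c:\users\Allison\AppData\Local\syssvc.PIF
2010-05-13 07:21 . 2010-05-13 07:21 61184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{EAB66D24-8614-3E15-A4B7-BE2D7054983A}-asam.exe
2010-05-12 03:24 . 2010-05-12 03:24 61184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{0D7CE56F-74E6-6B51-C4F9-A8D568E6C3D3}-asam.exe
2010-05-12 03:17 . 2010-05-12 03:17 2855 ----a-w- c:\users\Allison\AppData\Local\asam.PIF
2010-05-12 01:12 . 2010-05-12 01:12 61184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{20C19514-C1F7-28B5-4721-19085FA3684C}-syssvc.exe
2010-04-27 23:11 . 2010-04-27 23:11 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
"""

# ComboFix line: "<created> . <modified> <size|--------> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
# The LocalCopy names carry a GUID prefix: "{...}-asam.exe" -> "asam.exe".
GUID_PREFIX = re.compile(r"^\{[0-9a-f-]{36}\}-", re.I)


@dataclass(frozen=True)
class Entry:
    created: datetime
    modified: datetime
    size: int | None  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def family(name: str) -> str:
    """Collapse '{GUID}-asam.exe', 'asam.PIF' and 'asam.exe' onto 'asam'."""
    stem = GUID_PREFIX.sub("", name)
    if "." in stem:
        stem = stem.rsplit(".", 1)[0]
    return stem.lower()


def parse_created(text: str) -> list[Entry]:
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and ComboFix's "." separators
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=size, attrs=m["attrs"], path=m["path"]))
    return entries


def recurring(entries: list[Entry], min_count: int = 2) -> dict[str, list[Entry]]:
    """Families of files that were created more than once, oldest first."""
    groups: dict[str, list[Entry]] = defaultdict(list)
    for e in entries:
        if not e.is_dir:
            groups[family(e.name)].append(e)
    return {k: sorted(v, key=lambda e: e.created)
            for k, v in groups.items() if len(v) >= min_count}


def same_size_repeats(entries: list[Entry]) -> dict[tuple[str, int], int]:
    """(family, size) pairs seen at least twice: the same payload re-dropped."""
    counts: dict[tuple[str, int], int] = defaultdict(int)
    for e in entries:
        if not e.is_dir and e.size is not None:
            counts[(family(e.name), e.size)] += 1
    return {k: n for k, n in counts.items() if n >= 2}


def pif_in_profile(entries: list[Entry]) -> list[Entry]:
    """.PIF files under a user's AppData: a legacy executable type with no
    business there, and here the companion of each re-created payload."""
    return [e for e in entries if not e.is_dir
            and e.name.lower().endswith(".pif")
            and "\\appdata\\" in e.path.lower()]


def reappearance_gaps(group: list[Entry]) -> list[float]:
    """Hours between successive creations within one family (oldest first)."""
    return [(b.created - a.created).total_seconds() / 3600
            for a, b in zip(group, group[1:])]


if __name__ == "__main__":
    entries = parse_created(SAMPLE_CREATED)
    for fam, group in recurring(entries).items():
        print(f"{fam}: {len(group)} creations, gaps (h) = "
              f"{[round(g, 2) for g in reappearance_gaps(group)]}")
        for e in group:
            print(f"    {e.created:%Y-%m-%d %H:%M}  {e.size:>6}  {e.path}")
    print("same-size repeats:", same_size_repeats(entries))
    print("PIF in profile:", [e.path for e in pif_in_profile(entries)])
```

On the sample this yields two recurring families, `asam` (PIF at 03:17, payload copy at 03:24, another payload copy about 28 hours later) and `syssvc`, one identical-size repeat (`asam`, 61184 bytes, twice), and the two .PIF files in AppData\Local. That is the shape of a cleanup that is removing a dropped file while leaving the thing that drops it, which is what the ComboFix orphan removal of the `dwdttuvn` Run key in the same log goes after.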

  4. #4
    Emeritus - Security Expert
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hi lilcrooky

    1 - Download and Run Malwarebytes' Anti-Malware

    Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
    Please download Malwarebytes Anti-Malware and save it to your desktop. If needed...Tutorial w/screenshots
    Alternate download sites available here or here.
    1. Make sure you are connected to the Internet.
    2. Double-click on mbam-setup.exe to install the application.
    3. When the installation begins, follow the prompts and do not make any changes to default settings.
    4. When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
      • Then click Finish.
      MBAM will automatically start and you will be asked to update the program before performing a scan.
      • If an update is found, the program will automatically update itself.
      • Press the OK button to close that box and continue.
      • Problems downloading the updates? Manually download them from here and double-click on "mbam-rules.exe" to install.

    On the Scanner tab:
    1. Make sure the "Perform full scan" option is selected.
    2. Then click on the Scan button.
    3. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    4. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    5. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    6. Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:
    1. Click on the Show Results button to see a list of any malware that was found.
    2. Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
      We will take care of the System Volume Information items later.
    3. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    4. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
      The log can also be found here:
      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    5. Copy and paste the contents of that report in your next reply and exit MBAM.


    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
    Click OK to either and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    2 - Status Check
    Please reply with

    the Malwarebytes' Anti-Malware Log

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  5. #5
    Junior Member
    Join Date
    May 2010
    Posts
    12


    I also forgot to mention that I have been unable to perform any Windows Updates at all since 16/02/2010. When I try to access Windows Update via Control Panel (> Control Panel > System and Maintenance > Windows Update), it crashes the Control Panel screen the second I click on Windows Update, and the crashed Control Panel screen can then only be removed again via Task Manager (selecting the crashed Control Panel window in the Applications tab and clicking End Task, which opens a small window saying it is not responding and giving me the option to `End Now`, which I do). When I do that, it pops up with a window saying `Windows Explorer is not responding` > Check for a solution and close the program (it checks but never offers a solution / no solutions found) & > Close the program & View problem details (Description:
    A problem caused this program to stop interacting with Windows.

    Problem signature:
    Problem Event Name: AppHangXProcB1
    Application Name: Explorer.EXE
    Application Version: 6.0.6002.18005
    Application Timestamp: 49e01da5
    Hang Signature: 82aa
    Hang Type: 6208
    Waiting on Application Name: svchost.exe:{9b1f122c-2982-4e91-aa8b-e071d54f2a4d}
    Waiting on Application Version: 0.0.0.0
    OS Version: 6.0.6002.2.2.0.768.3
    Locale ID: 2057
    Additional Hang Signature 1: cc926d7385ddf3e3f97224a44dccc56f
    Additional Hang Signature 2: 49ca
    Additional Hang Signature 3: 3fb2b40050b6728d372f689f24329bc1
    Additional Hang Signature 4: 82aa
    Additional Hang Signature 5: cc926d7385ddf3e3f97224a44dccc56f
    Additional Hang Signature 6: 49ca
    Additional Hang Signature 7: 3fb2b40050b6728d372f689f24329bc1

    Read our privacy statement:
    http://go.microsoft.com/fwlink/?link...3&clcid=0x0409)

    I've also noticed for a couple of months that whenever Task Manager is open, the CPU usage (bar/graph) is always at 100%. When I check this via > Task Manager > Performance > Resource Monitor > CPU, it shows `svchost.exe` always at the top of that list, using an `Average CPU` amount of 72%-81% (it changes constantly while I'm looking at it but is normally between those figures), and the old `generate health reports` through Resource Monitor has pointed out something to do with `svchost.exe` files that of course I couldn't understand. It seems incredibly high even to a tech novice like myself; nothing else comes close on the `Average CPU` list (anything listed under svchost.exe, of which there are many) in %, so I wondered if that was usual too?

    Sorry, I'm PC illiterate, but I can just about find my way around, especially if helped/pointed in the right direction, and would love to get to the bottom of the:

    Windows Update issue
    CPU usage issue
    Backdoor:Win32/Nuwar.A
    Trojan:Win32/FakeSpypro

    and any other issues my PC may have that haven't been spotted (those four issues/problems/viruses are merely the ones I've managed to see/detect so far, but there may be ones that were not as obvious as those to spot, and therefore have gone easily unspotted by my very untrained eye), and restore some normality back to my system, and of course learn how to prevent such occurrences happening again once these ones are resolved. I'm hoping to deal with them, then happy to learn from past mistakes to prevent it happening again.

    Thanks for the time and help on this so far...

    Allison.


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4111

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18882

    18/05/2010 14:47:56
    mbam-log-2010-05-18 (14-47-56).txt

    Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
    Objects scanned: 255960
    Time elapsed: 1 hour(s), 37 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  6. #6
    Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi Allison

    Let's take a "deeper look"

    Download OTL by Old Timer and save it to your Desktop.
    • Double click on OTL.exe to run it.
    • Under Output, ensure that Minimal Output is selected.
    • Under Extra Registry section, select Use SafeList.
    • Click the Scan All Users checkbox.
    • Click on Run Scan at the top left hand corner.
    • When done, two Notepad files will open.
      • OTListIt.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Please post the contents of these 2 Notepad files in your next reply.


    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
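Once OTL output is posted, the helper's job is to read it for a handful of indicators before deciding on a fix. The script below is an added example (editor's code, not peku006's and not part of OTL) that does that first pass mechanically over OTL's line formats: a ProxyServer value pointing back at the local host, orphaned O2/O28 entries whose target is gone, recently changed executables with no company name under user-writable folders, and alternate data streams. The line formats are inferred from the log posted later in this thread, the sample lines are constructed from that log, and the extension and folder lists are the editor's assumptions; the script only reports, the judgement stays with the analyst.

```python
"""Triage an OTL (OldTimer's List-It) log: extract the entries an analyst
reads first and flag common persistence / hijack indicators.

Added example (editor's code, not OTL's). Line formats are inferred from
the OTL log posted in this thread; EXEC_EXT and USER_DIRS are assumptions.
"""
import ntpath
import re

# OTL line formats, as seen in the posted log.
FILE_LINE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>.*?)\) -- (?P<path>.+)$"
)
PROXY_LINE = re.compile(r'"ProxyServer" = (?P<value>.+)$')
HOSTS_LINE = re.compile(r"^O1 - Hosts: (?P<entry>.+)$")
HOSTS_MORE = re.compile(r"^(?P<n>\d+) more lines\.\.\.$")   # OTL's own truncation
ADS_LINE = re.compile(r"^@Alternate Data Stream - \d+ bytes -> (?P<stream>.+)$")

# Extensions Windows runs directly (assumption; .PIF is the one this thread's
# detections point at) and user-writable folders worth a second look.
EXEC_EXT = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".dll", ".sys"}
USER_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\", "\\temp\\")

# Constructed sample: a few lines modelled on the OTL log in this thread.
SAMPLE_LOG = r"""
IE - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 13649 more lines...
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
[2010/05/14 14:39:59 | 000,002,855 | ---- | M] () -- C:\Users\Allison\AppData\Local\syssvc.PIF
[2010/05/12 04:17:00 | 000,002,855 | ---- | M] () -- C:\Users\Allison\AppData\Local\asam.PIF
[2010/05/18 16:04:14 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Users\Allison\Desktop\OTL.exe
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:100E92DA
"""


def triage(log_text):
    """Return a dict of findings extracted from OTL log text."""
    findings = {
        "local_proxy": [],    # ProxyServer values that point at the local host
        "hosts_entries": 0,   # hostnames redirected in the hosts file (excl. localhost)
        "orphans": [],        # O2/O28 entries whose target no longer exists
        "suspect_files": [],  # executables with no company name in user-writable dirs
        "ads": [],            # alternate data streams OTL found (Zone.Identifier ignored)
    }
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = PROXY_LINE.search(line)
        if m and re.search(r"(127\.0\.0\.1|localhost):\d+", m["value"]):
            findings["local_proxy"].append(m["value"])
            continue

        m = HOSTS_LINE.match(line)
        if m:
            more = HOSTS_MORE.match(m["entry"])
            if more:
                findings["hosts_entries"] += int(more["n"])
            elif not m["entry"].endswith(" localhost"):
                findings["hosts_entries"] += 1
            continue

        if line.startswith(("O2 - BHO:", "O28 - ")) and (
            "No CLSID value found" in line or "File not found" in line
        ):
            findings["orphans"].append(line)
            continue

        m = FILE_LINE.match(line)
        if m:
            low = m["path"].lower()
            ext = ntpath.splitext(low)[1]
            if (not m["company"].strip()
                    and ext in EXEC_EXT
                    and any(d in low for d in USER_DIRS)):
                findings["suspect_files"].append({
                    "path": m["path"],
                    "size": int(m["size"].replace(",", "")),
                    "stamp": m["stamp"],
                })
            continue

        m = ADS_LINE.match(line)
        if m and not m["stream"].endswith(":Zone.Identifier"):
            findings["ads"].append(m["stream"])
    return findings


if __name__ == "__main__":
    import json
    import sys
    # Usage: python otl_triage.py OTL.txt   (no argument: run on the sample)
    text = SAMPLE_LOG
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    print(json.dumps(triage(text), indent=2))
```

On the sample this reports the localhost proxy, 13,650 redirected hostnames (a count that large is consistent with a hosts-file immunisation list rather than malware, which is why the script counts instead of judging), the two orphaned registry entries, the two 2,855-byte .PIF files under AppData\Local with no company name, and the stream on C:\ProgramData\TEMP. Each of those is a question for the analyst, not a verdict.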

  7. #7
    Junior Member
    Join Date
    May 2010
    Posts
    12

    Default

    OTL logfile created on: 18/05/2010 16:05:53 - Run 1
    OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Allison\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18882)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 49.00% Memory free
    10.00 Gb Paging File | 9.00 Gb Available in Paging File | 88.00% Paging File free
    Paging file location(s): c:\pagefile.sys 8500 9500 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 149.05 Gb Total Space | 81.25 Gb Free Space | 54.51% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ALLISON-PC
    Current User Name: Allison
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: All users
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Minimal

    ========== Processes (SafeList) ==========

    PRC - C:\Users\Allison\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
    PRC - C:\Windows\System32\Macromed\Flash\FlashUtil10e.exe (Adobe Systems, Inc.)
    PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
    PRC - C:\Program Files\Windows Live\Contacts\wlcomm.exe (Microsoft Corporation)
    PRC - C:\Windows\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
    PRC - C:\Windows\System32\wpcumi.exe (Microsoft Corporation)


    ========== Modules (SafeList) ==========

    MOD - C:\Users\Allison\Desktop\OTL.exe (OldTimer Tools)
    MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
    MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)


    ========== Win32 Services (SafeList) ==========

    SRV - (Steam Client Service) -- C:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation)
    SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
    SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
    SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)


    ========== Driver Services (SafeList) ==========

    DRV - (MpFilter) -- C:\Windows\System32\drivers\MpFilter.sys (Microsoft Corporation)
    DRV - (MpNWMon) -- C:\Windows\System32\drivers\MpNWMon.sys (Microsoft Corporation)
    DRV - (LUsbFilt) -- C:\Windows\System32\drivers\LUsbFilt.sys (Logitech, Inc.)
    DRV - (LMouKE) -- C:\Windows\System32\drivers\LMouKE.Sys (Logitech, Inc.)
    DRV - (LMouFilt) -- C:\Windows\System32\drivers\LMouFilt.Sys (Logitech, Inc.)
    DRV - (LHidFilt) -- C:\Windows\System32\drivers\LHidFilt.Sys (Logitech, Inc.)
    DRV - (L8042mou) -- C:\Windows\System32\drivers\L8042mou.Sys (Logitech, Inc.)
    DRV - (L8042Kbd) -- C:\Windows\System32\drivers\L8042Kbd.sys (Logitech, Inc.)
    DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
    DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
    DRV - (UMPass) -- C:\Windows\System32\drivers\umpass.sys (Microsoft Corporation)
    DRV - (MegaSR) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)
    DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
    DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)
    DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
    DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
    DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
    DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
    DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
    DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
    DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
    DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
    DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
    DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
    DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
    DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
    DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
    DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
    DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
    DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
    DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
    DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
    DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
    DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
    DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
    DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
    DRV - (yukonwlh) -- C:\Windows\System32\drivers\yk60x86.sys (Marvell)
    DRV - (nvstor32) -- C:\Windows\system32\DRIVERS\nvstor32.sys (NVIDIA Corporation)
    DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
    DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
    DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
    DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
    DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
    DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
    DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
    DRV - (Symc8xx) -- C:\Windows\system32\DRIVERS\symc8xx.sys (LSI Logic)
    DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
    DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
    DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
    DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
    DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
    DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
    DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
    DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
    DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
    DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
    IE - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "BearShare Web Search"
    FF - prefs.js..browser.search.order.1: "BearShare Web Search"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://facebook.com/"
    FF - prefs.js..keyword.URL: "http://search.bearshare.com//web?src=ffb&q="
    FF - prefs.js..network.proxy.no_proxies_on: "*.local"

    FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/28 00:08:12 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/28 00:08:12 | 000,000,000 | ---D | M]

    [2009/12/11 23:21:22 | 000,000,000 | ---D | M] -- C:\Users\Allison\AppData\Roaming\Mozilla\Extensions
    [2010/05/17 16:14:06 | 000,000,000 | ---D | M] -- C:\Users\Allison\AppData\Roaming\Mozilla\Firefox\Profiles\v1soe1id.default\extensions
    [2009/12/15 08:20:58 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Allison\AppData\Roaming\Mozilla\Firefox\Profiles\v1soe1id.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/03/05 08:55:12 | 000,002,277 | ---- | M] () -- C:\Users\Allison\AppData\Roaming\Mozilla\Firefox\Profiles\v1soe1id.default\searchplugins\BearShareWebSearch.xml
    [2009/12/11 15:38:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/04/28 00:08:08 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
    [2010/02/22 17:45:04 | 000,000,973 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\BearShareWebSearch.xml
    [2010/04/28 00:08:08 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
    [2010/04/28 00:08:08 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
    [2010/04/28 00:08:08 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2010/05/14 07:11:32 | 000,395,221 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 127.0.0.1 www.007guard.com
    O1 - Hosts: 127.0.0.1 007guard.com
    O1 - Hosts: 127.0.0.1 008i.com
    O1 - Hosts: 127.0.0.1 www.008k.com
    O1 - Hosts: 127.0.0.1 008k.com
    O1 - Hosts: 127.0.0.1 www.00hq.com
    O1 - Hosts: 127.0.0.1 00hq.com
    O1 - Hosts: 127.0.0.1 010402.com
    O1 - Hosts: 127.0.0.1 www.032439.com
    O1 - Hosts: 127.0.0.1 032439.com
    O1 - Hosts: 127.0.0.1 www.0scan.com
    O1 - Hosts: 127.0.0.1 0scan.com
    O1 - Hosts: 127.0.0.1 1000gratisproben.com
    O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
    O1 - Hosts: 127.0.0.1 1001namen.com
    O1 - Hosts: 127.0.0.1 www.1001namen.com
    O1 - Hosts: 127.0.0.1 100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100sexlinks.com
    O1 - Hosts: 127.0.0.1 100sexlinks.com
    O1 - Hosts: 127.0.0.1 10sek.com
    O1 - Hosts: 127.0.0.1 www.10sek.com
    O1 - Hosts: 127.0.0.1 www.1-2005-search.com
    O1 - Hosts: 13649 more lines...
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
    O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
    O4 - HKLM..\Run: [WPCUMI] C:\Windows\System32\wpcumi.exe (Microsoft Corporation)
    O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - Startup: C:\Users\Allison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
    O4 - Startup: C:\Users\Kids\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Groove.lnk = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE (Microsoft Corporation)
    O4 - Startup: C:\Users\Kids\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
    O7 - HKU\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
    O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
    O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
    O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img18.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img18.jpg
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/05/18 16:03:55 | 000,571,392 | ---- | C] (OldTimer Tools) -- C:\Users\Allison\Desktop\OTL.exe
    [2010/05/18 12:55:07 | 000,000,000 | ---D | C] -- C:\Users\Allison\AppData\Roaming\Malwarebytes
    [2010/05/18 12:54:58 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2010/05/18 12:54:57 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2010/05/18 12:54:57 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/05/18 12:54:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2010/05/18 12:48:37 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Allison\Desktop\mbam-setup-1.46.exe
    [2010/05/17 19:47:12 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2010/05/17 19:47:12 | 000,000,000 | ---D | C] -- C:\Users\Allison\AppData\Local\temp
    [2010/05/17 19:46:21 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2010/05/17 19:34:22 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2010/05/17 19:34:22 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2010/05/17 19:34:22 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2010/05/17 19:34:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
    [2010/05/17 19:30:14 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/05/15 18:28:53 | 000,000,000 | ---D | C] -- C:\Users\Allison\AppData\Roaming\Safer Networking
    [2010/05/15 18:26:12 | 000,000,000 | ---D | C] -- C:\Program Files\Safer Networking
    [2010/05/14 02:19:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
    [2010/05/14 02:19:37 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
    [2010/05/14 02:13:27 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2010/05/14 02:10:46 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
    [2010/05/01 03:58:20 | 000,000,000 | ---D | C] -- C:\ProgramData\1468
    [2010/04/28 00:13:12 | 000,000,000 | ---D | C] -- C:\Users\Allison\Documents\Downloads
    [2010/04/28 00:09:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared
    [2010/04/28 00:09:06 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
    [2010/04/28 00:08:36 | 000,000,000 | ---D | C] -- C:\ProgramData\DivX
    [2010/04/20 10:46:04 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_4.dll
    [2010/04/20 10:46:03 | 000,528,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_6.dll
    [2010/04/20 10:46:00 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_6.dll
    [2010/04/20 10:45:58 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_7.dll
    [2010/04/20 10:35:41 | 000,000,000 | -H-D | C] -- C:\Windows\msdownld.tmp
    [2010/04/20 10:35:35 | 000,000,000 | ---D | C] -- C:\Windows\System32\directx
    [2010/04/19 18:18:27 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
    [1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2010/05/18 16:06:59 | 000,000,426 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{850964FB-6DB5-4D9A-9069-350105764764}.job
    [2010/05/18 16:06:59 | 000,000,426 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{3BA4D43F-A437-4B6A-A315-69B39969253D}.job
    [2010/05/18 16:04:26 | 007,077,888 | -HS- | M] () -- C:\Users\Allison\ntuser.dat
    [2010/05/18 16:04:14 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Users\Allison\Desktop\OTL.exe
    [2010/05/18 16:03:00 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{D58A8518-80BB-4064-9FA8-053C5566BE4A}.job
    [2010/05/18 14:35:26 | 000,004,240 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2010/05/18 14:35:26 | 000,004,240 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2010/05/18 13:37:48 | 000,005,632 | ---- | M] () -- C:\Users\Allison\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/05/18 12:54:16 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Allison\Desktop\mbam-setup-1.46.exe
    [2010/05/18 08:35:22 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2010/05/18 08:35:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2010/05/18 08:34:41 | 096,423,952 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2010/05/17 23:16:26 | 000,524,288 | -HS- | M] () -- C:\Users\Allison\ntuser.dat{61c355a3-ebe9-11de-a675-001bb959aa6c}.TMContainer00000000000000000001.regtrans-ms
    [2010/05/17 23:16:26 | 000,065,536 | -HS- | M] () -- C:\Users\Allison\ntuser.dat{61c355a3-ebe9-11de-a675-001bb959aa6c}.TM.blf
    [2010/05/17 23:16:00 | 002,689,597 | -H-- | M] () -- C:\Users\Allison\AppData\Local\IconCache.db
    [2010/05/17 20:42:33 | 000,000,873 | ---- | M] () -- C:\Users\Allison\Desktop\World of Warcraft.lnk
    [2010/05/17 20:38:32 | 000,000,732 | ---- | M] () -- C:\Users\Allison\Desktop\ERUNT.lnk
    [2010/05/17 20:38:23 | 000,001,073 | ---- | M] () -- C:\Users\Allison\Desktop\Spybot - Search & Destroy.lnk
    [2010/05/17 20:38:16 | 000,001,031 | ---- | M] () -- C:\Users\Allison\Desktop\RunAlyzer.lnk
    [2010/05/17 20:38:11 | 000,001,013 | ---- | M] () -- C:\Users\Allison\Desktop\RegAlyzer.lnk
    [2010/05/17 20:38:07 | 000,001,007 | ---- | M] () -- C:\Users\Allison\Desktop\FileAlyzer.lnk
    [2010/05/17 19:43:38 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
    [2010/05/17 19:33:57 | 003,690,041 | R--- | M] () -- C:\Users\Allison\Desktop\ComboFix.exe
    [2010/05/17 19:08:12 | 001,494,626 | ---- | M] () -- C:\Users\Allison\Documents\gays.pptx
    [2010/05/17 18:34:03 | 002,318,266 | ---- | M] () -- C:\Users\Allison\Documents\ya.pptx
    [2010/05/17 03:26:15 | 000,000,749 | ---- | M] () -- C:\Users\Allison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr shortcut.lnk
    [2010/05/14 14:39:59 | 000,002,855 | ---- | M] () -- C:\Users\Allison\AppData\Local\syssvc.PIF
    [2010/05/14 14:15:50 | 000,000,334 | ---- | M] () -- C:\Windows\tasks\Spybot - Search & Destroy - Scheduled Task.job
    [2010/05/14 07:11:32 | 000,395,221 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2010/05/14 07:00:55 | 000,000,120 | ---- | M] () -- C:\Windows\wininit.ini
    [2010/05/14 05:57:44 | 000,000,270 | ---- | M] () -- C:\Windows\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
    [2010/05/14 03:19:55 | 000,001,985 | ---- | M] () -- C:\Users\Allison\Desktop\Windows Live Messenger .lnk
    [2010/05/14 03:18:44 | 000,000,770 | ---- | M] () -- C:\Users\Allison\Desktop\Ventrilo.lnk
    [2010/05/14 02:24:23 | 000,000,761 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100514-071132.backup
    [2010/05/14 02:12:17 | 000,000,913 | ---- | M] () -- C:\Users\Allison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    [2010/05/12 04:17:00 | 000,002,855 | ---- | M] () -- C:\Users\Allison\AppData\Local\asam.PIF
    [2010/05/12 03:46:13 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
    [2010/05/12 03:46:13 | 000,599,942 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2010/05/12 03:46:13 | 000,105,448 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2010/05/06 15:04:26 | 000,001,356 | R--- | M] () -- C:\Users\Allison\AppData\Local\d3d9caps.dat
    [2010/05/01 12:27:07 | 001,103,051 | ---- | M] () -- C:\Users\Allison\Documents\agiienst.pptx
    [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2010/04/27 17:55:32 | 000,002,560 | ---- | M] () -- C:\Windows\_MSRSTRT.EXE
    [2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\Windows\PEV.exe
    [2010/04/18 17:37:38 | 000,099,864 | ---- | M] () -- C:\Users\Allison\AppData\Local\GDIPFONTCACHEV1.DAT
    [2010/04/18 17:31:19 | 000,370,960 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2010/05/17 20:38:32 | 000,000,732 | ---- | C] () -- C:\Users\Allison\Desktop\ERUNT.lnk
    [2010/05/17 20:38:23 | 000,001,073 | ---- | C] () -- C:\Users\Allison\Desktop\Spybot - Search & Destroy.lnk
    [2010/05/17 20:38:16 | 000,001,031 | ---- | C] () -- C:\Users\Allison\Desktop\RunAlyzer.lnk
    [2010/05/17 20:38:11 | 000,001,013 | ---- | C] () -- C:\Users\Allison\Desktop\RegAlyzer.lnk
    [2010/05/17 20:38:07 | 000,001,007 | ---- | C] () -- C:\Users\Allison\Desktop\FileAlyzer.lnk
    [2010/05/17 19:34:22 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
    [2010/05/17 19:34:22 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2010/05/17 19:34:22 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2010/05/17 19:34:22 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
    [2010/05/17 19:34:22 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2010/05/17 19:31:31 | 003,690,041 | R--- | C] () -- C:\Users\Allison\Desktop\ComboFix.exe
    [2010/05/17 19:07:31 | 001,494,626 | ---- | C] () -- C:\Users\Allison\Documents\gays.pptx
    [2010/05/17 18:34:03 | 002,318,266 | ---- | C] () -- C:\Users\Allison\Documents\ya.pptx
    [2010/05/17 03:25:37 | 000,000,749 | ---- | C] () -- C:\Users\Allison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr shortcut.lnk
    [2010/05/14 14:39:59 | 000,002,855 | ---- | C] () -- C:\Users\Allison\AppData\Local\syssvc.PIF
    [2010/05/14 07:00:55 | 000,000,120 | ---- | C] () -- C:\Windows\wininit.ini
    [2010/05/14 05:54:18 | 000,000,270 | ---- | C] () -- C:\Windows\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
    [2010/05/14 05:53:54 | 000,000,334 | ---- | C] () -- C:\Windows\tasks\Spybot - Search & Destroy - Scheduled Task.job
    [2010/05/14 03:19:55 | 000,001,985 | ---- | C] () -- C:\Users\Allison\Desktop\Windows Live Messenger .lnk
    [2010/05/14 03:19:31 | 000,000,873 | ---- | C] () -- C:\Users\Allison\Desktop\World of Warcraft.lnk
    [2010/05/14 03:18:44 | 000,000,770 | ---- | C] () -- C:\Users\Allison\Desktop\Ventrilo.lnk
    [2010/05/14 02:12:17 | 000,000,913 | ---- | C] () -- C:\Users\Allison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    [2010/05/12 04:17:00 | 000,002,855 | ---- | C] () -- C:\Users\Allison\AppData\Local\asam.PIF
    [2010/05/12 03:37:40 | 096,423,952 | ---- | C] () -- C:\Windows\MEMORY.DMP
    [2010/05/01 12:27:06 | 001,103,051 | ---- | C] () -- C:\Users\Allison\Documents\agiienst.pptx
    [2010/04/27 17:55:30 | 000,002,560 | ---- | C] () -- C:\Windows\_MSRSTRT.EXE
    [2009/12/15 14:09:06 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2009/11/29 15:29:39 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    [2009/11/28 23:31:38 | 000,010,240 | ---- | C] () -- C:\Windows\System32\vidx16.dll
    [2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
    [2009/08/03 01:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
    [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
    [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
    [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
    [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
    [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
    [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
    [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
    [2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
    [2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
    [2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 11:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
    [2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:100E92DA
    @Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:BAC2F271
    @Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:77D98D08
    @Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:B093E177
    < End of report >



    OTL Extras logfile created on: 18/05/2010 16:05:54 - Run 1
    OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Allison\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18882)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 49.00% Memory free
    10.00 Gb Paging File | 9.00 Gb Available in Paging File | 88.00% Paging File free
    Paging file location(s): c:\pagefile.sys 8500 9500 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 149.05 Gb Total Space | 81.25 Gb Free Space | 54.51% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ALLISON-PC
    Current User Name: Allison
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: All users
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Minimal

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
    .html [@ = ChromeHTML] -- Reg Error: Key error. File not found

    [HKEY_USERS\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
    https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" File not found
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [OneNote.Open] -- C:\PROGRA~1\MI1933~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "VistaSp2" = Reg Error: Unknown registry data type -- File not found

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{146DF0C9-9195-4080-B547-2E6AA8944FB8}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
    "{1A8BFD1E-A244-48F5-B9ED-0F03CA874242}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
    "{1C853454-42AF-4CD0-B70E-BDD702E4D306}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{1D13D37C-38E0-46AB-8335-CC6269D800C1}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{2297220E-25C1-488D-B3FA-6D5001D60CF0}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
    "{33D47F18-CD0C-4E0E-9766-B3C9A941EC5B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{35826F6A-2A84-463D-9143-508E87F2FDC1}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{50E8D92E-59DD-4B85-A7B3-8D82F877DBEB}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{53FF91EE-5AAA-4D27-838B-251EDD7C86C9}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{5EF17781-625F-49D7-B586-8E6FDBAF3C8C}" = lport=3390 | protocol=6 | dir=in | app=system |
    "{75FC8DC4-4022-4C54-8EAD-6A7901CEC8E7}" = lport=10244 | protocol=6 | dir=in | app=system |
    "{780421CB-8AED-49D0-AB41-F1D8D7C98DFF}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{904AD1F1-61D4-46C9-A9CF-E864512F50DD}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
    "{95A01F69-9DF4-4078-B81B-DE7666D57DEF}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
    "{A08B8472-8B75-434A-814D-9F90FF5EC858}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{B5903B8C-B32B-48BC-A0C1-7135E11F8490}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{B763336F-8DE6-429C-823B-A55B92601471}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{C063D61C-EF35-4374-AEE6-DC716031D7B2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{C1237C9A-F2EE-4557-9299-F8BDFF86CF7A}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
    "{C50062E6-ECEF-4EBA-91CC-5457EC7C7AE6}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
    "{DCA63967-113A-4FE8-AF9C-1627F6B1A61E}" = rport=10244 | protocol=6 | dir=out | app=system |
    "{E4FAE537-A357-4BE2-ABE6-8FC1D80ED620}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{E65C1B2C-ADDB-43E1-9F3B-B2534DDAFE7E}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
    "{F27CD737-C849-4834-AB6E-FFCD1806A70F}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{01B07D78-6FC4-4CA2-8D54-EBDE5B7EB3AF}" = protocol=17 | dir=in | app=c:\program files\windows media player\wmplayer.exe |
    "{0CD5D398-BDD0-4DA7-B88D-89BEDDF58BBC}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-engb-downloader.exe |
    "{1E3124E9-BF86-48DE-A4FD-F5B98339BB29}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.2.0-engb-downloader.exe |
    "{23B52355-EFE6-437C-AA95-5E66485DF905}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
    "{25C72C16-3B46-4F4F-87C2-4AEE4820551E}" = protocol=6 | dir=out | svc=upnphost | app=c:\windows\system32\svchost.exe |
    "{266CE7DC-EFB5-442C-97D8-81BC71742E44}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
    "{2E255E53-AD59-4842-8094-6CF051109C0D}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.2.0-engb-downloader.exe |
    "{366C4C89-DDEB-49D5-B980-3B76CFFBB075}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\bob came in pieces demo\bob.exe |
    "{3820859A-5838-4844-B029-544ED9774EA5}" = protocol=17 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
    "{54CEBCB6-494D-40BF-95F3-B21A99D3EDE2}" = protocol=6 | dir=in | app=c:\users\allison\appdata\local\asam.exe |
    "{68C6BEF2-6D94-4664-8ADF-47E7A7438552}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.2.2.10482-to-3.2.2.10505-engb-downloader.exe |
    "{8CB4B2CC-4B92-491C-A506-D7FFCF80D33E}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
    "{9090ABFA-3C76-496A-8A57-05C3C4CB2D6B}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
    "{9D842554-D7E3-44B8-B262-D85027432B59}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-engb-downloader.exe |
    "{A61E9F06-A83B-42EE-97B7-7B6EC41B2F6F}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\left 4 dead\left4dead.exe |
    "{A6674C22-CFEF-4A75-AE86-133F72A921A0}" = protocol=17 | dir=in | app=c:\users\allison\appdata\local\asam.exe |
    "{A68FF2C4-2478-4DA1-A0D8-8AC2B23D1C91}" = protocol=6 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
    "{A702CAFE-5CFB-4FC3-B1F2-941134CF7AC0}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
    "{AC7197F9-F09B-4A71-909B-54590725602E}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-engb-downloader.exe |
    "{B1788882-8F31-46B3-B7BF-ABA110F82BCE}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\left 4 dead\left4dead.exe |
    "{BEDD029B-1CE3-432E-9211-5ECD75E1B1EB}" = protocol=17 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
    "{C36710D6-6573-422F-A578-90536103D1E5}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.2.2.10482-to-3.2.2.10505-engb-downloader.exe |
    "{C53569BA-260C-4352-A684-A1DF5D8E01C7}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-engb-downloader.exe |
    "{C779A813-C0D0-4A34-9257-6492C61EE749}" = protocol=6 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
    "{D1F66F6D-A747-44F2-9294-C4A686BB989B}" = protocol=6 | dir=out | app=system |
    "{F63F77F9-9B00-4FBB-962D-B6745C6F968D}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
    "{F88B1B92-A78C-4440-851C-C448C803F9FD}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\bob came in pieces demo\bob.exe |
    "{FA85EC5E-8777-4CEE-A787-6B600892F01A}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "TCP Query User{03C2F780-F7C7-4883-A8B9-FD6EB746F93D}C:\program files\bearshare applications\bearshare\bearshare.exe" = protocol=6 | dir=in | app=c:\program files\bearshare applications\bearshare\bearshare.exe |
    "TCP Query User{230D753B-817A-4036-92A4-1C0F7B04758E}C:\users\public\downloads\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\downloads\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe |
    "TCP Query User{2AEF198B-0D85-48B4-9484-8D084D55C8C5}C:\program files\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-engb-downloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-engb-downloader.exe |
    "TCP Query User{35B494A4-2F45-468A-B000-C401081B2A0B}C:\program files\world of warcraft\repair.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\repair.exe |
    "TCP Query User{5455D629-8CC6-4B18-B63A-8D6BBA7820A7}C:\users\public\documents\blizzard entertainment\world of warcraft trial\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft trial\launcher.exe |
    "TCP Query User{586784A3-3F76-4F42-AA2E-1F05C846CDE4}C:\program files\microsoft office\office12\groove.exe" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
    "TCP Query User{6346D800-AE53-494C-ACF6-F6BA0D635E4B}C:\users\public\downloads\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\downloads\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe |
    "TCP Query User{82FFB057-B3E6-48E2-8959-EE667630E298}C:\users\public\downloads\world of warcraft trial\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\downloads\world of warcraft trial\launcher.exe |
    "TCP Query User{96EB13C5-BCA5-4D83-BC1E-AF4461AC4B30}C:\program files\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-engb-downloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-engb-downloader.exe |
    "TCP Query User{A03806D4-621B-4533-A80E-B4FDBE883F5C}C:\program files\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\launcher.exe |
    "TCP Query User{A88B80C7-E1A1-481D-B997-F50F9F2F6D2F}C:\program files\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-engb-downloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-engb-downloader.exe |
    "TCP Query User{B4F2B4A8-07D9-4990-A325-20D0BDC8954A}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
    "TCP Query User{D5D83ED5-AC1E-442A-914D-20DBA5B070D8}C:\program files\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\java.exe |
    "TCP Query User{D6962141-4D4B-4D2C-8554-E94F0A669B20}C:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe |
    "TCP Query User{E4A677E7-5004-4873-9BF4-49F2D270E7BC}C:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe |
    "TCP Query User{F1324CE4-5A44-4223-8851-DAD798A37CD1}C:\program files\world of warcraft\backgrounddownloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\backgrounddownloader.exe |
    "TCP Query User{F930905B-C9B7-4C9C-A46C-3F36B946C005}C:\program files\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-engb-downloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-engb-downloader.exe |
    "UDP Query User{02457AA1-01E1-438C-9833-C1A7CE5E5177}C:\program files\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-engb-downloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-engb-downloader.exe |
    "UDP Query User{05C5871C-4762-4132-A674-B568DEC0B690}C:\program files\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\launcher.exe |
    "UDP Query User{0DA8A480-EB48-4B2D-9B0A-9D7E39807624}C:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe |
    "UDP Query User{1793EB3B-82D1-4CE6-BA36-15553D050AD0}C:\program files\world of warcraft\backgrounddownloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\backgrounddownloader.exe |
    "UDP Query User{46D96741-A3C7-4F58-93F5-5159C9423D34}C:\program files\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-engb-downloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-engb-downloader.exe |
    "UDP Query User{476C461F-DB90-4091-8387-850EA8623FD2}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
    "UDP Query User{5C233055-3D88-4580-A160-36F8FA840C69}C:\program files\world of warcraft\repair.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\repair.exe |
    "UDP Query User{5CE160E7-6EAE-4EE2-ACA4-9B3A9580AEAA}C:\program files\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-engb-downloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-engb-downloader.exe |
    "UDP Query User{76F8E300-0FE5-4C55-87EE-E4B016B05478}C:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe |
    "UDP Query User{8AB9079E-4FE3-44E7-89DD-8FE16E9EC5C7}C:\program files\bearshare applications\bearshare\bearshare.exe" = protocol=17 | dir=in | app=c:\program files\bearshare applications\bearshare\bearshare.exe |
    "UDP Query User{8D805498-2BC3-4123-9793-97D27B3BD7A1}C:\users\public\downloads\world of warcraft trial\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\downloads\world of warcraft trial\launcher.exe |
    "UDP Query User{B3A7CF72-94D9-40C6-A17A-A1CFE0DDBC97}C:\program files\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\java.exe |
    "UDP Query User{B80FDDEE-48C0-40A9-B779-78CAF352942E}C:\users\public\documents\blizzard entertainment\world of warcraft trial\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft trial\launcher.exe |
    "UDP Query User{D8905423-8060-4F9E-81C1-A2C5C7C85321}C:\users\public\downloads\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\downloads\world of warcraft trial\wow-3.2.2.10482-to-3.3.0.10958-engb-trial-downloader.exe |
    "UDP Query User{DA551212-5BA3-4CD7-9452-2A1E4C07C809}C:\program files\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-engb-downloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-engb-downloader.exe |
    "UDP Query User{E6BC2DCB-1641-4F6C-B6ED-39F9D2C9EBAC}C:\users\public\downloads\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\downloads\world of warcraft trial\wow-3.3.0.10958-to-3.3.0.11159-engb-trial-downloader.exe |
    "UDP Query User{E96B2CAE-EF3E-479C-850A-0E9E1AC111D4}C:\program files\microsoft office\office12\groove.exe" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
    "{08E264F0-E675-8E6D-0042-8741FD41E654}" = ATI Catalyst Install Manager
    "{093C982A-E1CB-6D32-5FAD-DCE8EA8F86FA}" = ccc-core-static
    "{15AE34F8-75D2-3820-825B-C9369549540C}" = CCC Help Japanese
    "{1C13AA79-3D17-3A4C-21E7-E28AE817F5CA}" = Catalyst Control Center Graphics Full Existing
    "{1FB6ACCC-93CA-7E6F-FD4C-414BD705BD0D}" = CCC Help Greek
    "{1FF713E1-FE5E-4AD0-9C8C-B2E877846B45}" = Catalyst Control Center - Branding
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17
    "{2716545E-47C8-6D1C-5182-A882BE07D2B4}" = CCC Help Russian
    "{296B2D8E-CE82-92AF-B2E8-A646E7CB78A2}_is1" = RegAlyzer
    "{29D3773E-54F4-23C2-D523-236A4453B844}_is1" = FileAlyzer
    "{2A2B2DC2-BF12-D4C3-386D-5FBF8805B129}" = CCC Help Thai
    "{2D4D2CB9-77D4-92B7-B6CA-1594FA4FBE31}" = CCC Help Swedish
    "{2D61AC21-C1AA-1AE9-0B1C-B9B4AEDCBDA1}" = CCC Help Danish
    "{35639F85-BC62-499A-5E3A-48E3F770131A}" = Catalyst Control Center Graphics Previews Vista
    "{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
    "{41C55712-EC7E-DCD4-4E4E-52BA481B4FFC}" = Catalyst Control Center HydraVision Full
    "{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
    "{470E48DD-CC64-848E-FE2A-321741ED3D63}" = Catalyst Control Center Localization All
    "{53AE0DC7-C66C-06C7-4C02-2D7ED00B6376}" = CCC Help French
    "{5815C3A7-F712-8112-DB89-720AF9270808}" = CCC Help Spanish
    "{5E8B2EC6-9B3B-D4D3-2DD0-1F0F6F07E193}" = Catalyst Control Center Graphics Light
    "{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
    "{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
    "{6CCD966D-096B-92CE-BDC3-C0324818CA3B}" = ccc-utility
    "{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
    "{7AF6E3E3-F22C-E45A-4506-2EFCE136B7A1}" = CCC Help Czech
    "{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8E4F58E4-2F7F-E8E3-47B0-54966E9F6A2B}" = CCC Help Polish
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
    "{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
    "{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{92A188E7-5658-0DD8-97FB-CD1B53A3642A}" = Skins
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{958163CC-B654-BE07-152A-00F1275C0C8C}" = Catalyst Control Center Graphics Full New
    "{97A0D4C6-0C5E-1DA0-F44D-FC849DF7BE7B}" = CCC Help Chinese Standard
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9E3A95C9-F46B-A65C-A9FC-0E91C8FEC472}" = Catalyst Control Center Core Implementation
    "{9FA264A1-65E0-1D70-1AE7-0D58D57DC2CF}" = CCC Help German
    "{9FC4BEF6-C475-95F0-B9A2-9FC378B0104B}" = CCC Help Italian
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
    "{A5181519-9F3D-4372-ABC6-C333C2F3A816}_is1" = RunAlyzer
    "{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
    "{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
    "{AC9BAC65-97AC-4F3F-23A0-706169424F59}" = Catalyst Control Center InstallProxy
    "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{BE32AA46-9A6B-6879-F12A-AD1D7A01EBB8}" = CCC Help Finnish
    "{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
    "{C88A014F-9E12-CE28-BF50-961B9236A9AC}" = Catalyst Control Center Graphics Previews Common
    "{C99EB033-C7F4-28DB-49CB-5BCEA12CE903}" = CCC Help Turkish
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CF4FA95B-209B-DA12-F43D-3B825CC1A440}" = CCC Help Korean
    "{D1FE5F0C-B041-8BFC-01B4-43F3583B5C64}" = CCC Help Norwegian
    "{E590FD1C-E8C6-4D2E-8CA9-77B403F7EE01}" = Microsoft Antimalware
    "{E7044E25-3038-4A76-9064-344AC038043E}" = Windows Mobile Device Center Driver Update
    "{EBECDE89-4375-8303-F18F-001FE3FD1761}" = CCC Help Hungarian
    "{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
    "{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F39FA8E1-0200-0ABB-26A8-6B5022EED38B}" = CCC Help Dutch
    "{F5EEFCDD-79A7-0C50-9281-8AAEC00F97EB}" = CCC Help Chinese Traditional
    "{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
    "{F754BE19-D1F4-335F-A388-FE23EFD6A543}" = CCC Help Portuguese
    "{F96780B8-C287-73B6-4020-297DE0837385}" = CCC Help English
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "BearShare" = BearShare
    "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
    "DivX Setup.divx.com" = DivX Setup
    "ENTERPRISE" = Microsoft Office Enterprise 2007
    "ERUNT_is1" = ERUNT 1.1j
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft Security Essentials" = Microsoft Security Essentials
    "Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
    "SP6" = Logitech SetPoint 6.0
    "Steam App 46010" = Bob Came In Pieces Demo
    "Steam App 500" = Left 4 Dead
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "World of Warcraft" = World of Warcraft

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-1577944746-1904882149-615149784-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "090215de958f1060" = Curse Client

    ========== Last 10 Event Log Errors ==========

    Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

    < End of report >

  8. #8
    Emeritus- Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi Allison

    I do not see anything "suspicious"... only this
    "Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!"
    and it is not due to malware

    1 - Clean temp files

    • Please download TFC to your desktop
    • Save any unsaved work. TFC will close all open application windows.
    • Double-click TFC.exe to run the program.
    • If prompted, click Yes to reboot.


    NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

    2 - Eset online scanner

    You can use either Internet Explorer or Mozilla FireFox for this scan.

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    • Please go here then click on:
    • Select the option YES, I accept the Terms of Use then click on:
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:

      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Now click on:
    • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
    • When completed the Online Scan will begin automatically.
    • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
    • Now click on:
    • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    • Copy and paste that log as a reply to this topic.


    3 - Status Check
    Please reply with

    1. the Eset online scanner report

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  9. #9
    Junior Member
    Join Date
    May 2010
    Posts
    12

    Default

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK

  10. #10
    Emeritus- Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi Allison

    That log is not complete. Please post a complete log.

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
