
Thread: PWS:win32/zbot.gen!AC after downloading Free File Opener

  1. #1
    Member
    Join Date
    Oct 2008
    Posts
    94

    PWS:win32/zbot.gen!AC after downloading Free File Opener

    Hello, at the beginning of March I received a .docx which I cannot open as I only have .doc; the Microsoft website suggested I download Free File Opener. Soon after (minutes?) my firewall picked up malware and removed/blocked it. Later, a Microsoft program told me I had PWS:win32/zbot.gen!AC

    Cannot run DDS, as it takes ages and then the computer crashes. Could be because my computer already has something strange going on, because I cannot account for about 15 gig on the hard drive and it is almost full (32 gig).

    I have run CCleaner, HJT, downloaded Spybot and tried to run it (found 2 hotkeys), but the computer crashed just before the end of it, so I will try again; I have run Malwarebytes Anti-Malware and ERUNT, and downloaded Microsoft Security Essentials and am going to run that when Spybot finishes.



    Do I need to do anything else: I would be very grateful if you could advise.

    thanks a lot

  2. #2
    Senior Member
    Join Date
    Apr 2010
    Posts
    463


    Hello ecosarah and

    My name is JonTom

    • Malware Logs can sometimes take a lot of time to research and interpret.
    • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
    • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
    • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
    • PLEASE NOTE: If you do not reply after 3 days your thread will be closed.


    Please let me know what operating system you are running (XP, Win7, Vista, 32 or 64 bit).

    Download the following tool and try to run it:

    1. aswMBR

      • Download aswMBR.exe to your desktop.
      • Double click the aswMBR.exe to run it.
      • When asked if you want to download Avast's virus definitions please select Yes.
      • Click the "Scan" button to start scan.
      • On completion of the scan click save log, save it to your desktop and post in your next reply.

      If it does not run from Normal Mode boot into Safe Mode and try it (and DDS) from there.

    2. Reboot Your System in Safe Mode

      • Restart your computer.
      • As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
      • Use the arrow keys to select the Safe mode menu item.
      • Press Enter.

      Once in Safe Mode, give aswMBR and DDS another try. If they fail to complete their scans let me know.

      "have run malwarebit"
      Please post the most recent MBAM log for me to review (you can find it by opening MBAM and clicking on the logs tab).
    Proud Graduate of the WTT Classroom

  3. #3
    Member
    Join Date
    Oct 2008
    Posts
    94


    Hello JonTom,

    I cannot tell you how happy I am to hear from you!!! So so happy!

    Please could you tell me how to set it up so I get an email when you reply? Thanks.

    Operating system is XP; don't know if 32 or 64 bit.

    MBAM log:

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3982

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    17/03/2012 10:08:17
    mbam-log-2012-03-17 (10-08-17).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 185758
    Time elapsed: 1 hour(s), 37 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    aswMBR (was set to "quick scan" I noticed) log:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-23 22:35:52
    -----------------------------
    22:35:52.935 OS Version: Windows 5.1.2600 Service Pack 3
    22:35:52.935 Number of processors: 1 586 0xD08
    22:35:52.935 ComputerName: MAXIMILLION UserName: 1 Sarah
    22:36:16.559 Initialize success
    22:39:11.693 AVAST engine defs: 12032302
    22:39:41.113 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    22:39:41.113 Disk 0 Vendor: HTS541040G9AT00 MB2IA60A Size: 38154MB BusType: 3
    22:39:41.160 Disk 0 MBR read successfully
    22:39:41.160 Disk 0 MBR scan
    22:39:41.520 Disk 0 unknown MBR code
    22:39:41.520 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 34086 MB offset 63
    22:39:41.848 Disk 0 Partition 2 00 12 Compaq diag MSWIN4.1 4067 MB offset 69809040
    22:39:42.910 Disk 0 scanning sectors +78140160
    22:39:43.598 Disk 0 scanning C:\WINDOWS\system32\drivers
    22:41:48.718 Service scanning
    22:42:56.559 Service MpKsl6bbbadd1 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{679B0FC7-69F0-49F8-B47B-630253CE429D}\MpKsl6bbbadd1.sys **LOCKED** 32
    22:44:39.555 Modules scanning
    22:45:13.851 Disk 0 trace - called modules:
    22:45:13.866 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    22:45:13.866 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a52dab8]
    22:45:13.866 3 CLASSPNP.SYS[ba0f8fd7] -> nt!IofCallDriver -> \Device\0000009b[0x8a5772a0]
    22:45:13.866 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a556940]
    22:45:14.960 AVAST engine scan C:\WINDOWS
    22:46:04.208 AVAST engine scan C:\WINDOWS\system32
    23:16:05.198 AVAST engine scan C:\WINDOWS\system32\drivers
    23:17:35.039 AVAST engine scan C:\Documents and Settings\1 Sarah
    23:39:03.803 AVAST engine scan C:\Documents and Settings\All Users
    23:44:43.326 Scan finished successfully
    23:49:34.805 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\1 Sarah\Desktop\MBR.dat"
    23:49:34.836 The log file has been saved successfully to "C:\Documents and Settings\1 Sarah\Desktop\aswMBR 23.3.12.txt"


    I will post this, then restart the laptop in Safe Mode to try DDS.

    Big thanks!! Sarah

  4. #4
    Member
    Join Date
    Oct 2008
    Posts
    94


    Cannot run in Safe Mode or Safe Mode with Networking: it gets stuck as a list of pathways (?) comes up...

    I think I have found out how to subscribe to the thread, so don't worry about answering that question.

    Thanks, look forward to hearing from you,

    Sarah

  5. #5
    Senior Member
    Join Date
    Apr 2010
    Posts
    463


    Hello ecosarah

    Thank you for the aswMBR log.

    Let's see if we can get the following scan to run:

    1. Download and run OTL by Oldtimer

      • Please download OTL by Oldtimer by clicking here and save the file (called OTL.com) to your desktop.
      • Close all open windows on your computer then Double click on the OTL.com icon to run the program.
      • Check the boxes beside "LOP Check" and "Purity Check".
      • Under Custom Scan paste this in:

      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
      %systemroot%\system32\drivers\*.sys /90
      CREATERESTOREPOINT

      • Click the "Run Scan" button. Do not change any settings unless specifically told to do so. The scan will not take long.
      • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
      • Note: These logs can be located in the OTL. folder on your C:\ drive if they fail to open automatically.
      • Please Copy and Paste the contents of both files in your next reply. You may need two posts to fit them both in.

      If OTL is able to run please post both logs in your next reply.

      If the machine crashes (as it did with DDS) please scan with HJT and post the log for me to review.


    Proud Graduate of the WTT Classroom
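    The OTL scan requested above produces PRC/MOD/SRV/DRV lines of the kind posted later in this thread. What follows is an added example, not part of this thread and not OTL's own code: a first-pass triage script that parses those four line types and buckets them the way a helper reads them, flagging service and driver registrations whose file is gone ("File not found") and files whose version info carries no company name, and noting which of the latter are actually running. The regular expressions are an assumption derived from the entries posted in this thread (other OTL sections such as the registry and Firefox blocks are not parsed); the sample lines are copied from the OTL log in this thread.

```python
"""First-pass triage of OTL (OldTimer's OTL) log lines.

Added example, not part of this thread and not OTL's own code. The regexes are
assumed from the PRC/MOD/SRV/DRV entries posted in this thread; other OTL
sections (registry, Firefox prefs, ...) are not parsed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Entry whose file exists on disk, e.g.
#   SRV - [2011/12/18 21:08:42 | 002,420,616 | ---- | M] (Vendor) [Auto | Running] -- C:\x\vsmon.exe -- (vsmon)
#   PRC - [2012/03/24 17:34:51 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\x\OTL.com
FOUND_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"\[(?P<date>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| (?P<attrs>\S+) \| (?P<flag>\S+)\] "
    r"\((?P<company>.*?)\)(?: \[(?P<state>[^\]]*)\])? -- "
    r"(?P<path>.+?)(?: -- \((?P<name>.*?)\)(?P<desc>.*))?$"
)
# Registration whose file is gone, e.g.
#   DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
#   SRV - File not found [On_Demand | Stopped] -- C:\x\PsaSrv.exe -- (PsaSrv)
MISSING_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<state>[^\]]*)\] -- "
    r"(?:(?P<path>\S.*?) )?-- \((?P<name>.*?)\)(?P<desc>.*)$"
)


@dataclass
class OtlEntry:
    kind: str                 # PRC, MOD, SRV or DRV
    path: str                 # registered image path ("" when OTL printed none)
    name: Optional[str]       # service/driver name; None for PRC/MOD lines
    company: Optional[str]    # company from version info; None when file missing
    state: Optional[str]      # e.g. "Kernel | System | Running"; None for PRC/MOD
    size: Optional[int]       # file size in bytes; None when file missing
    file_found: bool

    @property
    def running(self) -> bool:
        return bool(self.state) and "Running" in self.state


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one PRC/MOD/SRV/DRV line; return None for any other line."""
    line = line.strip()
    m = MISSING_RE.match(line)
    if m:
        return OtlEntry(m["kind"], m["path"] or "", m["name"], None, m["state"], None, False)
    m = FOUND_RE.match(line)
    if m:
        size = int(m["size"].replace(",", ""))
        return OtlEntry(m["kind"], m["path"], m["name"], m["company"], m["state"], size, True)
    return None


def triage(lines: List[str]) -> Dict[str, List[OtlEntry]]:
    """Bucket parsed entries into the things a helper checks first."""
    entries = [e for e in map(parse_otl_line, lines) if e is not None]
    return {
        # stale registrations: the service/driver key survives but its file is gone
        "missing_file": [e for e in entries if not e.file_found],
        # files carrying no company name in their version info
        "no_company": [e for e in entries if e.file_found and not e.company],
        # subset of the above that is actually loaded right now
        "running_no_company": [e for e in entries if e.file_found and not e.company and e.running],
    }


# Sample input: lines copied from the OTL log posted later in this thread.
SAMPLE_LINES = [
    r"========== Win32 Services (SafeList) ==========",
    r"PRC - [2012/03/24 17:34:51 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1 Sarah\Desktop\OTL.com",
    r"MOD - [2011/08/12 17:13:26 | 000,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe",
    r"SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\PsaSrv.exe -- (PsaSrv)",
    r"SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)",
    r"SRV - [2011/12/18 21:08:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)",
    r"SRV - [2011/08/12 17:13:26 | 000,087,040 | ---- | M] () [Auto | Running] -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)",
    r"DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)",
    r"DRV - File not found [Kernel | Boot | Stopped] -- system32\ZoneLabs\srescan.sys -- (srescan)",
    r"DRV - [2011/12/18 21:04:24 | 000,525,840 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (Vsdatant)",
    r"DRV - [2005/03/18 10:07:00 | 000,002,432 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\IBMBLDID.SYS -- (IBMTPCHK)",
]


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LINES).items():
        print(f"{bucket}: {len(items)}")
        for e in items:
            print(f"  {e.kind} {e.name or '-'} [{e.state or '-'}] {e.path or '(no path)'}")
```

    The output is a worklist, not a verdict: an empty company field is common for OEM utilities (several of the ThinkPad and IBM files in this thread's log have none), and a "File not found" entry is usually a leftover of uninstalled software. The point of bucketing is to shorten the list a helper has to look up by hand, with running, company-less files at the top.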

  6. #6
    Member
    Join Date
    Oct 2008
    Posts
    94


    It was touch and go but we got there:

    OTL logfile created on: 24/03/2012 17:36:52 - Run 1
    OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\1 Sarah\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.49 Gb Total Physical Memory | 0.97 Gb Available Physical Memory | 65.37% Memory free
    2.83 Gb Paging File | 2.31 Gb Available in Paging File | 81.64% Paging File free
    Paging file location(s): C:\pagefile.sys 0 0 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 33.29 Gb Total Space | 1.09 Gb Free Space | 3.27% Space Free | Partition Type: NTFS

    Computer Name: MAXIMILLION | User Name: 1 Sarah | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/03/24 17:34:51 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1 Sarah\Desktop\OTL.com
    PRC - [2011/12/18 21:08:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
    PRC - [2011/12/18 21:04:24 | 000,073,360 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
    PRC - [2011/11/03 14:44:28 | 000,497,280 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
    PRC - [2011/11/03 14:44:24 | 000,738,944 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    PRC - [2011/08/12 17:13:26 | 000,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
    PRC - [2011/07/01 19:10:23 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    PRC - [2011/04/30 08:52:26 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
    PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    PRC - [2010/12/24 12:02:23 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2010/01/14 20:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2005/03/18 10:07:00 | 000,086,016 | ---- | M] (IBM Corp.) -- C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    PRC - [2005/03/18 10:07:00 | 000,077,824 | ---- | M] (IBM Corp.) -- C:\WINDOWS\system32\QCONSVC.EXE
    PRC - [2005/03/04 00:10:32 | 000,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    PRC - [2004/12/16 11:49:44 | 000,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    PRC - [2004/11/04 16:47:04 | 000,040,547 | ---- | M] (UPEK Inc.) -- C:\Program Files\Common Files\Virtual Token\vtserver.exe
    PRC - [2004/09/06 23:03:52 | 000,077,824 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    PRC - [2003/07/12 01:19:22 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
    PRC - [2002/01/10 22:01:34 | 000,065,536 | ---- | M] (IBM Corporation) -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/08/12 17:13:26 | 000,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
    MOD - [2010/01/28 11:57:58 | 000,355,688 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
    MOD - [2005/03/19 06:10:38 | 000,028,672 | ---- | M] () -- C:\Program Files\ThinkPad\ConnectUtilities\Res\US\IconRes.dll
    MOD - [2005/03/04 00:10:32 | 000,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    MOD - [2005/01/21 08:00:00 | 000,065,536 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWRMGRIF.DLL
    MOD - [2005/01/21 08:00:00 | 000,032,768 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRT.DLL
    MOD - [2004/12/16 11:49:44 | 000,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    MOD - [2004/12/16 10:41:58 | 000,045,056 | ---- | M] () -- C:\WINDOWS\system32\pwdmon.dll
    MOD - [2004/11/24 09:10:00 | 000,036,864 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\EZMAPRES.DLL
    MOD - [2004/09/06 23:03:52 | 000,077,824 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    MOD - [2004/08/17 19:28:12 | 000,225,280 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\tpfnf7.dll
    MOD - [2004/08/13 03:11:26 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\tphklock.dll
    MOD - [2003/07/12 01:19:22 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
    MOD - [2003/07/04 06:49:30 | 000,024,576 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY_2\tphk_2k.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\PsaSrv.exe -- (PsaSrv)
    SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
    SRV - [2012/02/15 13:30:18 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
    SRV - [2011/12/18 21:08:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
    SRV - [2011/11/03 14:44:28 | 000,497,280 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe -- (IswSvc)
    SRV - [2011/08/12 17:13:26 | 000,087,040 | ---- | M] () [Auto | Running] -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)
    SRV - [2011/07/01 19:10:23 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2011/06/29 14:59:18 | 000,155,344 | ---- | M] (Avanquest Software) [On_Demand | Stopped] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe -- (Sony Ericsson PCCompanion)
    SRV - [2011/04/30 08:52:26 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
    SRV - [2009/04/02 15:52:56 | 000,543,744 | ---- | M] (OptionNV) [Disabled | Stopped] -- C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe -- (GtDetectSc)
    SRV - [2008/08/29 10:01:22 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus(R) Helper) getPlus(R)
    SRV - [2005/03/18 10:07:00 | 000,077,824 | ---- | M] (IBM Corp.) [Auto | Running] -- C:\WINDOWS\system32\QCONSVC.EXE -- (QCONSVC)
    SRV - [2004/12/16 11:49:44 | 000,385,024 | ---- | M] () [Auto | Running] -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe -- (IBM Rapid Restore Ultra Service)
    SRV - [2004/11/04 16:47:04 | 000,040,547 | ---- | M] (UPEK Inc.) [Auto | Running] -- C:\Program Files\Common Files\Virtual Token\vtserver.exe -- (vtserver)
    SRV - [2004/10/01 22:06:34 | 000,163,840 | ---- | M] (Broadcom Corporation) [On_Demand | Stopped] -- C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe -- (btwdins)
    SRV - [2003/07/12 01:19:22 | 000,032,768 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | Boot | Stopped] -- system32\ZoneLabs\srescan.sys -- (srescan)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\LVCD.sys -- (QCDonner) Logitech QuickCam Express(PID_0840)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\glauiad.sys -- (iadusb)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\adiusbaw.sys -- (adiusbaw)
    DRV - File not found [Kernel | Auto | Stopped] -- System32\Drivers\adildr.sys -- (ADILOADER) General Purpose USB Driver (adildr.sys)
    DRV - [2011/12/18 21:04:24 | 000,525,840 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (Vsdatant)
    DRV - [2011/11/03 14:44:20 | 000,027,016 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
    DRV - [2011/07/01 19:10:25 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
    DRV - [2011/07/01 19:10:25 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
    DRV - [2010/06/22 18:01:50 | 000,021,248 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\htcnprot.sys -- (htcnprot)
    DRV - [2009/12/24 20:57:13 | 000,025,512 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggsemc.sys -- (ggsemc)
    DRV - [2009/12/24 20:57:13 | 000,013,224 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggflt.sys -- (ggflt)
    DRV - [2009/06/10 00:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys -- (HTCAND32)
    DRV - [2009/05/11 10:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2009/05/11 08:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
    DRV - [2008/10/21 08:22:48 | 000,114,600 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017mdm.sys -- (s0017mdm)
    DRV - [2008/10/21 08:22:48 | 000,109,736 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017unic.sys -- (s0017unic) Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM)
    DRV - [2008/10/21 08:22:48 | 000,108,328 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017mgmt.sys -- (s0017mgmt) Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM)
    DRV - [2008/10/21 08:22:48 | 000,104,616 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017obex.sys -- (s0017obex)
    DRV - [2008/10/21 08:22:48 | 000,086,824 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017bus.sys -- (s0017bus) Sony Ericsson Device 0017 driver (WDM)
    DRV - [2008/10/21 08:22:48 | 000,026,024 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017nd5.sys -- (s0017nd5) Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS)
    DRV - [2008/10/21 08:22:48 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017mdfl.sys -- (s0017mdfl)
    DRV - [2008/04/13 18:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
    DRV - [2008/02/18 16:14:38 | 000,106,624 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Gt51Ip.sys -- (GT72NDISIPXP)
    DRV - [2008/02/08 12:00:22 | 000,059,648 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gt72ubus.sys -- (GT72UBUS)
    DRV - [2008/02/01 15:43:22 | 000,103,720 | ---- | M] (Guillemot Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\camfilt2.sys -- (camfilt2)
    DRV - [2008/01/09 12:28:34 | 000,027,632 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\seehcri.sys -- (seehcri)
    DRV - [2007/12/10 13:22:22 | 000,110,120 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017unic.sys -- (s3017unic) Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM)
    DRV - [2007/12/10 13:22:22 | 000,100,648 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017obex.sys -- (s3017obex)
    DRV - [2007/12/10 13:22:20 | 000,104,616 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017mgmt.sys -- (s3017mgmt) Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM)
    DRV - [2007/12/10 13:22:20 | 000,025,512 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017nd5.sys -- (s3017nd5) Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS)
    DRV - [2007/12/10 13:22:18 | 000,110,632 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017mdm.sys -- (s3017mdm)
    DRV - [2007/12/10 13:22:18 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017mdfl.sys -- (s3017mdfl)
    DRV - [2007/12/10 13:22:14 | 000,083,880 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3017bus.sys -- (s3017bus) Sony Ericsson Device 3017 driver (WDM)
    DRV - [2007/07/13 09:45:08 | 000,285,952 | ---- | M] (Akkord Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HDvidv.sys -- (APL531)
    DRV - [2007/06/14 17:34:00 | 000,457,856 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PAC7302.SYS -- (PAC7302)
    DRV - [2007/05/21 07:29:26 | 000,235,648 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8187.sys -- (RTLWUSB)
    DRV - [2007/04/23 15:54:50 | 000,100,488 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115mgmt.sys -- (s115mgmt) Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM)
    DRV - [2007/04/23 15:54:46 | 000,083,208 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115bus.sys -- (s115bus) Sony Ericsson Device 115 driver (WDM)
    DRV - [2007/04/23 13:54:50 | 000,098,568 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115obex.sys -- (s115obex)
    DRV - [2007/04/23 13:54:48 | 000,108,680 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115mdm.sys -- (s115mdm)
    DRV - [2007/04/23 13:54:48 | 000,015,112 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115mdfl.sys -- (s115mdfl)
    DRV - [2007/04/03 13:57:54 | 000,099,080 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116unic.sys -- (s116unic) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM)
    DRV - [2007/04/03 13:57:52 | 000,098,696 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116obex.sys -- (s116obex)
    DRV - [2007/04/03 13:57:52 | 000,023,176 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116nd5.sys -- (s116nd5) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS)
    DRV - [2007/04/03 13:57:50 | 000,100,488 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116mgmt.sys -- (s116mgmt) Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM)
    DRV - [2007/04/03 13:57:48 | 000,108,680 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116mdm.sys -- (s116mdm)
    DRV - [2007/04/03 13:57:48 | 000,015,112 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116mdfl.sys -- (s116mdfl)
    DRV - [2007/04/03 13:57:42 | 000,083,336 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116bus.sys -- (s116bus) Sony Ericsson Device 116 driver (WDM)
    DRV - [2007/03/30 12:38:14 | 000,008,064 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gtptser.sys -- (GTPTSER)
    DRV - [2005/08/15 19:25:50 | 000,013,184 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
    DRV - [2005/03/18 10:07:00 | 000,012,288 | ---- | M] (IBM Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qcndisif.sys -- (QCNDISIF)
    DRV - [2005/03/18 10:07:00 | 000,011,520 | ---- | M] (IBM Corp.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ANC.sys -- (ANC)
    DRV - [2005/03/18 10:07:00 | 000,002,432 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\IBMBLDID.SYS -- (IBMTPCHK)
    DRV - [2005/02/14 15:00:10 | 003,255,168 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
    DRV - [2005/02/11 09:22:48 | 000,081,728 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\k750mgmt.sys -- (k750mgmt)
    DRV - [2005/02/11 09:19:20 | 000,055,216 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\k750bus.sys -- (k750bus) Sony Ericsson 750 driver (WDM)
    DRV - [2005/01/21 08:40:00 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SMAPINT.SYS -- (Smapint)
    DRV - [2005/01/21 08:40:00 | 000,009,340 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
    DRV - [2005/01/21 08:00:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
    DRV - [2004/12/16 11:12:20 | 000,063,616 | ---- | M] (IBM) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ibmfilter.sys -- (ibmfilter)
    DRV - [2004/12/07 00:55:20 | 000,126,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2004/12/02 23:14:44 | 000,014,208 | ---- | M] (IBM Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\TPDiskPM.sys -- (TPDiskPM)
    DRV - [2004/12/02 22:54:12 | 000,006,016 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TPInput.sys -- (TPInput)
    DRV - [2004/12/01 09:33:00 | 000,007,168 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
    DRV - [2004/11/10 23:47:30 | 000,200,448 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
    DRV - [2004/11/10 23:46:24 | 000,685,184 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2004/11/10 23:45:50 | 001,041,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
    DRV - [2004/10/15 17:20:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
    DRV - [2004/10/01 21:51:46 | 000,017,024 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
    DRV - [2004/10/01 21:48:30 | 001,241,482 | ---- | M] (Broadcom Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
    DRV - [2004/10/01 21:47:06 | 000,147,896 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
    DRV - [2004/10/01 21:44:22 | 000,030,299 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
    DRV - [2004/10/01 21:43:44 | 000,054,488 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
    DRV - [2004/08/04 12:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
    DRV - [2004/08/04 12:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
    DRV - [2004/05/19 20:41:26 | 000,013,757 | ---- | M] (National Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NscTpmDD.sys -- (portio)
    DRV - [2003/12/08 10:53:48 | 000,053,600 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcan5wn.sys -- (alcan5wn) SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)
    DRV - [2003/12/08 10:53:46 | 000,070,688 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcaudsl.sys -- (alcaudsl)
    DRV - [2002/02/19 12:06:28 | 000,021,019 | ---- | M] (Magic Control Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\u2s2kxp.sys -- (U2SP) USB to Serial Converter Driver(Philips)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.saynoto0870.com/
    IE - HKCU\..\SearchScopes,DefaultScope = {78F909E2-E4DC-4AF1-8FD7-B411278EEC6D}
    IE - HKCU\..\SearchScopes\{04E563C9-734C-41AE-A368-E84AB98DF7A7}: "URL" = http://www.bing.com/search?q={searchTerms}&form=IE0006
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
    IE - HKCU\..\SearchScopes\{78F909E2-E4DC-4AF1-8FD7-B411278EEC6D}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultthis.engineName: "Messenger Plus Live UK Customized Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2516768&SearchSource=3&q={searchTerms}"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://www.saynoto0870.com/numbersearch.php"
    FF - prefs.js..extensions.enabledItems: {53c4d698-0a74-873e-7946-7d19bb035667}:2.6
    FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19.1
    FF - prefs.js..extensions.enabledItems: feedbar@efinke.com:5.0
    FF - prefs.js..extensions.enabledItems: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}:7.0.3.0
    FF - prefs.js..extensions.enabledItems: {c33c5b47-69c8-45a4-a5e0-af85bbe628dd}:1.6.1.3
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..extensions.enabledItems: CompactMenuCE@Merci.chao:4.2.1
    FF - prefs.js..extensions.enabledItems: isreaditlater@ideashower.com:2.1.1
    FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.5
    FF - prefs.js..extensions.enabledItems: reliby@gemal.dk:1.5.0
    FF - prefs.js..extensions.enabledItems: {1f91cde0-c040-11da-a94d-0800200c9a66}:4.1
    FF - prefs.js..extensions.enabledItems: savesession@noasobi.net:1.3.1.6
    FF - prefs.js..extensions.enabledItems: {53A03D43-5363-4669-8190-99061B2DEBA5}:1.3.7
    FF - prefs.js..extensions.enabledItems: firefox-extension@shareaholic.com:2.2.0
    FF - prefs.js..extensions.enabledItems: {BEDED222-EAEC-11DA-9B41-B622A1EF5492}:1.0.12
    FF - prefs.js..extensions.enabledItems: smartbookmarksbar@remy.juteau:1.4.3
    FF - prefs.js..extensions.enabledItems: {64161300-e22b-11db-8314-0800200c9a66}:0.9.5.8
    FF - prefs.js..extensions.enabledItems: taboo@runningfrombears.com:0.6.1
    FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119091315
    FF - prefs.js..extensions.enabledItems: zotero@chnm.gmu.edu:2.0.9
    FF - prefs.js..network.proxy.type: 4


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.652: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.652: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/07/01 19:48:19 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2012/03/17 22:42:55 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/10 14:18:14 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/12 15:17:11 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 9.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/01/11 12:59:02 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012/01/12 15:17:14 | 000,000,000 | ---D | M]

    [2008/07/01 19:15:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Extensions
    [2012/03/23 22:37:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions
    [2011/12/09 10:41:53 | 000,000,000 | ---D | M] (iMacros for Firefox) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
    [2010/12/23 22:31:05 | 000,000,000 | ---D | M] (British English Dictionary) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\en-GB@dictionaries.addons.mozilla.org
    [2011/11/07 17:47:35 | 000,000,000 | ---D | M] ("MemberPlugin") -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\MemberPlugin@edward.hibbert
    [2010/02/09 20:50:18 | 000,000,000 | ---D | M] (Reliby) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\reliby@gemal.dk
    [2009/07/22 10:32:24 | 000,000,000 | ---D | M] (Save Session) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\savesession@noasobi.net
    [2012/03/03 05:46:54 | 000,000,000 | ---D | M] (Zotero) -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\extensions\zotero@chnm.gmu.edu
    [2011/09/25 18:28:32 | 000,002,220 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\amabay-uk.xml
    [2012/03/16 22:22:21 | 000,002,570 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\amazon-decouk.xml
    [2010/02/06 22:17:22 | 000,000,947 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\conduit.xml
    [2011/09/25 18:29:34 | 000,011,430 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\ebaycouk-search.xml
    [2008/06/25 12:48:35 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\wikipedia-en.xml
    [2011/07/09 20:01:05 | 000,002,323 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\searchplugins\youtube-ssl.xml
    [2012/01/10 14:19:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/03/02 20:33:30 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    [2012/01/10 14:18:11 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2008/04/11 17:38:19 | 000,024,673 | ---- | M] (Check Point Software Technologies Ltd.) -- C:\Program Files\mozilla firefox\plugins\NPZoneSB.dll
    [2012/01/10 14:17:49 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/01/10 14:17:49 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    ========== Chrome ==========

    CHR - default_search_provider: Google ()
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}

    O1 HOSTS File: ([2008/11/05 22:12:18 | 000,286,531 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 9901 more lines...
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
    O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
    O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
    O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
    O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (IBM Corp.)
    O4 - HKLM..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)
    O4 - HKLM..\Run: [TP4EX] C:\WINDOWS\System32\TP4EX.exe (IBM Corporation)
    O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()
    O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (IBM Corp.)
    O4 - HKLM..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe ()
    O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
    O4 - Startup: C:\Documents and Settings\1 Sarah\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 227
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
    O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
    O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm ()
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} Reg Error: Value error. (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/...ll-142-win.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_24)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BDC00D27-CAA4-4564-8568-4160324D1BAF}: DhcpNameServer = 192.168.1.254
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (Broadcom Corporation)
    O20 - AppInit_DLLs: (avgrsstx.dll) - File not found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
    O20 - Winlogon\Notify\psfus: DllName - (C:\Program Files\IBM fingerprint software\psfus.dll) - C:\Program Files\IBM fingerprint software\psfus.dll (UPEK Inc.)
    O20 - Winlogon\Notify\QConGina: DllName - (QConGina.dll) - C:\WINDOWS\System32\QConGina.dll (IBM Corp.)
    O20 - Winlogon\Notify\tphotkey: DllName - (tphklock.dll) - C:\WINDOWS\System32\tphklock.dll ()
    O24 - Desktop WallPaper: C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2005/10/06 06:35:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O33 - MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\Shell - "" = AutoRun
    O33 - MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\Shell\AutoRun\command - "" = E:\AutoRun.exe
    O33 - MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\Shell - "" = AutoRun
    O33 - MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\Shell\AutoRun\command - "" = E:\AutoRun.exe
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/03/24 17:34:21 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\1 Sarah\Desktop\OTL.com
    [2012/03/23 22:35:11 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\1 Sarah\Desktop\aswMBR.exe
    [2012/03/18 02:28:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
    [2012/03/17 22:44:56 | 000,237,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
    [2012/03/17 22:41:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
    [2012/03/17 22:40:19 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2012/03/17 18:39:30 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\1 Sarah\Desktop\dds.scr
    [2012/03/17 18:34:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
    [2012/03/17 18:34:09 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
    [2012/03/17 18:33:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
    [2012/03/17 08:58:44 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\1 Sarah\Recent
    [2012/03/17 08:39:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trusteer
    [2012/03/03 06:25:19 | 006,600,192 | ---- | C] (Mirage Systems) -- C:\WINDOWS\System32\LicProtector310.exe
    [2012/03/03 06:25:19 | 002,323,520 | ---- | C] (gdpicture.com) -- C:\WINDOWS\System32\gdpicturepro5.ocx
    [2012/03/02 20:32:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
    [2012/03/02 20:32:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
    [9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/03/24 17:43:13 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
    [2012/03/24 17:34:51 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1 Sarah\Desktop\OTL.com
    [2012/03/24 00:28:09 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2012/03/24 00:22:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/03/24 00:22:09 | 1600,638,976 | -HS- | M] () -- C:\hiberfil.sys
    [2012/03/23 23:49:34 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Desktop\MBR.dat
    [2012/03/23 22:36:11 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\1 Sarah\Desktop\aswMBR.exe
    [2012/03/17 22:41:22 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
    [2012/03/17 22:40:05 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/03/17 21:21:13 | 000,262,232 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2012/03/17 21:11:28 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/03/17 18:39:38 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\1 Sarah\Desktop\dds.scr
    [2012/03/17 18:34:46 | 000,000,778 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    [2012/03/17 18:34:11 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Desktop\ERUNT.lnk
    [2012/03/17 18:33:01 | 000,000,962 | ---- | M] () -- C:\Documents and Settings\1 Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
    [2012/03/17 09:01:40 | 000,582,406 | ---- | M] () -- C:\Documents and Settings\1 Sarah\My Documents\cc_backup changes 17.3.12.reg
    [2012/03/06 09:31:11 | 000,435,154 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/03/06 09:31:11 | 000,068,892 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/03/06 09:21:41 | 000,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
    [9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/03/23 23:49:34 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Desktop\MBR.dat
    [2012/03/17 22:46:08 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2012/03/17 22:41:22 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
    [2012/03/17 22:40:40 | 000,001,691 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2012/03/17 21:11:06 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
    [2012/03/17 18:34:46 | 000,000,778 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    [2012/03/17 18:34:11 | 000,000,603 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Desktop\ERUNT.lnk
    [2012/03/17 18:33:01 | 000,000,962 | ---- | C] () -- C:\Documents and Settings\1 Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
    [2012/03/17 09:00:57 | 000,582,406 | ---- | C] () -- C:\Documents and Settings\1 Sarah\My Documents\cc_backup changes 17.3.12.reg
    [2012/03/06 09:21:41 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
    [2012/02/20 18:26:17 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2011/10/10 10:28:05 | 000,000,302 | ---- | C] () -- C:\WINDOWS\System32\Remover.ini
    [2011/09/24 20:22:09 | 003,600,384 | ---- | C] () -- C:\WINDOWS\ffmpeg.exe
    [2010/05/05 20:26:20 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
    [2010/04/11 19:50:23 | 000,000,272 | ---- | C] () -- C:\WINDOWS\_delis32.ini

    ========== LOP Check ==========

    [2012/01/25 16:34:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Amorh
    [2010/04/10 21:32:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\AVGTOOLBAR
    [2010/07/24 09:37:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\CheckPoint
    [2009/05/01 19:09:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2010/01/18 20:28:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Desktopicon
    [2012/01/18 18:24:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\HTC
    [2011/12/30 13:29:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\HTC.388BC06ACDAB6261375BCE37FBA2E023C0D7EE34.1
    [2009/07/25 23:29:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\HTML Executable
    [2005/10/07 15:43:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\IBM
    [2005/10/30 10:41:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\InterVideo
    [2008/04/03 19:10:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\iolo
    [2009/05/22 07:25:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\MSNInstaller
    [2010/01/19 19:38:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\MyPhoneExplorer
    [2007/05/14 10:26:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Nikon
    [2009/05/31 17:50:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Nokia Multimedia Player
    [2007/04/12 14:36:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\OpenOffice.org1.9.79
    [2011/12/30 13:33:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Outlook
    [2012/03/03 07:25:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Suyguvl
    [2010/02/19 12:04:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Tatara Systems
    [2011/06/14 08:59:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\TeamViewer
    [2009/12/31 13:26:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Teleca
    [2012/01/11 12:59:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Thunderbird
    [2011/05/09 20:14:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\Uniblue
    [2009/05/29 14:15:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\uTorrent
    [2008/11/01 20:50:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1 Sarah\Application Data\WinPatrol
    [2010/09/23 11:09:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
    [2012/01/11 11:53:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
    [2005/10/11 11:32:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ibm
    [2008/04/03 19:10:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
    [2008/02/18 09:49:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
    [2010/02/19 12:00:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\O2CM-CE
    [2011/03/04 18:58:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sage
    [2005/11/26 11:00:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
    [2009/12/28 11:05:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Teleca
    [2010/01/19 19:40:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2012/03/17 08:39:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
    [2011/10/24 11:32:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2012/03/24 00:28:09 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
    [2012/03/24 17:43:13 | 000,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

    ========== Purity Check ==========



    ========== Custom Scans ==========

    < %SYSTEMDRIVE%\*.exe >
    [2008/09/29 13:07:31 | 000,000,184 | ---- | M] () -- C:\setuplog.exe

    < MD5 for: AGP440.SYS >
    [2004/08/04 12:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
    [2004/08/04 12:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
    [2008/10/14 13:06:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
    [2008/10/14 13:06:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
    [2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
    [2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
    [2004/08/04 06:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

    < MD5 for: ATAPI.SYS >
    [2004/08/04 12:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
    [2004/08/04 12:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
    [2008/10/14 13:06:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
    [2008/10/14 13:06:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
    [2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
    [2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
    [2004/08/04 05:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

    < MD5 for: EVENTLOG.DLL >
    [2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
    [2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
    [2004/08/04 12:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

    < MD5 for: NETLOGON.DLL >
    [2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
    [2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
    [2004/08/04 12:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

    < MD5 for: SCECLI.DLL >
    [2004/08/04 12:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
    [2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
    [2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >
    [9 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\system32\drivers\*.sys /lockedfiles >

    < %systemroot%\System32\config\*.sav >
    [2004/08/09 17:45:10 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
    [2004/08/09 17:45:10 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
    [2004/08/09 17:45:10 | 000,876,544 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

    < %systemroot%\system32\drivers\*.sys /90 >
    [2012/01/09 16:20:25 | 000,139,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\rdpwd.sys

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 229 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8FF81EB0

    < End of report >

#7 | Member | Join Date: Oct 2008 | Posts: 94

    EXTRAS:

    OTL Extras logfile created on: 24/03/2012 17:36:52 - Run 1
    OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\1 Sarah\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.49 Gb Total Physical Memory | 0.97 Gb Available Physical Memory | 65.37% Memory free
    2.83 Gb Paging File | 2.31 Gb Available in Paging File | 81.64% Paging File free
    Paging file location(s): C:\pagefile.sys 0 0 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 33.29 Gb Total Space | 1.09 Gb Free Space | 3.27% Space Free | Partition Type: NTFS

    Computer Name: MAXIMILLION | User Name: 1 Sarah | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
    http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
    https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring" = 1

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
    "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
    "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\IBM\Updater\jre\bin\java.exe" = C:\Program Files\IBM\Updater\jre\bin\java.exe:*:Enabled:IBM Update Connector -- (IBM)
    "C:\Program Files\IBM\Updater\jre\bin\javaw.exe" = C:\Program Files\IBM\Updater\jre\bin\javaw.exe:*:Enabled:IBM Update Connector -- (IBM)
    "C:\Program Files\IBM\Updater\ucsmb.exe" = C:\Program Files\IBM\Updater\ucsmb.exe:*:Enabled:IBM Update Connector -- (IBM Corporation, Inc.)
    "%windir%\explorer.exe" = %windir%\explorer.exe -- (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\IBM\Updater\jre\bin\java.exe" = C:\Program Files\IBM\Updater\jre\bin\java.exe:*:Enabled:IBM Update Connector -- (IBM)
    "C:\Program Files\IBM\Updater\jre\bin\javaw.exe" = C:\Program Files\IBM\Updater\jre\bin\javaw.exe:*:Enabled:IBM Update Connector -- (IBM)
    "C:\Program Files\IBM\Updater\ucsmb.exe" = C:\Program Files\IBM\Updater\ucsmb.exe:*:Enabled:IBM Update Connector -- (IBM Corporation, Inc.)
    "C:\Program Files\ViaVoice\BIN\audmig.exe" = C:\Program Files\ViaVoice\BIN\audmig.exe:*:Enabled:audmig
    "C:\Program Files\ViaVoice\BIN\macroeditor.exe" = C:\Program Files\ViaVoice\BIN\macroeditor.exe:*:Enabled:macroeditor
    "C:\Program Files\ViaVoice\BIN\msaadmn.exe" = C:\Program Files\ViaVoice\BIN\msaadmn.exe:*:Enabled:msaadmn
    "C:\Program Files\ViaVoice\BIN\navcentral.exe" = C:\Program Files\ViaVoice\BIN\navcentral.exe:*:Enabled:navcentral
    "C:\Program Files\ViaVoice\BIN\smart.exe" = C:\Program Files\ViaVoice\BIN\smart.exe:*:Enabled:smart
    "C:\Program Files\ViaVoice\BIN\speechbar.exe" = C:\Program Files\ViaVoice\BIN\speechbar.exe:*:Enabled:speechbar
    "C:\Program Files\Microsoft Office\Office\WINWORD.EXE" = C:\Program Files\Microsoft Office\Office\WINWORD.EXE:*:Enabled:Microsoft Word for Windows -- (Microsoft Corporation)
    "C:\Program Files\ViaVoice\BIN\engine.exe" = C:\Program Files\ViaVoice\BIN\engine.exe:*:Enabled:IBM ViaVoice ® Speech Recognition
    "C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation)
    "C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
    "C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
    "C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
    "C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
    "C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager
    "C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon
    "C:\Program Files\Sony Ericsson\Update Engine\Sony Ericsson Update Engine.exe" = C:\Program Files\Sony Ericsson\Update Engine\Sony Ericsson Update Engine.exe:*:Enabled:Update Engine -- ()
    "C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
    "%windir%\explorer.exe" = %windir%\explorer.exe -- (Microsoft Corporation)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business
    "{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
    "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    "{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
    "{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
    "{0873B1A3-00A9-40D6-BACE-3DB4BC5DA840}" = IBM SATA Power Management Driver
    "{0D09E359-0C98-4D93-B6F9-1FF68ED4B27C}" = Nokia Multimedia Player
    "{1007F41F-7D69-468E-8017-3849A5A973C2}" = IBM ThinkVantage Technologies Welcome Message
    "{11783F13-C3A9-44A8-929B-21A476F65272}" = IBM Rescue and Recovery with Rapid Restore
    "{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = IBM DLA
    "{1297C681-92D7-40EF-93BF-03F66EC5105C}" = IBM ThinkPad EasyEject Utility
    "{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows
    "{2111B23F-7FDA-4A41-8309-E5A1663CA296}" = IBM ThinkPad Keyboard Customizer Utility
    "{22B71A00-4DED-11D4-A5E5-0004AC564F43}" = IBM Access Connections
    "{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
    "{245F5D2D-6F34-4970-B8D7-D6F3C3C07575}" = ZoneAlarm Firewall
    "{25BEC3AB-5CD4-481D-9143-215C1BBB189E}" = Sony Ericsson PC Suite
    "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 24
    "{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
    "{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
    "{31A559C1-9E4D-423B-9DD3-34A6C5398752}" = HTC BMP USB Driver
    "{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
    "{34BFBF2A-06B9-4B5E-BB33-E78B67450ED7}" = IBM fingerprint software 4.5.3
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}" = SAGEM F@st 800-840
    "{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
    "{526B2AE8-73DF-4CE0-B140-9968677A7C93}" = HTC Sync
    "{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
    "{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
    "{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
    "{6CE96A14-61E2-48CC-837E-22710A953ADE}" = IBM Themes
    "{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver Installer
    "{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{72806716-7088-41B2-8FA6-717A2A164DAB}" = IBM Active Protection System
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
    "{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
    "{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
    "{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}" = IBM ThinkPad UltraNav Wizard
    "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    "{884BB5CC-108E-41a9-936D-955C999C06A1}_x" = GlobeTrotter Connect
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver for Mobile
    "{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
    "{8D815BF3-2399-459C-B121-49373FEFB9E8}" = IBM Update Connector
    "{90535871-81B9-4D99-8A13-A7EE97F2D7FE}" = IBM Integrated Bluetooth IV Software
    "{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = IBM RecordNow!
    "{96ACE4A4-C769-47D2-9FCE-4F46754857E7}" = ZoneAlarm Security
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
    "{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = IBM ThinkPad Power Manager
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
    "{ACEB2BAF-96DF-48FD-ADD5-43842D4C443D}" = Adobe AIR
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
    "{B7DBF6E8-0D17-4BE4-853B-ACD6EFBD4A1F}" = iTunes
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C60BA916-9E44-4DA4-B11A-9E27B7624EF5}" = Sony Ericsson Drivers
    "{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update
    "{C92E7DF1-624A-4D95-A4C4-18CB491B44A4}" = Sony Ericsson Device Data
    "{CB995BB2-4D75-4D6A-A164-E986CCD6C682}" = Targus USB Adapter
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D6BF6477-8369-489F-8DE6-3731F4B88560}" = Sony Ericsson PC Suite
    "{D8B883E4-DF64-4A91-B785-08FC9B78923D}" = i-Look 317
    "{E64A463C-ABE6-4649-AFD5-F481E18F8E1F}" = GlobeTrotter Connect
    "{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
    "{EA664480-3844-11D5-8C25-444553540000}" = IBM TrackPoint Accessibility Features
    "{EC6AF20D-4376-4070-BEE4-D3A0DFF7E140}" = Access IBM
    "{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.8
    "{F09EF8F2-0976-42C1-8D9D-8DF78337C6E3}" = Sony Ericsson PC Companion 2.02.002
    "{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
    "{F0CFDC72-63D2-4086-A54F-1514494394A0}" = Hercules DualPix HD Webcam
    "{F386C340-DF4B-4BBA-9503-420FB7EDB395}" = Wallpapers
    "{F413B3A4-EE5D-457C-BAE5-6E58D9589ED5}" = Access IBM Message Center
    "{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
    "{FC081D4D-DF1B-4CF1-B530-027E4118D846}" = IBM ThinkPad Configuration
    "{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Adobe Photoshop 7.0" = Adobe Photoshop 7.0
    "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
    "CCleaner" = CCleaner
    "CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014" = IBM Integrated 56K Modem
    "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
    "Easy-WebPrint" = Easy-WebPrint
    "eBay Icon" = eBay Icon
    "ERUNT_is1" = ERUNT 1.1j
    "HijackThis" = HijackThis 2.0.2
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{0D09E359-0C98-4D93-B6F9-1FF68ED4B27C}" = Nokia Multimedia Player
    "InstallShield_{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Micrografx Picture Publisher 7" = Micrografx Picture Publisher 7
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft Security Client" = Microsoft Security Essentials
    "Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
    "Mozilla Thunderbird 9.0.1 (x86 en-US)" = Mozilla Thunderbird 9.0.1 (x86 en-US)
    "MPE" = MyPhoneExplorer
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "Power Management Driver" = IBM ThinkPad Power Management Driver
    "Presentation Director" = IBM ThinkPad Presentation Director
    "ProInst" = Intel(R) PROSet/Wireless Software
    "RealPlayer 12.0" = RealPlayer
    "Sunny Data" = Sunny Data
    "SynTPDeinstKey" = IBM ThinkPad UltraNav Driver
    "ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
    "ThinkPadSoftwareInstaller" = ThinkPad Software Installer
    "Update Engine" = Sony Ericsson Update Engine
    "Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WindowsScriptHost" = Microsoft Windows Script Host
    "WinPatrol" = WinPatrol 2008
    "WinZip" = WinZip
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "ZoneAlarm Free" = ZoneAlarm Free
    "ZoneAlarm Toolbar" = ZoneAlarm Toolbar
    "ZoneAlarmSB Uninstall" = ZoneAlarm Spy Blocker

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "uTorrent" = µTorrent

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 16/03/2012 14:15:49 | Computer Name = MAXIMILLION | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: A connection with the server could not be established

    Error - 17/03/2012 17:21:35 | Computer Name = MAXIMILLION | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The server name or address could not be resolved

    Error - 17/03/2012 18:41:05 | Computer Name = MAXIMILLION | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 3.0.8402.0,
    P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

    Error - 17/03/2012 18:41:39 | Computer Name = MAXIMILLION | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
    P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
    P8 NIL, P9 NIL, P10 NIL.

    Error - 17/03/2012 18:42:09 | Computer Name = MAXIMILLION | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
    P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
    P8 NIL, P9 NIL, P10 NIL.

    Error - 17/03/2012 18:42:17 | Computer Name = MAXIMILLION | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
    P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
    P8 NIL, P9 NIL, P10 NIL.

    Error - 17/03/2012 22:28:16 | Computer Name = MAXIMILLION | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
    P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
    P8 NIL, P9 NIL, P10 NIL.

    Error - 17/03/2012 23:59:24 | Computer Name = MAXIMILLION | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 0, P2 moaccapability, P3 3.0.8402.0, P4
    0, P5 0, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

    Error - 23/03/2012 18:58:41 | Computer Name = MAXIMILLION | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 0xffffffef, P2 patchapplication, P3 am bde,
    P4 11.1.3927.0, P5 mpsigstub.exe, P6 3.0.8402.0, P7 microsoft security essentials,
    P8 NIL, P9 NIL, P10 NIL.

    Error - 23/03/2012 19:09:12 | Computer Name = MAXIMILLION | Source = Application Hang | ID = 1002
    Description = Hanging application WINWORD.EXE, version 9.0.0.2717, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    [ System Events ]
    Error - 18/01/2012 12:48:48 | Computer Name = MAXIMILLION | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the stisvc service.

    Error - 18/01/2012 13:14:16 | Computer Name = MAXIMILLION | Source = Service Control Manager | ID = 7000
    Description = The General Purpose USB Driver (adildr.sys) service failed to start
    due to the following error: %%2

    Error - 18/01/2012 13:14:17 | Computer Name = MAXIMILLION | Source = Service Control Manager | ID = 7001
    Description = The Print Spooler service depends on the LexBce Server service which
    failed to start because of the following error: %%1058

    Error - 18/01/2012 13:14:17 | Computer Name = MAXIMILLION | Source = Service Control Manager | ID = 7001
    Description = The Fax service depends on the Print Spooler service which failed
    to start because of the following error: %%1068

    Error - 22/01/2012 16:21:43 | Computer Name = MAXIMILLION | Source = Dhcp | ID = 1000
    Description = Your computer has lost the lease to its IP address 192.168.1.65 on
    the Network Card with network address 0013CE3779C3.

    Error - 24/01/2012 06:14:00 | Computer Name = MAXIMILLION | Source = Dhcp | ID = 1000
    Description = Your computer has lost the lease to its IP address 192.168.1.64 on
    the Network Card with network address 0013CE3779C3.

    Error - 24/01/2012 08:11:39 | Computer Name = MAXIMILLION | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the Dnscache service.

    Error - 25/01/2012 05:57:45 | Computer Name = MAXIMILLION | Source = Dhcp | ID = 1002
    Description = The IP address lease 192.168.1.64 for the Network Card with network
    address 0013CE3779C3 has been denied by the DHCP server 192.168.1.254 (The DHCP
    Server sent a DHCPNACK message).

    Error - 26/01/2012 08:18:26 | Computer Name = MAXIMILLION | Source = Service Control Manager | ID = 7001
    Description = The Print Spooler service depends on the LexBce Server service which
    failed to start because of the following error: %%1058

    Error - 30/01/2012 06:00:26 | Computer Name = MAXIMILLION | Source = Dhcp | ID = 1002
    Description = The IP address lease 192.168.1.64 for the Network Card with network
    address 0013CE3779C3 has been denied by the DHCP server 192.168.1.254 (The DHCP
    Server sent a DHCPNACK message).


    < End of report >
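An added example, not part of the thread and not OTL's own code: the "< MD5 for: ... >" blocks in the OTL log above hash the live copy of a few critical system files next to the pristine copies Windows keeps (ServicePackFiles\i386, $NtServicePackUninstall$, Driver Cache). The point of that section is that a live driver or DLL whose hash matches none of its reference copies has been altered since the service pack went on, which is what a patched-in-place system file looks like. This Python script parses such blocks and does that comparison. The sample input reuses the AGP440.SYS, ATAPI.SYS and EVENTLOG.DLL lines from the log, except that the live atapi.sys hash has been replaced with zeros (a constructed alteration) so one mismatch is produced; the list of "reference" locations is my own heuristic, not something OTL defines.

```python
"""Triage the "< MD5 for: FILE >" blocks of an OTL log (added example)."""
import re

# Constructed sample: real lines from the log above, with the live atapi.sys
# MD5 replaced by zeros to simulate a modified driver. The .cab line carries no
# hash and is skipped, as in the real log.
SAMPLE = r"""
< MD5 for: AGP440.SYS >
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 06:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/10/14 13:06:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 05:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 12:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
"""

HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>$")
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)

# Assumed heuristic: these are the locations where Windows keeps backup copies.
# Anything else under the system root is treated as the live, loaded copy.
REFERENCE_MARKERS = (
    "\\servicepackfiles\\", "\\$ntservicepackuninstall$\\", "\\driver cache\\", "\\i386\\",
)


def is_reference(path):
    p = path.lower()
    return any(marker in p for marker in REFERENCE_MARKERS)


def parse_md5_sections(text):
    """Return {FILE.NAME: [entry, ...]} for every "< MD5 for: ... >" block."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").upper()
            sections.setdefault(current, [])
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:   # .cab lines have no MD5 and fall through
            sections[current].append({
                "mtime": entry.group("mtime").strip(),
                "size": int(entry.group("size").replace(",", "")),
                "company": entry.group("company"),
                "md5": entry.group("md5").upper(),
                "path": entry.group("path"),
            })
    return sections


def triage(sections):
    """Classify each file as OK, MISMATCH, NO_LIVE_COPY or NO_REFERENCE."""
    report = {}
    for name, entries in sections.items():
        live = [e for e in entries if not is_reference(e["path"])]
        refs = [e for e in entries if is_reference(e["path"])]
        if not live:
            report[name] = {"status": "NO_LIVE_COPY", "detail": "no copy outside the backup locations"}
            continue
        if not refs:
            report[name] = {"status": "NO_REFERENCE", "detail": "nothing to compare the live copy against"}
            continue
        ref_hashes = {e["md5"] for e in refs}
        bad = [e for e in live if e["md5"] not in ref_hashes]
        if not bad:
            report[name] = {"status": "OK", "detail": "live copy hashes like one of its reference copies"}
            continue
        e = bad[0]
        detail = f"{e['path']} MD5={e['md5']} matches no reference copy"
        # Same size and timestamp as a reference copy but a different hash is the
        # classic signature of an in-place patch that preserved file metadata.
        twins = [r for r in refs if r["size"] == e["size"] and r["mtime"] == e["mtime"]]
        if twins:
            detail += f"; same size/mtime as {twins[0]['path']} (metadata preserved, content changed)"
        report[name] = {"status": "MISMATCH", "detail": detail}
    return report


def triage_md5_section(text):
    return triage(parse_md5_sections(text))


if __name__ == "__main__":
    for name, result in triage_md5_section(SAMPLE).items():
        print(f"{result['status']:<12} {name}: {result['detail']}")
```

Grouping by file name rather than by size is deliberate: the $NtServicePackUninstall$ copy of agp440.sys has the same size as the live one but an older hash, so a size-based comparison would raise a false alarm; comparing the live hash against the set of all backup hashes does not. Run against the log above, every block comes out OK.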

#8 | Senior Member | Join Date: Apr 2010 | Posts: 463

    Hello ecosarah

It was touch and go, but we got there.
You did a good job getting that scan to run.


    1. Security Programs


      • I can see from your log that you have a number of real-time security programs running, namely Microsoft Security Essentials and Avira AntiVir.
      • Whilst both of these programs provide good security, they may clash with each other which can leave your system vulnerable to infection.
      • You are advised to remove one of these programs.
      • Please make sure that you only have ONE Firewall and ONE real-time Antivirus running on your system.


    2. P2P Programs:


      • P2P programs are a major source of Malware infections.
• From your log I see you have µTorrent. We do not pass judgment on file-sharing; however, we must inform you that engaging in this activity and having this kind of software installed on your system will always make you more susceptible to Malware infections.
      • The use of P2P programs may be contributing to your current situation, and you would certainly be doing yourself a favour by removing them.
      • If you wish to keep the program(s), please do not use them until your computer is cleaned.

      • Information regarding the risk of using these programs can be found from here and here.

      • It is strongly recommended that you uninstall any P2P programs you have on your system.

      • To do this, Click on "Start" then on "Control Panel" and then on "Add or remove programs".
      • A list of currently installed programs will be displayed.
      • Find the "µTorrent" program, click on it once and then click on the "Remove" button.
      • If you are prompted to re-boot your computer to complete the uninstall please do so.


        PLEASE NOTE:
      • Even if you are using a P2P program that is deemed safe, it is only the program that is safe. Any files that you receive using a "safe" P2P program may be infected with Malware. The malware writers use P2P file-sharing as a major conduit to spread infected files.


    3. Please disable WinPatrol


      • Right click on the "Scotty Dog" icon in your system tray and select "Exit Program".


    4. Please open OTL


      • Copy and paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL.

        Code:
        :OTL
        PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
        O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
        O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
        O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - No CLSID value found.
        O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
        O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
        O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} Reg Error: Value error. (Windows Genuine Advantage Validation Tool)
        O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (Reg Error: Key error.)
        O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab (Reg Error: Key error.)
        O20 - AppInit_DLLs: (avgrsstx.dll) -  File not found
        O33 - MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\Shell - "" = AutoRun
        O33 - MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\Shell\AutoRun - "" = Auto&Play
        O33 - MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\Shell\AutoRun\command - "" = E:\AutoRun.exe
        O33 - MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\Shell - "" = AutoRun
        O33 - MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\Shell\AutoRun - "" = Auto&Play
        O33 - MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\Shell\AutoRun\command - "" = E:\AutoRun.exe
        [9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
        [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
        @Alternate Data Stream - 229 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8FF81EB0
        
        :Commands
        [purity]
        [emptytemp]
        [emptyflash]
        [start explorer]
        [Reboot]
      • Once you have pasted the information into the Custom Scans/Fixes box, click the "Run Fix" button at the top.
      • Allow the program to run unhindered.
      • Your machine will re-start itself. This is normal.
      • A log will be created after your machine reboots. Please post the contents of the log in your next reply.


      Please make sure that WinPatrol is disabled before running Combofix:

    5. Combofix




      • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop


      • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
      • Double click on ComboFix.exe & follow the prompts.


      • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




      • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




      • Click on Yes, to continue scanning for malware.
      • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
      • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
      • Should there be issues with internet afterward:

        In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

        In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.


      Please post the OTL log and the Combofix log in your next reply.
    Proud Graduate of the WTT Classroom

  9. #9
    Member
    Join Date
    Oct 2008
    Posts
    94

    Default

    Hi JonTom,
    big thanks for all this.

    "Whilst both of these programs provide good security, they may clash with each other which can leave your system vulnerable to infection."

    just to say that the MS one was only put on AFTER I got the trojan, to run a scan, and have removed it!!

  10. #10
    Member
    Join Date
    Oct 2008
    Posts
    94

    Default

    OTL

    WinPatrol isn't in the tray, so I don't think it is activated at the moment, as it is down there when it is.

    All processes killed
    ========== OTL ==========
    No active process named explorer.exe was found!
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
    Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
    Starting removal of ActiveX control {17492023-C23A-453E-A040-C7C580BBF700}
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700}\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17492023-C23A-453E-A040-C7C580BBF700}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{17492023-C23A-453E-A040-C7C580BBF700}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17492023-C23A-453E-A040-C7C580BBF700}\ not found.
    Starting removal of ActiveX control {56762DEC-6B0D-4AB4-A8AD-989993B5D08B}
    C:\WINDOWS\Downloaded Program Files\OnlineScanner.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:avgrsstx.dll deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27e883a2-1d58-11df-9d61-001125d3afa3}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27e883a2-1d58-11df-9d61-001125d3afa3}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27e883a2-1d58-11df-9d61-001125d3afa3}\ not found.
    File E:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b7cead68-1c05-11df-9d60-001125d3afa3}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b7cead68-1c05-11df-9d60-001125d3afa3}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7cead68-1c05-11df-9d60-001125d3afa3}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b7cead68-1c05-11df-9d60-001125d3afa3}\ not found.
    File E:\AutoRun.exe not found.
    C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
    C:\WINDOWS\System32\SET129.tmp deleted successfully.
    C:\WINDOWS\System32\SET12A.tmp deleted successfully.
    C:\WINDOWS\System32\SET12C.tmp deleted successfully.
    C:\WINDOWS\System32\SET12D.tmp deleted successfully.
    C:\WINDOWS\System32\SET12E.tmp deleted successfully.
    C:\WINDOWS\System32\SET12F.tmp deleted successfully.
    C:\WINDOWS\System32\SET131.tmp deleted successfully.
    C:\WINDOWS\System32\SET133.tmp deleted successfully.
    C:\WINDOWS\003010_.tmp deleted successfully.
    C:\WINDOWS\msdownld.tmp folder deleted successfully.
    C:\WINDOWS\~GLC0000.TMP deleted successfully.
    C:\WINDOWS\~GLH0000.TMP deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:8FF81EB0 deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: 1 Sarah
    ->Temp folder emptied: 136527245 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 53728286 bytes
    ->Google Chrome cache emptied: 557424 bytes
    ->Flash cache emptied: 60516 bytes

    User: Administrator
    ->Temp folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 56475 bytes

    User: IT Support

    User: LocalService
    ->Temp folder emptied: 3041192 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 2033990 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3376689 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 221944851 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 14610194 bytes

    Total Files Cleaned = 416.00 mb


    [EMPTYFLASH]

    User: 1 Sarah
    ->Flash cache emptied: 0 bytes

    User: Administrator

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: IT Support

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.39.2 log created on 03252012_150703

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\1 Sarah\Local Settings\Temp\Perflib_Perfdata_c88.dat not found!
    C:\Documents and Settings\1 Sarah\Local Settings\Temp\~DFE021.tmp moved successfully.
    C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\startupCache\startupCache.4.little moved successfully.
    C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\Cache\_CACHE_001_ moved successfully.
    C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\Cache\_CACHE_002_ moved successfully.
    C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\Cache\_CACHE_003_ moved successfully.
    C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\Cache\_CACHE_MAP_ moved successfully.
    C:\Documents and Settings\1 Sarah\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\urlclassifier3.sqlite moved successfully.
    C:\WINDOWS\temp\vtclrg41.tmp moved successfully.
    File\Folder C:\WINDOWS\temp\ZLT04644.TMP not found!

    Registry entries deleted on Reboot...
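The fix log above is the record of what OTL actually changed: each line names a target and a status, and the [EMPTYTEMP] section reports bytes freed per location. When reviewing such logs it helps to tally how many entries were really deleted versus only reported "not found", and to pull out the persistence-related locations (MountPoints2 autorun keys, AppInit_DLLs) for the incident notes. The following Python script is an added example written for this thread; it is not part of OTL or of the original posts. The sample log it parses is constructed from a subset of the lines posted above, the status and prefix lists are my own reading of the log format, and the PERSISTENCE_MARKERS list is an assumption of which locations are worth flagging.

```python
import re
from collections import Counter

# Constructed sample in the shape of the OTL "Run Fix" log posted above
# (paths and GUIDs copied from the thread; not a complete log).
SAMPLE_LOG = r"""All processes killed
========== OTL ==========
No active process named explorer.exe was found!
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:avgrsstx.dll deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{27e883a2-1d58-11df-9d61-001125d3afa3}\ deleted successfully.
File E:\AutoRun.exe not found.
C:\WINDOWS\System32\SET129.tmp deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:8FF81EB0 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: 1 Sarah
->Temp folder emptied: 136527245 bytes
->FireFox cache emptied: 53728286 bytes

RecycleBin emptied: 14610194 bytes
"""

# Status suffixes OTL prints; longest first so "folder deleted successfully"
# is matched before the shorter "deleted successfully".
STATUSES = ("folder deleted successfully", "deleted successfully",
            "moved successfully", "not found")

# Kind prefixes OTL prints in front of the target (plain paths have none).
KIND_PREFIXES = (("Registry key ", "registry key"),
                 ("Registry value ", "registry value"),
                 ("File\\Folder ", "file"),
                 ("File ", "file"),
                 ("ADS ", "ads"))

BYTES_RE = re.compile(r"emptied: (\d+) bytes$")

# Registry locations treated here as persistence mechanisms worth recording.
# Assumption: this list is mine, not something OTL reports.
PERSISTENCE_MARKERS = ("MountPoints2", "AppInit_Dlls")


def parse_action(line):
    """Return (kind, target, status) for an OTL action line, or None."""
    body = line.strip().rstrip(".!")
    for status in STATUSES:
        if body.endswith(" " + status):
            target = body[: -len(status)].strip()
            break
    else:
        return None
    kind = "folder" if status.startswith("folder") else "file"
    for prefix, name in KIND_PREFIXES:
        if target.startswith(prefix):
            kind = name
            target = target[len(prefix):]
            break
    if status.startswith("folder"):
        status = "deleted successfully"
    return kind, target, status


def parse_otl_fix_log(text):
    """Parse an OTL fix log into action tuples plus bytes freed by [emptytemp]."""
    actions = []
    bytes_freed = 0
    for line in text.splitlines():
        m = BYTES_RE.search(line.strip())
        if m:
            bytes_freed += int(m.group(1))
            continue
        action = parse_action(line)
        if action:
            actions.append(action)
    return {"actions": actions, "bytes_freed": bytes_freed}


def summarize(actions):
    """Count actions by (kind, status): really deleted versus 'not found'."""
    return Counter((kind, status) for kind, _, status in actions)


def persistence_hits(actions):
    """Actions that touched autorun-style persistence locations."""
    return [(kind, target, status) for kind, target, status in actions
            if any(marker in target for marker in PERSISTENCE_MARKERS)]


if __name__ == "__main__":
    result = parse_otl_fix_log(SAMPLE_LOG)
    for (kind, status), n in sorted(summarize(result["actions"]).items()):
        print(f"{kind:15s} {status:22s} {n}")
    for kind, target, status in persistence_hits(result["actions"]):
        print(f"persistence: {kind} {target} -> {status}")
    print(f"bytes freed: {result['bytes_freed']} "
          f"({result['bytes_freed'] / 1048576:.2f} MiB)")
```

Summing the "emptied" lines and comparing against the "Total Files Cleaned" figure is a quick consistency check on a log; the full log above sums to roughly 436 million bytes, which matches its stated 416.00 mb (OTL reports mebibytes).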
