
Help with Garda virus, please

  • 14-10-2012 1:00pm
    #1
    Registered Users Posts: 32


    Hello to the forum.

    I was wondering if I could get some help to remove the Garda virus?

    I have been trying to remove it from my brother's computer and failing.

    I have been reading here and around re how to remove it, but am pulling my hair out at this point as nothing seems to be working / I am not doing it right, and his desktop is still locked down.

    I downloaded OTL (using another profile) and ran a quick scan in Safe Mode.

    Is there any chance of someone looking at the .txt files and letting me know if it can be fixed this way?


    Any and all help is much appreciated.

    Thanks a lot!


    OTL logfile created on: 14/10/2012 11:52:26 - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Elaine\Downloads
    Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6000.17037)
    Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 1.59 Gb Available Physical Memory | 79.44% Memory free
    4.20 Gb Paging File | 3.96 Gb Available in Paging File | 94.17% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 100.21 Gb Total Space | 42.89 Gb Free Space | 42.80% Space Free | Partition Type: NTFS
    Drive D: | 11.57 Gb Total Space | 1.84 Gb Free Space | 15.89% Space Free | Partition Type: NTFS

    Computer Name: ELAINE-PC | User Name: Elaine | Logged in as Administrator.
    Boot Mode: SafeMode with Networking | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/10/14 10:47:43 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Elaine\Downloads\OTL.exe
    PRC - [2008/10/29 07:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


    ========== Modules (No Company Name) ==========


    ========== Services (SafeList) ==========

    SRV - [2012/07/13 13:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
    SRV - [2012/01/04 14:32:36 | 000,718,888 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
    SRV - [2008/10/20 09:00:12 | 000,102,400 | ---- | M] (PacketVideo) [Auto | Stopped] -- D:\Program Files\Nokia\Nokia Home Media Server\Media Server\twonkymedia.exe -- (TwonkyMedia)
    SRV - [2008/10/17 16:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (LiveUpdate Notice)
    SRV - [2008/10/17 16:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService)
    SRV - [2008/10/17 16:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
    SRV - [2008/10/17 16:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
    SRV - [2008/05/06 18:41:19 | 001,251,720 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
    SRV - [2007/10/24 16:47:36 | 000,265,912 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2007/08/31 11:49:50 | 000,243,064 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
    SRV - [2007/08/23 19:35:00 | 003,192,184 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate)
    SRV - [2007/08/22 06:21:00 | 000,055,640 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe -- (comHost)
    SRV - [2007/03/05 18:30:06 | 000,110,592 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe -- (Com4Qlb)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\usbser_lowerflt.sys -- (upperdev)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\SymIM.sys -- (SymIMMP)
    DRV - File not found [Kernel | System | Stopped] -- System32\Drivers\SRTSPX.SYS -- (SRTSPX)
    DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\SRTSPL.SYS -- (SRTSPL)
    DRV - File not found [File_System | On_Demand | Stopped] -- System32\Drivers\SRTSP.SYS -- (SRTSP)
    DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20080629.020\NAVEX15.SYS -- (NAVEX15)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20080629.020\NAVENG.SYS -- (NAVENG)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\Drivers\COH_Mon.sys -- (COH_Mon)
    DRV - File not found [Kernel | Auto | Stopped] -- C:\Windows\system32\drivers\CO_Mon.sys -- (CO_Mon)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
    DRV - [2009/02/19 12:31:42 | 000,024,112 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\SymIMV.sys -- (SymIM)
    DRV - [2009/02/19 12:31:18 | 000,041,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\symndisv.sys -- (SYMNDISV)
    DRV - [2009/02/19 12:31:16 | 000,184,496 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\symtdi.sys -- (SYMTDI)
    DRV - [2009/02/19 12:31:16 | 000,096,560 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\symfw.sys -- (SYMFW)
    DRV - [2009/02/19 12:31:16 | 000,022,320 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\symredrv.sys -- (SYMREDRV)
    DRV - [2009/02/19 12:31:16 | 000,013,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\symdns.sys -- (SYMDNS)
    DRV - [2009/01/10 11:54:30 | 000,124,464 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2008/08/26 10:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)
    DRV - [2008/03/20 21:37:22 | 000,261,680 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\ProgramData\Symantec\Definitions\SymcData\ipsdefs\20080623.001\IDSvix86.sys -- (IDSvix86)
    DRV - [2008/02/04 06:25:22 | 000,017,536 | ---- | M] (Anyka (Guangzhou) Software Technology Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbanyka.sys -- (usbanyka)
    DRV - [2007/09/19 21:05:00 | 007,626,400 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2007/09/09 23:12:28 | 000,176,640 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CHDART.sys -- (HdAudAddService)
    DRV - [2007/07/11 18:30:22 | 000,007,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqRemHid.sys -- (HpqRemHid)
    DRV - [2007/07/10 15:27:56 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
    DRV - [2007/06/19 01:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
    DRV - [2007/05/30 23:40:42 | 000,735,232 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
    DRV - [2007/03/22 06:02:04 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
    DRV - [2007/03/07 03:15:58 | 001,059,112 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
    DRV - [2007/02/24 22:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
    DRV - [2007/02/16 22:50:32 | 000,012,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
    DRV - [2007/01/24 00:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=81&bd=Pavilion&pf=laptop
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=81&bd=Pavilion&pf=laptop
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80138
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80138
    IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKLM\..\SearchScopes\{06063312-6505-4343-8889-DB94FF28ED2C}: "URL" = http://uk.kelkoopartners.net/ctl/do/search?siteSearchQuery={searchTerms}&fromform=true&x=true&y=true&partner=hp&partnerId=96913936
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKLM\..\SearchScopes\{B9BD1E86-7379-49E2-B12B-8301EC12770F}: "URL" = http://uk.kelkoopartners.net/ctl/do/search?siteSearchQuery={searchTerms}&fromform=true&x=true&y=true&partner=hp&partnerId=96913936


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=81&bd=Pavilion&pf=laptop
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id%language
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\..\URLSearchHook: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\..\SearchScopes\{06063312-6505-4343-8889-DB94FF28ED2C}: "URL" = http://uk.kelkoopartners.net/ctl/do/search?siteSearchQuery={searchTerms}&fromform=true&x=true&y=true&partner=hp&partnerId=96913936
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\..\SearchScopes\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}: "URL" = http://search.alot.com/web?pr=prov&client_id=BDB0EFF001C8BC34000C6DCF&install_time=22-05-2008:18:55&src_id=11031&tb_version=1.2.1.200&q={searchTerms}
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGIE_en
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\..\SearchScopes\{B9BD1E86-7379-49E2-B12B-8301EC12770F}: "URL" = http://uk.kelkoopartners.net/ctl/do/search?siteSearchQuery={searchTerms}&fromform=true&x=true&y=true&partner=hp&partnerId=96913936
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}: "URL" = http://toolbar.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80138language
    IE - HKU\S-1-5-21-567430392-4232419820-570083117-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.selectedEngine: "Inbox Search"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://www.inbox.com/?tb_id=80138"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}:6.0.31
    FF - prefs.js..keyword.URL: "http://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80138&language=en&qkw="
    FF - prefs.js..keyword.defaultURL: "chrome://browser-region/locale/region.properties"
    FF - user.js - File not found

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}: C:\Program Files\Crawler\Toolbar\firefox\
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/09 16:29:45 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/09/09 16:29:45 | 000,000,000 | ---D | M]

    [2009/02/20 23:18:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Elaine\AppData\Roaming\Mozilla\Extensions
    [2012/10/02 20:45:52 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Elaine\AppData\Roaming\Mozilla\Firefox\Profiles\exv81dlu.default\extensions
    [2009/09/29 22:49:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Elaine\AppData\Roaming\Mozilla\Firefox\Profiles\exv81dlu.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2009/07/28 08:54:19 | 000,000,000 | ---D | M] ("Inbox Toolbar") -- C:\Users\Elaine\AppData\Roaming\Mozilla\Firefox\Profiles\exv81dlu.default\extensions\inboxcomtoolbar@inbox.com
    [2009/08/10 18:27:02 | 000,002,168 | ---- | M] () -- C:\Users\Elaine\AppData\Roaming\Mozilla\Firefox\Profiles\exv81dlu.default\searchplugins\inbox-search.xml
    [2012/03/10 12:58:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/03/10 12:58:17 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    [2012/03/10 12:56:16 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2012/09/09 16:29:32 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
    [2012/09/09 16:29:32 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
    [2007/07/26 12:05:16 | 000,001,329 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\crawlersrch.xml
    [2012/09/09 16:29:32 | 000,000,759 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
    [2012/09/09 16:29:33 | 000,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\22.0.1229.94\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\22.0.1229.94\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\22.0.1229.94\gcswf32.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
    CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
    CHR - plugin: Google Updater (Enabled) = C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll
    CHR - plugin: Picasa (Enabled) = C:\Program Files\Google\Picasa3\npPicasa3.dll
    CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll
    CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin

    O1 HOSTS File: ([2006/09/18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll File not found
    O2 - BHO: (ALOT Toolbar) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (Miva)
    O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
    O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll (Symantec Corporation)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7725.1624\swg.dll (Google Inc.)
    O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
    O2 - BHO: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
    O3 - HKLM\..\Toolbar: (&Crawler Toolbar) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll File not found
    O3 - HKLM\..\Toolbar: (ALOT Toolbar) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (Miva)
    O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
    O3 - HKLM\..\Toolbar: (&Inbox Toolbar) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
    O3 - HKU\S-1-5-21-567430392-4232419820-570083117-1000\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
    O3 - HKU\S-1-5-21-567430392-4232419820-570083117-1000\..\Toolbar\WebBrowser: (&Inbox Toolbar) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
    O4 - HKLM..\Run: [CSmileys] C:\Program Files\Crawler\Smileys\CSmileysIM.exe (Crawler.com)
    O4 - HKLM..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe File not found
    O4 - HKLM..\Run: [Nokia FastStart] D:\Program Files\Nokia\Nokia Music\NokiaMusic.exe (Nokia)
    O4 - HKLM..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe ()
    O4 - HKLM..\Run: [NSU_agent] C:\Program Files\Nokia\Nokia Software Updater\nsu3ui_agent.exe ()
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
    O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
    O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
    O4 - HKU\S-1-5-21-567430392-4232419820-570083117-1000..\Run: [CSmileys] C:\Program Files\Crawler\Smileys\CSmileysIM.exe (Crawler.com)
    O7 - HKU\S-1-5-21-567430392-4232419820-570083117-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 157
    O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx File not found
    O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc.)
    O13 - gopher Prefix: missing
    O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
    O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
    O15 - HKU\S-1-5-21-567430392-4232419820-570083117-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6C1607AC-E191-46F3-B221-46FEE2ED072F}: DhcpNameServer = 85.134.254.69 85.134.254.70
    O18 - Protocol\Handler\inbox {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\tbr {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll File not found
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Users\Elaine\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O24 - Desktop BackupWallPaper: C:\Users\Elaine\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/10/24 17:50:39 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2005/09/11 16:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
    O33 - MountPoints2\{04260fa3-c8ca-11e0-b911-001e683fc198}\Shell\AutoRun\command - "" = F:\RunClubSanDisk.exe
    O33 - MountPoints2\{62dc7069-a7d3-11e0-93de-001e683fc198}\Shell\AutoRun\command - "" = F:\RunClubSanDisk.exe
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/10/13 18:39:33 | 000,000,000 | ---D | C] -- C:\perflogs
    [2012/10/13 16:13:08 | 000,000,000 | -H-D | C] -- C:\Windows\PIF
    [2012/10/03 15:44:12 | 000,000,000 | ---D | C] -- C:\ProgramData\utqhnutbmilxvtk
    [2012/09/28 20:40:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
    [2012/09/28 20:40:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
    [2012/09/28 20:40:13 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
    [1 C:\Users\Elaine\Desktop\*.tmp files -> C:\Users\Elaine\Desktop\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/10/14 11:48:39 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/10/14 11:48:17 | 000,365,712 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/10/14 11:01:05 | 000,000,164 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini
    [2012/10/14 11:00:52 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/10/14 11:00:00 | 000,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{019E2840-A0CF-421D-89A2-BAB27839D0C2}.job
    [2012/10/14 10:56:00 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-567430392-4232419820-570083117-1001UA.job
    [2012/10/14 10:54:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/10/14 10:31:03 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/10/14 10:31:02 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/10/14 09:23:40 | 000,027,430 | ---- | M] () -- C:\Users\Elaine\AppData\Roaming\nvModes.001
    [2012/10/13 17:57:28 | 000,008,268 | ---- | M] () -- C:\Users\Elaine\AppData\Local\d3d9caps.dat
    [2012/10/13 16:49:31 | 000,000,362 | ---- | M] () -- C:\Users\Elaine\Documents\Music - Shortcut.lnk
    [2012/10/13 16:30:58 | 000,001,971 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
    [2012/10/13 16:22:43 | 000,000,420 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{58534783-2F7E-4DC7-BA9B-40940FA3ACE2}.job
    [2012/10/03 15:44:11 | 000,073,402 | ---- | M] () -- C:\ProgramData\xxaycjloqrmcsmw
    [2012/10/03 15:43:56 | 000,105,984 | ---- | M] () -- C:\ProgramData\peqfbjht.exe
    [2012/10/02 20:34:20 | 000,067,856 | ---- | M] () -- C:\Users\Elaine\Documents\AGP2DUP3S16E.pdf
    [2012/09/28 20:40:17 | 000,001,878 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
    [2012/09/16 13:56:27 | 000,000,864 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-567430392-4232419820-570083117-1001Core.job
    [1 C:\Users\Elaine\Desktop\*.tmp files -> C:\Users\Elaine\Desktop\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/10/13 16:49:31 | 000,000,362 | ---- | C] () -- C:\Users\Elaine\Documents\Music - Shortcut.lnk
    [2012/10/03 15:44:07 | 000,105,984 | ---- | C] () -- C:\ProgramData\peqfbjht.exe
    [2012/10/03 15:43:56 | 000,073,402 | ---- | C] () -- C:\ProgramData\xxaycjloqrmcsmw
    [2012/10/02 20:34:20 | 000,067,856 | ---- | C] () -- C:\Users\Elaine\Documents\AGP2DUP3S16E.pdf
    [2012/09/28 20:40:17 | 000,001,878 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
    [2009/10/23 19:59:04 | 000,008,268 | ---- | C] () -- C:\Users\Elaine\AppData\Local\d3d9caps.dat
    [2008/11/09 19:46:01 | 000,119,361 | ---- | C] () -- C:\Users\Elaine\jpm.2006.9.1376.lowlink.pdf_v03[1].pdf
    [2008/09/06 08:46:59 | 000,000,048 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
    [2008/05/11 17:19:58 | 000,027,430 | ---- | C] () -- C:\Users\Elaine\AppData\Roaming\nvModes.001
    [2008/04/29 22:43:03 | 000,027,430 | ---- | C] () -- C:\Users\Elaine\AppData\Roaming\nvModes.dat
    [2008/04/29 19:09:09 | 000,029,184 | ---- | C] () -- C:\Users\Elaine\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    ========== ZeroAccess Check ==========

    [2006/11/02 13:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2008/11/06 13:57:06 | 011,315,712 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2009/03/03 05:16:12 | 000,614,912 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = %systemroot%\system32\wbem\wbemess.dll -- [2006/11/02 10:46:13 | 000,348,672 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    ========== LOP Check ==========

    [2008/10/25 16:00:31 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\FUJIFILM
    [2008/08/17 11:31:49 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\InterTrust
    [2010/04/06 15:50:46 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\muvee Technologies
    [2011/04/17 09:29:47 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\Nokia
    [2011/11/26 18:31:52 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\Nseries
    [2011/04/17 10:53:14 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\PC Suite
    [2008/08/17 11:45:43 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\Ulead Systems
    [2009/09/23 15:31:19 | 000,000,000 | ---D | M] -- C:\Users\Garrett\AppData\Roaming\FUJIFILM
    [2011/05/09 22:51:05 | 000,000,000 | ---D | M] -- C:\Users\Garrett\AppData\Roaming\PC Suite
    [2010/10/08 16:58:19 | 000,000,000 | ---D | M] -- C:\Users\Garrett\AppData\Roaming\Template
    [2008/05/11 16:04:57 | 000,000,000 | ---D | M] -- C:\Users\Garrett\AppData\Roaming\WildTangent

    ========== Purity Check ==========



    < End of report >


    OTL Extras logfile created on: 14/10/2012 11:52:26 - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Elaine\Downloads
    Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6000.17037)
    Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 1.59 Gb Available Physical Memory | 79.44% Memory free
    4.20 Gb Paging File | 3.96 Gb Available in Paging File | 94.17% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 100.21 Gb Total Space | 42.89 Gb Free Space | 42.80% Space Free | Partition Type: NTFS
    Drive D: | 11.57 Gb Total Space | 1.84 Gb Free Space | 15.89% Space Free | Partition Type: NTFS

    Computer Name: ELAINE-PC | User Name: Elaine | Logged in as Administrator.
    Boot Mode: SafeMode with Networking | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
    .html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-567430392-4232419820-570083117-1000\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
    https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [FinePix] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" "%1" (FUJIFILM Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "UacDisableNotify" = 0
    "InternetSettingsDisableNotify" = 0
    "AutoUpdateDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{57219C04-15A5-4EA1-9FCF-CB4D992AC96C}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{727E85CF-D982-4897-AEF3-87FEBA32FBC2}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{098C775C-341B-4427-87C9-B7300B0D6E59}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |
    "{0ACA8C94-0858-4D66-A8B3-C6D050B167E4}" = dir=in | app=c:\program files\windows live\messenger\livecall.exe |
    "{1A50D810-6F9D-4E01-B974-33DEDE9E1C1F}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
    "{4CAAE971-0114-479F-B15E-3579ADF55B91}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
    "{5191A9EB-D83B-46A2-A81C-07F66711C7C8}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
    "{5DFAF0BD-504C-495F-8BBE-5C79D95BF853}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
    "{715D1CA7-C01C-479C-9F71-DB42EE39C5C8}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
    "{7228DBC7-ABC4-4C72-8C27-461243087935}" = protocol=6 | dir=in | app=d:\program files\nokia\nokia home media server\media server\twonkymediaserver.exe |
    "{88E6DF99-E159-4ABF-98B8-9B3A2E538CB9}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
    "{8F698062-2E19-4A69-A8F2-57E9CBB045E3}" = protocol=17 | dir=in | app=d:\program files\nokia\nokia home media server\media server\twonkymediaserver.exe |
    "{9FFC542B-5963-474A-ADCF-F4DA48492B5F}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |
    "{B26BF63C-133B-49A8-B369-457C03C5D116}" = protocol=17 | dir=in | app=d:\program files\nokia\nokia home media server\media server\twonkymedia.exe |
    "{EAC8D7BE-E66B-4C4F-8FD3-FD7709225B96}" = protocol=6 | dir=in | app=d:\program files\nokia\nokia home media server\media server\twonkymedia.exe |
    "{EC3FB409-B12D-439C-9419-4951502BFB59}" = dir=in | app=c:\program files\skype\phone\skype.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    "{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
    "{03528A01-7E5E-4C5F-94DF-1D8012E969EF}" = Nokia Map Loader
    "{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
    "{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
    "{11BB336F-0E58-4977-B866-F24FA334616B}" = HP Active Support Library
    "{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
    "{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
    "{179C56A4-F57F-4561-8BBF-F911D26EB435}" = WebReg
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
    "{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
    "{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    "{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
    "{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}" = Adobe Shockwave Player
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
    "{2284D904-C138-4B58-93EC-5C362AB5130A}" = The Sims™ Life Stories
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.5.4
    "{250E9609-E830-43EB-B379-DAB7546A2422}" = muvee autoProducer 6.1
    "{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check
    "{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
    "{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Driver Installation Program
    "{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}" = Windows Live Photo Gallery
    "{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}" = Component Framework
    "{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
    "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
    "{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
    "{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.30 E1
    "{3C43EAE7-22C0-4b33-ABFB-3757ECA5FD7B}" = HP Officejet All-In-One Series
    "{3CEA4CA8-CDD4-451C-B673-E8F17BE01B15}" = Ulead COOL 360 1.0
    "{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
    "{40724630-C95F-449d-B71D-777CFDE9EA21}" = J5700
    "{40BA976E-38B8-4C63-990C-50999C8C3521}" = BPD_Scan
    "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
    "{41A96655-19FB-473c-AAB7-429E372527C8}" = ProductContext
    "{4371DBFF-8F97-4A64-A18D-EF8F6EA06A69}" = Nokia Ovi Content Copier
    "{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 3.6
    "{49F2B650-2D7B-4F59-B33D-346F63776BD3}" = DocProc
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
    "{55BD183A-F721-457D-9B8F-15E937820B2E}" = SymNet
    "{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
    "{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
    "{5C2909FF-1E30-48B3-8820-6F40D3E4A0C7}" = Nokia Ovi Application Installer
    "{5D0F0C1F-46B0-4AA2-B8DC-02E5FE777C19}" = 5700_Help
    "{612AD33D-9824-4E87-8396-92374E91C4BB}_is1" = Inbox Toolbar
    "{62120008-8E1E-4807-860D-A8B48F8552DB}" = Norton Protection Center
    "{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
    "{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check
    "{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
    "{67D3F1A0-A1F2-49b7-B9EE-011277B170CD}" = HPProductAssistant
    "{68471BF2-F1F7-4C89-BBBA-400B94996596}" = ESU for Microsoft Vista
    "{69FB1A6C-A82E-4E6E-A429-5AA1141E9CAF}" = Nokia Music
    "{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{7130468A-F53F-4698-8C09-A339EA3B05E6}" = Nokia Software Updater
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{757AD3D4-036B-42FA-B0A4-96BD6F4605A0}" = Ulead VideoStudio 7 SE Basic
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
    "{7A7DC702-DEDE-42A8-8722-B3BA724D546F}" = Fax
    "{7DC4A410-9986-4329-9E5D-687B2C42CA39}" = HP QuickTouch 1.00 C4
    "{8347A7A5-4AB8-433F-82AA-496B0D189A9B}" = HP User Guides 0088
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
    "{8CF2565F-894C-4F11-8DCB-FBA97CADE10B}" = Nokia Ovi Suite
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
    "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
    "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
    "{95D08F4E-DFC2-4ce3-ACB7-8C8E206217E9}" = MarketResearch
    "{978C25EE-5777-46e4-8988-732C297CBDBD}" = Status
    "{9885A11E-60E4-417C-B58B-8B31B21C0B8A}" = HP Easy Setup - Frontend
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9B1FD9CE-0776-4f0b-A6F5-C6AB7B650CDF}" = Destinations
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A272197C-D2EE-4DF9-8AB0-B05F4CFFDEA0}" = Nokia Ovi System Utilities
    "{A2AA4204-C05A-4013-888A-AD153139297F}" = PC Connectivity Solution
    "{A2CC286B-BFE9-4D1F-9EDA-AA3E8289CA12}" = BPDSoftware_Ini
    "{A36CD345-625C-4d6c-B3E2-76E1248CB451}" = SolutionCenter
    "{A57025CC-5F2E-4D01-B387-06DB10500D43}" = Nokia Connectivity Cable Driver
    "{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)
    "{A64D224E-E06A-43D2-A919-8BE108F47305}_is1" = Crawler Smileys
    "{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
    "{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.0
    "{AE977FE5-F014-4F1E-83F7-B4FD143B5EEF}" = Nokia Photos
    "{b02df929-29a7-4fd2-9a70-81a644b635f7}" = HP Total Care Advisor
    "{B24E05CC-46FF-4787-BBB8-5CD516AFB118}" = ccCommon
    "{BBC0D330-C37B-4472-BFB9-AA217CF0C95F}" = Ulead Photo Express 4.0 SE
    "{BD0E2B92-3814-46F0-893B-4612EA010C7E}" = HP Customer Experience Enhancements
    "{BE77A81F-B315-4666-9BF3-AE70C0ADB057}" = BufferChm
    "{C0A957EF-B8F2-449A-98E4-00F1872EC4BD}" = Nokia Ovi One Touch Access
    "{C1C185CA-C531-49F5-A6FA-B838405A049D}" = Norton Internet Security
    "{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
    "{C716522C-3731-4667-8579-40B098294500}" = Toolbox
    "{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
    "{CBAE4F50-9FC9-4557-AB36-9826DF3C103C}" = HP Wireless Assistant
    "{CC4A73BF-938E-4C19-A553-853C035C9BA1}" = LightScribe System Software 1.10.13.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CEF5B15D-3B5A-46DC-A242-DC12629DDC10}" = DDV-660 Digital Video
    "{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar
    "{DFD30824-6BD0-34E1-ABE8-308AD3CBB9A0}" = Google Talk Plugin
    "{E80F62FF-5D3C-4A19-8409-9721F2928206}" = LiveUpdate (Symantec Corporation)
    "{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
    "{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}" = HPSSupply
    "{ECAD4F6A-0BF3-4028-9C81-E5D9F9606CBA}" = BPDSoftware
    "{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
    "{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}" = AppCore
    "{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
    "{F5577101-33CC-4711-8235-3A95BCD49DB0}" = EA Link
    "{F5A3D2C9-22CF-489B-8B01-F7159D1A7412}" = Nokia Home Media Server
    "{F7F3B252-E772-48AA-93EB-7964BC326067}" = MSCU for Microsoft Vista
    "{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
    "{FF075778-6E50-47ed-991D-3B07FD4E3250}" = TrayApp
    "504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    "Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
    "Adobe Acrobat 5.0" = Adobe Acrobat 5.0
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "AIM_6" = AIM 6
    "Aircraft Performance1.0" = Aircraft Performance
    "alotToolbar" = ALOT Toolbar
    "CNXT_AUDIO_HDA" = Conexant HD Audio
    "CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
    "EPSON Printer and Utilities" = EPSON Printer Software
    "Google Chrome" = Google Chrome
    "Google Updater" = Google Updater
    "Hauppauge MCE2005 Software Encoder" = Hauppauge MCE XP/Vista Software Encoder (2.0.25149)
    "HOMESTUDENTR" = Microsoft Office Home and Student 2007
    "HP Imaging Device Functions" = HP Imaging Device Functions 8.0
    "HP Solution Center & Imaging Support Tools" = HP Solution Center 8.0
    "HPExtendedCapabilities" = HP Customer Participation Program 8.0
    "HPOCR" = HP OCR Software 8.0
    "InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
    "InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
    "InstallShield_{F5577101-33CC-4711-8235-3A95BCD49DB0}" = EA Link
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
    "Nokia Ovi Application Installer" = Nokia Ovi Application Installer 6.85.3010
    "Nokia Ovi Content Copier" = Nokia Ovi Content Copier 6.85.3010
    "Nokia Ovi One Touch Access" = Nokia Ovi One Touch Access 6.85.3010
    "Nokia Ovi System Utilities" = Nokia Ovi System Utilities 6.85.3010
    "NVIDIA Drivers" = NVIDIA Drivers
    "Picasa 3" = Picasa 3
    "PsuedoLiveUpdate" = LiveUpdate (Symantec Corporation)
    "SlingMedia.QPSlingPlayer_is1" = QuickPlay SlingPlayer 0.4.4
    "SymSetup.{C1C185CA-C531-49F5-A6FA-B838405A049D}" = Norton Internet Security (Symantec Corporation)
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "TwonkyvisionUPnPTwonkyMedia" = TwonkyMedia
    "ViewpointMediaPlayer" = Viewpoint Media Player
    "WildTangent hp Master Uninstall" = My HP Games
    "Windows Live Toolbar" = Windows Live Toolbar

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 05/12/2009 10:49:57 | Computer Name = Elaine-PC | Source = WerSvc | ID = 5007
    Description =

    Error - 07/12/2009 04:56:24 | Computer Name = Elaine-PC | Source = WerSvc | ID = 5007
    Description =

    Error - 16/12/2009 21:37:31 | Computer Name = Elaine-PC | Source = WerSvc | ID = 5007
    Description =

    Error - 16/12/2009 23:01:07 | Computer Name = Elaine-PC | Source = Application Hang | ID = 1002
    Description = The program iexplore.exe version 7.0.6000.16916 stopped interacting
    with Windows and was closed. To see if more information about the problem is available,
    check the problem history in the Problem Reports and Solutions control panel. Process
    ID: 1280 Start Time: 01ca7eb87c042890 Termination Time: 398

    Error - 18/12/2009 11:34:37 | Computer Name = Elaine-PC | Source = WerSvc | ID = 5007
    Description =

    Error - 05/01/2010 16:40:28 | Computer Name = Elaine-PC | Source = WerSvc | ID = 5007
    Description =

    Error - 08/01/2010 14:28:27 | Computer Name = Elaine-PC | Source = WerSvc | ID = 5007
    Description =

    Error - 08/01/2010 15:09:50 | Computer Name = Elaine-PC | Source = Application Error | ID = 1000
    Description = Faulting application iexplore.exe, version 7.0.6000.16945, time stamp
    0x4ae6e731, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
    code 0xc0000005, fault offset 0x002f049b, process id 0x108, application start time
    0x01ca908fc495c0ab.

    Error - 09/01/2010 05:48:22 | Computer Name = Elaine-PC | Source = Application Error | ID = 1000
    Description = Faulting application helppane.exe, version 6.0.6000.16386, time stamp
    0x4549b63f, faulting module helppane.exe, version 6.0.6000.16386, time stamp 0x4549b63f,
    exception code 0xc0000005, fault offset 0x000150e7, process id 0xe64, application
    start time 0x01ca9110d6a367de.

    Error - 09/01/2010 05:48:47 | Computer Name = Elaine-PC | Source = Application Error | ID = 1000
    Description = Faulting application helppane.exe, version 6.0.6000.16386, time stamp
    0x4549b63f, faulting module msvcrt.dll, version 7.0.6000.16386, time stamp 0x4549bd61,
    exception code 0x40000015, fault offset 0x00055bff, process id 0xe64, application
    start time 0x01ca9110d6a367de.

    [ System Events ]
    Error - 14/10/2012 06:55:21 | Computer Name = Elaine-PC | Source = disk | ID = 262151
    Description = The device, \Device\Harddisk0\DR0, has a bad block.

    Error - 14/10/2012 06:55:25 | Computer Name = Elaine-PC | Source = disk | ID = 262151
    Description = The device, \Device\Harddisk0\DR0, has a bad block.

    Error - 14/10/2012 06:55:29 | Computer Name = Elaine-PC | Source = disk | ID = 262151
    Description = The device, \Device\Harddisk0\DR0, has a bad block.

    Error - 14/10/2012 06:55:33 | Computer Name = Elaine-PC | Source = disk | ID = 262151
    Description = The device, \Device\Harddisk0\DR0, has a bad block.

    Error - 14/10/2012 06:55:37 | Computer Name = Elaine-PC | Source = disk | ID = 262151
    Description = The device, \Device\Harddisk0\DR0, has a bad block.

    Error - 14/10/2012 06:55:41 | Computer Name = Elaine-PC | Source = disk | ID = 262151
    Description = The device, \Device\Harddisk0\DR0, has a bad block.

    Error - 14/10/2012 06:55:45 | Computer Name = Elaine-PC | Source = disk | ID = 262151
    Description = The device, \Device\Harddisk0\DR0, has a bad block.

    Error - 14/10/2012 06:55:49 | Computer Name = Elaine-PC | Source = disk | ID = 262151
    Description = The device, \Device\Harddisk0\DR0, has a bad block.

    Error - 14/10/2012 06:55:53 | Computer Name = Elaine-PC | Source = disk | ID = 262151
    Description = The device, \Device\Harddisk0\DR0, has a bad block.

    Error - 14/10/2012 06:55:57 | Computer Name = Elaine-PC | Source = disk | ID = 262151
    Description = The device, \Device\Harddisk0\DR0, has a bad block.


    < End of report >



Comments

  • Closed Accounts Posts: 3,683 ✭✭✭Kensington


    C:\ProgramData\utqhnutbmilxvtk looks like a possible culprit.

    Boot to safe mode, rename (but do not delete just yet) the utqhnutbmilxvtk folder to suspect i.e. C:\ProgramData\suspect. Do not change or rename anything else.

    Boot back to Windows normally, log in and the virus should no longer start up - make sure nothing else has broken program-wise. If nothing is broken then go ahead and delete the suspect folder in C:\ProgramData.

    Run a full anti-virus system scan with an up-to-date scanner and then Windows Update next - your system looks to be badly out of date from those dump files which is not good. Make sure Windows automatic updates is enabled and your anti-virus is kept activated and up to date for the future.

    Let me know if that doesn't solve it :)
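    A small triage script, added here as an example and not part of the thread or of OTL itself, that parses OTL "Files Created/Modified" lines like the ones in the report above and flags recently dropped files sitting directly in C:\ProgramData with no company name and a random-looking name, which is the pattern picked out in the reply above. The sample log is constructed from entries in the report; the random-name and age heuristics are assumptions for this example, not OTL's own logic.

```python
import re
from datetime import datetime, timedelta

# Header line of an OTL report, e.g. "OTL logfile created on: 14/10/2012 11:52:26 - Run 1"
# (dd/MM/yyyy, matching the Date Format the report itself declares).
OTL_HEADER = re.compile(
    r"OTL(?: Extras)? logfile created on: (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
)

# One OTL file entry, e.g.
# [2012/10/03 15:43:56 | 000,105,984 | ---- | C] () -- C:\ProgramData\peqfbjht.exe
#  timestamp             size          attrs  M=modified / C=created  (company) -- path
OTL_ENTRY = re.compile(
    r"^\s*\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)

# Heuristic (an assumption for this example): eight or more lowercase letters
# and nothing else, as in xxaycjloqrmcsmw or peqfbjht.
RANDOM_NAME = re.compile(r"[a-z]{8,}")

# Constructed sample, assembled from entries that appear in the report above.
SAMPLE_LOG = r"""
OTL logfile created on: 14/10/2012 11:52:26 - Run 1
[2012/10/13 16:30:58 | 000,001,971 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012/10/03 15:44:11 | 000,073,402 | ---- | M] () -- C:\ProgramData\xxaycjloqrmcsmw
[2012/10/03 15:43:56 | 000,105,984 | ---- | M] () -- C:\ProgramData\peqfbjht.exe
[2012/10/03 15:44:07 | 000,105,984 | ---- | C] () -- C:\ProgramData\peqfbjht.exe
[2008/09/06 08:46:59 | 000,000,048 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2008/10/25 16:00:31 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\FUJIFILM
"""


def scan_time_from_header(log_text):
    """Timestamp the report was produced, taken from the OTL header line."""
    m = OTL_HEADER.search(log_text)
    if not m:
        raise ValueError("no OTL header found")
    return datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S")


def parse_entry(line):
    """Parse one OTL file line into a dict; return None for any other line."""
    m = OTL_ENTRY.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y/%m/%d %H:%M:%S")
    entry["size"] = int(entry["size"].replace(",", ""))
    return entry


def suspicious_reasons(entry, scan_time, max_age_days=30):
    """Reasons to look harder at a file dropped directly into C:\\ProgramData.

    Returns an empty list unless the file is recent AND shows at least one
    other indicator; these are triage hints, not proof of infection.
    """
    parts = entry["path"].split("\\")
    if len(parts) != 3 or parts[1].lower() != "programdata":
        return []
    name = parts[2]
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    reasons = []
    if scan_time - entry["ts"] <= timedelta(days=max_age_days):
        reasons.append("recent")
    if not entry["company"]:
        reasons.append("no company name")
    if RANDOM_NAME.fullmatch(stem):
        reasons.append("random-looking name")
    if ext.lower() == "exe":
        reasons.append("executable in ProgramData root")
    return reasons if "recent" in reasons and len(reasons) >= 2 else []


def triage(log_text, max_age_days=30):
    """Map each flagged path to its reasons; M and C entries are deduplicated."""
    scan_time = scan_time_from_header(log_text)
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry, scan_time, max_age_days)
        if reasons:
            flagged.setdefault(entry["path"], reasons)
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(reasons)}")
```

    Anything the script flags is a candidate to rename and check, as described above, not something to delete on sight; a legitimate data file with no company name can also match.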


  • Registered Users Posts: 32 ruarua


    Thank you so much -

    I have booted in safe mode and am trying to locate the programdata file but I cannot!

    This is not my machine so I do not really know my way around, but I thought that I would be able to locate a file.

    When I search in C: no programdata file shows up - I am stumped.

    Sorry for everything!
    Any thoughts?


  • Closed Accounts Posts: 3,683 ✭✭✭Kensington


    It's not a file, it's a folder :)

    You may need to enable display of hidden files and folders and protected operating system files to see it.

    Go Start > Computer
    Go Organise > Folder and search options on the window that opens
    Select the View tab on the small window that opens

    Look for Show hidden files, folders and drives and click the circle button to select it.
    Look for Hide protected operating system files (Recommended) and untick the box - select Yes at the warning prompt.

    Click Apply at the bottom of the Folder Options window, then OK.

    Be very careful what you do from here on in - you will now be able to see and accidentally change or delete system files which can render the system unbootable. You will need to reverse the above once the virus has been cleaned so as to hide these files again.

    If you go Start > Computer > c: you should now see the ProgramData folder. Go into it and you should see the folder with the random letters and be able to rename it. Rename it and reboot. See does the virus no longer start at boot time.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Open OTL, then copy and paste this into the custom scan/fixes box:


    :OTL
    O32 - AutoRun File - [2005/09/11 16:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
    O33 - MountPoints2\{04260fa3-c8ca-11e0-b911-001e683fc198}\Shell\AutoRun\command - "" = F:\RunClubSanDisk.exe
    O33 - MountPoints2\{62dc7069-a7d3-11e0-93de-001e683fc198}\Shell\AutoRun\command - "" = F:\RunClubSanDisk.exe
    [2012/10/03 15:44:12 | 000,000,000 | ---D | C] -- C:\ProgramData\utqhnutbmilxvtk
    [1 C:\Users\Elaine\Desktop\*.tmp files -> C:\Users\Elaine\Desktop\*.tmp -> ]
    [2012/10/03 15:44:11 | 000,073,402 | ---- | M] () -- C:\ProgramData\xxaycjloqrmcsmw
    [2012/10/03 15:43:56 | 000,105,984 | ---- | M] () -- C:\ProgramData\peqfbjht.exe
    [2012/10/03 15:44:07 | 000,105,984 | ---- | C] () -- C:\ProgramData\peqfbjht.exe
    [2012/10/03 15:43:56 | 000,073,402 | ---- | C] () -- C:\ProgramData\xxaycjloqrmcsmw

    :Commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    [EMPTYJAVA]
    [CREATERESTOREPOINT]
    [Reboot]
    :Files
    ipconfig /flushdns /c


    Click Run Fix and post the log it gives you.


    Then can you do this step from the infected user account? Download and run ComboFix, and post the log from it:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix


  • Registered Users Posts: 32 ruarua


    I forgot all about the hidden files ...

    I have renamed the folder and have rebooted in normal mode.

    I am not seeing the garda screen but instead a full page stating that "this program cannot display the webpage".

    A box popped up saying that the program peqfbjht.exe was not responding, but before I could do anything it disappeared.

    I can't X out of this screen or indeed do anything to it at all.

    So although it's not showing the same garda screen, it's still there?


    Are these part of it too?

    C:\ProgramData\xxaycjloqrmcsmw

    C:\ProgramData\peqfbjht.exe

    C:\ProgramData\ezsidmv.dat

    I have not done anything to them, just found them when I was looking through the ProgramData folder.


    Thanks!


  • Registered Users Posts: 32 ruarua


    I am going to run the OTL fix etc. now.

    Thank you.


  • Registered Users Posts: 32 ruarua


    Sorry about the delay, I keep losing the internet on the infected comp.

    Thank you both for your time and help.

    All processes killed
    ========== OTL ==========
    D:\AUTOMODE moved successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{04260fa3-c8ca-11e0-b911-001e683fc198}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04260fa3-c8ca-11e0-b911-001e683fc198}\ not found.
    File F:\RunClubSanDisk.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{62dc7069-a7d3-11e0-93de-001e683fc198}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62dc7069-a7d3-11e0-93de-001e683fc198}\ not found.
    File F:\RunClubSanDisk.exe not found.
    Folder C:\ProgramData\utqhnutbmilxvtk\ not found.
    C:\Users\Elaine\Desktop\~WRL0001.tmp deleted successfully.
    C:\ProgramData\xxaycjloqrmcsmw moved successfully.
    C:\ProgramData\peqfbjht.exe moved successfully.
    File C:\ProgramData\peqfbjht.exe not found.
    File C:\ProgramData\xxaycjloqrmcsmw not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 41 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Elaine
    ->Temp folder emptied: 34422292 bytes
    ->Temporary Internet Files folder emptied: 6090155 bytes
    ->Java cache emptied: 164882 bytes
    ->FireFox cache emptied: 79010836 bytes
    ->Google Chrome cache emptied: 21630691 bytes
    ->Flash cache emptied: 59377 bytes

    User: Garrett
    ->Temp folder emptied: 137452886 bytes
    ->Temporary Internet Files folder emptied: 2558192496 bytes
    ->Java cache emptied: 350087 bytes
    ->FireFox cache emptied: 59729846 bytes
    ->Google Chrome cache emptied: 8377314 bytes
    ->Flash cache emptied: 93286 bytes

    User: Guest
    ->Temp folder emptied: 50859 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 532911095 bytes
    RecycleBin emptied: 672974 bytes

    Total Files Cleaned = 3,280.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Elaine
    ->Flash cache emptied: 0 bytes

    User: Garrett
    ->Flash cache emptied: 0 bytes

    User: Guest

    User: Public

    Total Flash Files Cleaned = 0.00 mb

    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Elaine
    ->Java cache emptied: 0 bytes

    User: Garrett
    ->Java cache emptied: 0 bytes

    User: Guest

    User: Public

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\Elaine\Downloads\cmd.bat deleted successfully.
    C:\Users\Elaine\Downloads\cmd.txt deleted successfully.

    OTL by OldTimer - Version 3.2.69.0 log created on 10142012_155036

    Files\Folders moved on Reboot...
    C:\Users\Elaine\AppData\Local\Temp\ehmsas.txt moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...


  • Registered Users Posts: 32 ruarua


    So I managed to run the ComboFix app from the infected side.

    It completed its scan, then it shut down the comp and rebooted,

    and now the blue ComboFix box is jumping around on the desktop screen and I can't seem to stop it (except to shut down and reboot in safe mode), and as for where the log file is?

    I have searched but I don't think one was generated before it shut down ....

    Help ........... please.

    Thanks a lot.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    The log should be at C:\ and called combofix.txt.

    If it's not there, can you run ComboFix in safe mode?


  • Registered Users Posts: 32 ruarua


    I really appreciate your help.

    It's now scanning in safe mode - with any luck I'll have a report to post this time.

    Thanks again
    :)


  • Registered Users Posts: 32 ruarua


    From the scan in safe mode ..

    ComboFix 12-10-14.03 - Elaine 14/10/2012 18:38:27.3.2 - x86 MINIMAL
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.353.1033.18.2046.1657 [GMT 1:00]
    Running from: c:\users\Garrett\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\iun6002.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-14 to 2012-10-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-10-14 17:45 . 2012-10-14 17:45 d-----w- c:\users\Elaine\AppData\Local\temp
    2012-10-14 17:45 . 2012-10-14 17:45 d-----w- c:\users\Guest\AppData\Local\temp
    2012-10-14 17:45 . 2012-10-14 17:45 d-----w- c:\users\Garrett\AppData\Local\temp
    2012-10-14 17:45 . 2012-10-14 17:45 d-----w- c:\users\Default\AppData\Local\temp
    2012-10-14 14:50 . 2012-10-14 14:50 d-----w- C:\_OTL
    2012-10-13 17:39 . 2012-10-13 17:39 d-----w- C:\perflogs
    2012-10-13 15:39 . 2012-08-30 08:17 6980552 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2E6000CB-5E58-4637-A602-C8F41AA09B1F}\mpengine.dll
    2012-10-13 15:13 . 2012-10-13 15:13 d--h--w- c:\windows\PIF
    2012-10-03 14:44 . 2012-10-03 14:44 d-----w- c:\programdata\suspect
    2012-09-28 19:40 . 2012-09-28 19:40 d-----w- c:\program files\Common Files\Skype
    2012-09-28 19:40 . 2012-09-28 19:40 d-----r- c:\program files\Skype
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-14 01:19 . 2006-11-02 08:52 392704 ----a-w- c:\windows\system32\vds.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-05-06 1232896]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-22 68856]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
    "CSmileys"="c:\program files\Crawler\Smileys\CSmileysIM.exe" [2009-03-13 337408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
    "OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
    "CSmileys"="c:\program files\Crawler\Smileys\CSmileysIM.exe" [2009-03-13 337408]
    "Nokia FastStart"="d:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2008-10-17 2323680]
    "NSU_agent"="c:\program files\Nokia\Nokia Software Updater\nsu3ui_agent.exe" [2012-02-28 190768]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-10-25 303104]
    E_SPSU01.lnk - c:\windows\System32\spool\drivers\w32x86\3\E_SPSU01.EXE [2009-3-27 52736]
    HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
    Nokia Ovi Suite.lnk - d:\program files\Nokia\Ovi\Suite\RunLauncher.exe [2008-11-11 946176]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - COMHOST
    *NewlyCreated* - ECACHE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-08-23 16:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2008-12-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
    .
    2012-08-31 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-22 07:17]
    .
    2012-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 16:08]
    .
    2012-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 16:08]
    .
    2012-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-567430392-4232419820-570083117-1001Core.job
    - c:\users\Garrett\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-25 09:51]
    .
    2012-10-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-567430392-4232419820-570083117-1001UA.job
    - c:\users\Garrett\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-25 09:51]
    .
    2012-10-14 c:\windows\Tasks\User_Feed_Synchronization-{019E2840-A0CF-421D-89A2-BAB27839D0C2}.job
    - c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
    .
    2012-10-14 c:\windows\Tasks\User_Feed_Synchronization-{58534783-2F7E-4DC7-BA9B-40940FA3ACE2}.job
    - c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=81&bd=Pavilion&pf=laptop
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} -
    FF - ProfilePath - c:\users\Elaine\AppData\Roaming\Mozilla\Firefox\Profiles\exv81dlu.default\
    FF - prefs.js: browser.search.selectedEngine - Inbox Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.inbox.com/?tb_id=80138
    FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80138&language=en&qkw=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Aircraft Performance1.0 - c:\windows\iun6002.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-10-14 18:45
    Windows 6.0.6000 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-10-14 18:47:19
    ComboFix-quarantined-files.txt 2012-10-14 17:47
    ComboFix2.txt 2012-10-14 17:26
    .
    Pre-Run: 49,934,782,464 bytes free
    Post-Run: 49,816,502,272 bytes free
    .
    - - End Of File - - EA21A5B1A2CAF573A21AEE231C82A793


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    There should be another log called combofix.txt; the one you posted above is combofix2.txt.

    Can you post combofix.txt too?


  • Registered Users Posts: 32 ruarua


    Not sure if this is the right one? Sorry for the confusion ..

    ComboFix 12-10-14.03 - Elaine 14/10/2012 18:17:34.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.353.1033.18.2046.1284 [GMT 1:00]
    Running from: c:\users\Garrett\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
    c:\users\Public\OTL.exe
    c:\windows\system32\KBL.LOG
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    \Service_usnjsvc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-14 to 2012-10-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-10-14 17:24 . 2012-10-14 17:24 d-----w- c:\users\Elaine\AppData\Local\temp
    2012-10-14 17:24 . 2012-10-14 17:24 d-----w- c:\users\Guest\AppData\Local\temp
    2012-10-14 17:24 . 2012-10-14 17:24 d-----w- c:\users\Garrett\AppData\Local\temp
    2012-10-14 17:24 . 2012-10-14 17:24 d-----w- c:\users\Default\AppData\Local\temp
    2012-10-14 14:50 . 2012-10-14 14:50 d-----w- C:\_OTL
    2012-10-13 17:39 . 2012-10-13 17:39 d-----w- C:\perflogs
    2012-10-13 15:39 . 2012-08-30 08:17 6980552 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2E6000CB-5E58-4637-A602-C8F41AA09B1F}\mpengine.dll
    2012-10-13 15:13 . 2012-10-13 15:13 d--h--w- c:\windows\PIF
    2012-10-03 14:44 . 2012-10-03 14:44 d-----w- c:\programdata\suspect
    2012-09-28 19:40 . 2012-09-28 19:40 d-----w- c:\program files\Common Files\Skype
    2012-09-28 19:40 . 2012-09-28 19:40 d-----r- c:\program files\Skype
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-14 01:19 . 2006-11-02 08:52 392704 ----a-w- c:\windows\system32\vds.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-05-06 1232896]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-22 68856]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
    "CSmileys"="c:\program files\Crawler\Smileys\CSmileysIM.exe" [2009-03-13 337408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
    "OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
    "CSmileys"="c:\program files\Crawler\Smileys\CSmileysIM.exe" [2009-03-13 337408]
    "Nokia FastStart"="d:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2008-10-17 2323680]
    "NSU_agent"="c:\program files\Nokia\Nokia Software Updater\nsu3ui_agent.exe" [2012-02-28 190768]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-10-25 303104]
    E_SPSU01.lnk - c:\windows\System32\spool\drivers\w32x86\3\E_SPSU01.EXE [2009-3-27 52736]
    HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
    Nokia Ovi Suite.lnk - d:\program files\Nokia\Ovi\Suite\RunLauncher.exe [2008-11-11 946176]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - COMHOST
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-08-23 16:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2008-12-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
    .
    2012-08-31 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-22 07:17]
    .
    2012-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 16:08]
    .
    2012-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 16:08]
    .
    2012-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-567430392-4232419820-570083117-1001Core.job
    - c:\users\Garrett\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-25 09:51]
    .
    2012-10-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-567430392-4232419820-570083117-1001UA.job
    - c:\users\Garrett\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-25 09:51]
    .
    2012-10-14 c:\windows\Tasks\User_Feed_Synchronization-{019E2840-A0CF-421D-89A2-BAB27839D0C2}.job
    - c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
    .
    2012-10-14 c:\windows\Tasks\User_Feed_Synchronization-{58534783-2F7E-4DC7-BA9B-40940FA3ACE2}.job
    - c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=81&bd=Pavilion&pf=laptop
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} -
    FF - ProfilePath - c:\users\Elaine\AppData\Roaming\Mozilla\Firefox\Profiles\exv81dlu.default\
    FF - prefs.js: browser.search.selectedEngine - Inbox Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.inbox.com/?tb_id=80138
    FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80138&language=en&qkw=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-10-14 18:24
    Windows 6.0.6000 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    DLLs Loaded Under Running Processes
    .
    - - - - - - - > 'Explorer.exe'(3648)
    c:\program files\Crawler\Smileys\CSIMHook.dll
    .
    Completion time: 2012-10-14 18:26:35
    ComboFix-quarantined-files.txt 2012-10-14 17:26
    .
    Pre-Run: 47,913,132,032 bytes free
    Post-Run: 47,639,392,256 bytes free
    .
    - - End Of File - - FC7651A38AA2BDB633F741ACAC7E5557


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    You can delete this folder:

    c:\programdata\suspect


    How's the PC running?


  • Registered Users Posts: 1,908 ✭✭✭zom


    May I ask why you are using off-stream software such as ComboFix or OTL? Is it any better than mainstream ones like, e.g., Kaspersky? I always used Kaspersky Rescue Disk (bootable scanner), AVG has the same, or Norton USB?


  • Registered Users Posts: 32 ruarua


    I am v happy to say that there is no more locked desktop and it seems to be running just fine.

    The internet was a bit glitchy all day on the infected computer only; it seems to be fine now (though it may have been something I messed with yesterday!).

    I don't think they do their updates v often and I'm not sure how up to date their virus protection is, so I'm going to look at that now (any protection recommendations you could make?).

    Big big thanks again ASJ112 for all your help

    (and also to kensington).


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Scanners aren't that great for removing malware. OTL does a lot of scans and allows you to remove things manually, which is far better if you know what you are doing.

    ComboFix is similar but it targets all the current infections; AVs don't always do this. It is far better than any other scanners, but it's not the sort of program you use for a periodical scan, it's for when you have nasty malware only.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Security recommendations are: install Malwarebytes, run it once a week

    http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

    I'd recommend doing a quick scan with it tonight and posting the log if it finds anything.


    Use Chrome as your main browser, and install this extension:

    https://chrome.google.com/webstore/detail/kb-ssl-enforcer/flcpelgcagfhfoegekianiofphddckof


  • Registered Users Posts: 32 ruarua


    Great - thanks a lot for those - will do that and pass on the instructions.

    My brother owes me pints
    and I owe you!

    Have a good one.


  • Registered Users Posts: 96 ✭✭intbn


    ruarua wrote: »
    I forgot all about the hidden files ...

    I have renamed the folder and have rebooted in normal mode.

    I am not seeing the Garda screen but instead a full page stating that "this program cannot display the webpage".

    A box popped up saying that the program peqfbjht.exe was not responding, but before I could do anything it disappeared.

    I can't x out of this screen or indeed do anything to it at all.

    So although it's not showing the same Garda screen, it's still there?


    Are these part of it too?

    C:\ProgramData\xxaycjloqrmcsmw

    C:\ProgramData\peqfbjht.exe

    C:\ProgramData\ezsidmv.dat

    I have not done anything to them, just found them when I was looking through the ProgramData folder.


    Thanks!

    Well ruarua,

    I've removed this off 2 laptops this week.

    What I did on them was:
    1. Boot into safe mode.
    2. Run msconfig.
    3. Disable the dodgy file from the Startup tab (it was an obvious one but I googled it with me own laptop in advance to be sure it was part of the virus and not a mousepad driver etc.).
    4. Rebooted normally.
    5. Ran System Restore.
    6. Hey presto.

    I can't be sure now of the program name or folder because it was just random letters like yours.

    Just to note, you may have deleted the suspect folder but that file C:\ProgramData\peqfbjht.exe will still be on your system given it's in the ProgramData folder.
    Given you got a warning saying "the program peqfbjht.exe was not responding", I reckon what's happening is:
    1. peqfbjht.exe was being run from startup and it was emulating a web browser feature in full-screen mode (notice the scroll bar on the right?).
    2. The HTML file was probably in the suspect folder, which is why you got the not responding message.

    I noticed the program overrides Task Manager, stopping you from ending the peqfbjht.exe program:
    if you press Ctrl+Alt+Del in Vista or Win7, it still brings up the "Lock computer/switch user/log off/task manager" screen, but if you click on Task Manager the screen goes blank for a few seconds and then just goes back to the virus screen.

    System Restore disabled?
    If anyone is looking here for help with an older PC (and had System Restore disabled to try to free up some system resources), you can still always boot into safe mode and disable the dodgy program and then delete the file.
    Don't forget to delete the dodgy file AND suspect folder!

    I just googled peqfbjht.exe and there's no search results, so the file/folder names must be randomly generated when the virus creates them.
    To find them

    At the end of the day, if you have a restore point set, it's easy to disable and reset your computer back to a previous working state.

    Hope someone finds this useful ;)
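The indicators that ran through this thread (the OTL O33 AutoRun entries and loose ProgramData files, the ComboFix "Reg Loading Points" section with Security Center monitoring switched off, and intbn's point that the dropped file and folder names are randomly generated) can be pulled out of such logs mechanically instead of by eye. The script below is an added example for this page; it is not code from OTL, ComboFix or any poster. It reads a log in the plain-text format those tools print and flags loose ProgramData files with random-looking names, MountPoints2 AutoRun commands and DisableMonitoring overrides. The vowel-ratio cut-off is an assumed threshold, and the built-in sample log is constructed from lines copied out of the logs posted above.

```python
r"""Triage heuristics for OTL / ComboFix style logs (added example).

Not part of OTL, ComboFix or any post in the thread. It scans the plain-text
log those tools produce for three indicators the thread turns on:
  * files/folders directly under C:\ProgramData with random-looking names
    (peqfbjht.exe, xxaycjloqrmcsmw, utqhnutbmilxvtk)
  * AutoRun commands under Explorer's MountPoints2 key (the O33 OTL lines)
  * Security Center "DisableMonitoring" values in the ComboFix registry dump
The vowel-ratio threshold and the sample log are assumptions of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # random_programdata_name | mountpoints2_autorun | security_center_disabled
    detail: str  # path, autorun command or registry key concerned


VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Cheap randomness heuristic for a file or folder basename.

    Dictionary-derived names (mpengine, sidebar, suspect) are roughly a third
    vowels; the generated names in the thread are well under a quarter. Only
    pure-letter stems of 7+ characters are judged, so short or digit-bearing
    vendor names (nvsvc, hpqtra08) never trip it. The 0.25 cut-off is an
    assumed value: this is a triage aid, not a verdict.
    """
    stem = name.rsplit(".", 1)[0].lower()
    if len(stem) < 7 or not stem.isalpha():
        return False
    return sum(ch in VOWELS for ch in stem) / len(stem) < 0.25


# A path that is a *direct* child of ProgramData: exactly one component after
# it, ended by whitespace, a closing bracket/quote or the end of the line.
PROGRAMDATA_CHILD = re.compile(
    r"[A-Za-z]:\\ProgramData\\([^\\\s\]\)\"]+)(?=[\s\]\)\"]|$)", re.IGNORECASE)

# OTL O33 line: MountPoints2\{guid}\Shell\AutoRun\command - "" = <command>
MOUNTPOINTS_AUTORUN = re.compile(
    r"MountPoints2\\(\{[0-9a-f-]+\})\\Shell\\AutoRun\\command\s*-\s*\"\"\s*=\s*(\S+)",
    re.IGNORECASE)

# ComboFix registry dump: a [key] header followed by "name"=value lines.
SECURITY_CENTER_KEY = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring[^\]]*)\]$",
    re.IGNORECASE)
DISABLE_MONITORING = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.IGNORECASE)


def triage(log_text: str) -> list[Finding]:
    """Scan a log and return de-duplicated findings, sorted by kind then detail."""
    findings: set[Finding] = set()
    current_key: str | None = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = SECURITY_CENTER_KEY.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if line.startswith("["):
            current_key = None  # some other registry key, or an OTL file line
        if current_key and DISABLE_MONITORING.match(line):
            findings.add(Finding("security_center_disabled", current_key))
        for m in MOUNTPOINTS_AUTORUN.finditer(line):
            findings.add(Finding("mountpoints2_autorun", f"{m.group(1)} -> {m.group(2)}"))
        for m in PROGRAMDATA_CHILD.finditer(line):
            if looks_random(m.group(1)):
                findings.add(Finding("random_programdata_name", m.group(0)))
    return sorted(findings, key=lambda f: (f.kind, f.detail))


# Constructed sample: lines copied from the OTL and ComboFix logs posted in
# the thread, plus the ezsidmv.dat path the poster asked about.
SAMPLE_LOG = r"""
O33 - MountPoints2\{04260fa3-c8ca-11e0-b911-001e683fc198}\Shell\AutoRun\command - "" = F:\RunClubSanDisk.exe
[2012/10/03 15:44:12 | 000,000,000 | ---D | C] -- C:\ProgramData\utqhnutbmilxvtk
[2012/10/03 15:43:56 | 000,105,984 | ---- | M] () -- C:\ProgramData\peqfbjht.exe
[2012/10/03 15:43:56 | 000,073,402 | ---- | C] () -- C:\ProgramData\xxaycjloqrmcsmw
C:\ProgramData\ezsidmv.dat
2012-10-13 15:39 . 2012-08-30 08:17 6980552 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2E6000CB-5E58-4637-A602-C8F41AA09B1F}\mpengine.dll
2012-10-03 14:44 . 2012-10-03 14:44 d-----w- c:\programdata\suspect
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.kind:26} {finding.detail}")
```

Run it as a script to see the findings for the built-in sample, or pass the full text of a saved OTL.txt or ComboFix.txt to triage(). Note that ezsidmv.dat, which the poster also asked about, sits just above the vowel threshold and is not flagged: the name check only narrows the list, and every hit or miss still has to be confirmed against the vendor that owns the file before anything is deleted.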


  • Registered Users Posts: 32 ruarua


    ASJ112 wrote: »
    Security recommendations are: install Malwarebytes, run it once a week

    http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

    I'd recommend doing a quick scan with it tonight and posting the log if it finds anything.

    Use Chrome as your main browser, and install this extension:

    https://chrome.google.com/webstore/detail/kb-ssl-enforcer/flcpelgcagfhfoegekianiofphddckof


    Installed Malwarebytes, ran a scan and it found nothing. Yip!

    I have 2 quick questions if you don't mind -
    Can MBAM stand alone or should it have something else running alongside it?
    Have a c. 10-year-old desktop, now used by the mother for email, browsing etc. It's a bit clunky at this stage; would running OTL clean out the clutter and help smooth out the performance? Or is that not its purpose?

    Thanks!


  • Registered Users Posts: 32 ruarua


    intbn wrote: »
    Well ruarua,

    I've removed this off 2 laptops this week.

    What I did on them was:
    1. Boot into safe mode.
    2. Run msconfig.
    3. Disable the dodgy file from the Startup tab (it was an obvious one but I googled it with me own laptop in advance to be sure it was part of the virus and not a mousepad driver etc.).
    4. Rebooted normally.
    5. Ran System Restore.
    6. Hey presto.

    I can't be sure now of the program name or folder because it was just random letters like yours.

    Just to note, you may have deleted the suspect folder but that file C:\ProgramData\peqfbjht.exe will still be on your system given it's in the ProgramData folder.
    Given you got a warning saying "the program peqfbjht.exe was not responding", I reckon what's happening is:
    1. peqfbjht.exe was being run from startup and it was emulating a web browser feature in full-screen mode (notice the scroll bar on the right?).
    2. The HTML file was probably in the suspect folder, which is why you got the not responding message.

    I noticed the program overrides Task Manager, stopping you from ending the peqfbjht.exe program:
    if you press Ctrl+Alt+Del in Vista or Win7, it still brings up the "Lock computer/switch user/log off/task manager" screen, but if you click on Task Manager the screen goes blank for a few seconds and then just goes back to the virus screen.

    System Restore disabled?
    If anyone is looking here for help with an older PC (and had System Restore disabled to try to free up some system resources), you can still always boot into safe mode and disable the dodgy program and then delete the file.
    Don't forget to delete the dodgy file AND suspect folder!

    I just googled peqfbjht.exe and there's no search results, so the file/folder names must be randomly generated when the virus creates them.
    To find them

    At the end of the day, if you have a restore point set, it's easy to disable and reset your computer back to a previous working state.

    Hope someone finds this useful ;)


    Thanks for that -

    I will go in today and make sure they are gone; I had to step away from it yesterday as my eyes were shot from the marathon session on Sunday.

    What I also noticed, post scans and fixes (I forgot to say this in my earlier post ASJ112), is that services.msc cannot be run - this in part affects auto updates, right?

    Any thoughts on how I could fix it?

    Thanks!


  • Registered Users Posts: 96 ✭✭intbn


    ruarua wrote: »
    what i also noticed, post scans and fixes (i forgot to say this in my earlier post ASJ112), is that services.msc cannot be run - this in part affects auto updates, right ?

    thanks!

    i know it isn't directed at me but the services.msc file is in the windows system32 folder, check and see if it's been deleted, if it is, defo go with a system restore if you've got the option, that's a very n00bish question i have to say!:D


  • Registered Users Posts: 96 ✭✭intbn


    also, if you have vista or later, services can be accessed from the task manager, it has its own tab.
    here's a few quick tips for increasing performance:
    1. Housecall is good for doing a quick scan, it's an online scanner so it has the benefit of being up to date at all times AND it's free ;)
    http://www.google.ie/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&sqi=2&ved=0CBwQFjAA&url=http%3A%2F%2Fhousecall.trendmicro.com%2F&ei=7j59UIyoA4jRhAf9kYBI&usg=AFQjCNHXGbPsfDQ5o8Ea_9lfFPVZQp-sIA
    downside being you have to have an internet connection.

    2. Go into programs and uninstall all the c**p that you don't use anymore, you'll find even more in the control panel/add&remove programs, just make sure you're not removing any drivers that you might use for your router/soundcard etc, probably best to sort them by date and work from the most recently installed ones backwards. One benefit of this is freeing up hard drive space, another would be stopping unnecessary programs from being run at startup and hogging ram too. Remember, if your ram gets filled up the operating system starts to use a 'page file' from the hard drive, but sure if that's full of c**p that's installed and not even used then that won't make things any better.

    3. Delete your temp internet files too, they can build up and be a right hog. you may have a lot of crap in your windows temp folder too but i wouldn't delete this without checking your downloads haven't been saved to there first.

    4. Do a disc defrag on it too, this is handiest found by right clicking on the drive, then properties, then tools tab, then defragment now.

    5. If it's 10yrs old then it's most likely ddr (ddr1) ram, but it could be pc100 ram or pc133 ram (both ancient compared to ddr), i've two old pcs, one with ddr1 & one with pc133, got an upgrade for the pc133, 3 sticks of 512MB (the max it would take going by the motherboard book), a few days after the ram arrived the computer stopped working, turns out the motherboard had dodgy capacitors on it, so gonna have to wait and get a new one, old pcs like that are handy for using as a media center/server or wiring a few security cameras using a USB card, well cheaper than getting a dvr anyway!

    I'm rambling now.. anyway, I got that upgrade for under 15 euros on the bay including postage so it can be very affordable on older systems, best to make sure you know what type of ram yer system takes first (ram has many different characteristics, especially ddr) and what the maximum amount the motherboard will take is, you will find this out by googling your motherboard model number to find its manual (every motherboard has one).

    Happy hunting pal ;)


  • Registered Users Posts: 32 ruarua


    intbn wrote: »
    i know it isn't directed at me but the services.msc file is in the windows system32 folder, check and see if it's been deleted, if it is, defo go with a system restore if you've got the option, that's a very n00bish question i have to say!:D

    no, that was directed at you too .... you mentioned msconfig, system restore etc so i was hoping the services.msc issue was in the same realm so to speak

    as for n00bish :) well in my defence it's my brother's computer that i am trying to sort out. i haven't messed round with a windows os in years ...... though being totally honest even when i had one i really didn't know all that much !

    i will boot the other up and see what havoc i can wreak!

    thanks a lot for all your help, tis much appreciated

    i may be back ......


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    ruarua wrote: »
    i have 2 quick questions if you don't mind -
    can mbam stand alone or should it have something else running alongside it ?
    have c. 10-year-old desktop, now used by the mother for email, browsing etc. it's a bit clunky at this stage, would running otl clean out the clutter and help smooth out the performance ? or is that not its purpose ?

    Yeah you can use MBAM as a stand alone program, don't need others really.

    The CleanUp! button in OTL removes itself and its folder, click that if you still have OTL on your PC, no need to keep the program.


    As for the services.msc problem, probably related to the malware. Gimme a little while to think about it and I'll post back with a solution hopefully ;) Can you get your hands on a Windows XP cd ?


    Also don't use system restore as you are going to go back to a previous state when your PC was infected.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Open OTL click the None button at the top, copy and paste this in the custom scan/fixes box


    C:\WINDOWS\system32\services.exe
    C:\windows\system32\services.msc


    click Run Scan and post the log it gives.


  • Registered Users Posts: 32 ruarua


    ok, will run that and post log. thanks

    i'm not sure if they have a copy of the vista cd re laptop and will not be able to find that out until tomorrow.


  • Registered Users Posts: 32 ruarua


    it downloaded to the download folder - does that matter ?


    OTL logfile created on: 16/10/2012 18:35:09 - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Elaine\Downloads
    Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6000.17037)
    Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.16% Memory free
    4.20 Gb Paging File | 3.01 Gb Available in Paging File | 71.56% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 100.21 Gb Total Space | 51.08 Gb Free Space | 50.97% Space Free | Partition Type: NTFS
    Drive D: | 11.57 Gb Total Space | 1.84 Gb Free Space | 15.93% Space Free | Partition Type: NTFS

    Computer Name: ELAINE-PC | User Name: Elaine | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

    ========== Custom Scans ==========

    < C:\WINDOWS\system32\services.exe >
    [2006/11/02 10:45:40 | 000,279,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\services.exe

    < C:\windows\system32\services.msc >
    [2006/09/18 22:29:40 | 000,092,745 | ---- | M] () -- C:\windows\system32\services.msc

    < End of report >


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Open OTL, click the None button at the top. Under the Output box at the top click Standard Output. In the Services and Drivers box, click All. Click Run Scan and post the log it gives.

