Annoying virus - difficult to remove

breadmonkey

Hi folks,

I have a virus on my lap top that I can't seem to get rid of. One feature of it is that it brings up these "smart suggester" ads when I google something and if I go on any sort of shopping website these little "coupon" windows start appearing. I suspect it's collecting and sending information as I get the occasional "Malwarebytes has blocked access to a potentially malicious website. Type: outgoing".

If I scan with Malwarebytes I am able to detect and remove but it just shows up again quite quickly. Could anyone suggest a solution? I'm running XP.

Thanks

yeppydeppy

What anti virus software have you installed? Did you try a malwarebytes scan in safe boot?

breadmonkey

I have Symantec Endpoint. Probably not the best but I got it free! What's the idea behind scanning in safe mode?

yeppydeppy

when you boot in safe mode windows will only load the services it must to boot therefore if there is a virus / malware it wont be able to load / re-install itself when cleaned by malwarebytes. I'd also suggest you uninstall symantec and use either microsoft essentials or avast - both are also free.
You may need to google how to run malware bytes in safe mode - I've a vague recollection of it not starting either without first changing settings in windows to allow it start.

ASJ112

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Click the Quick Scan button. Do not change any settings. The scan wont take long.
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files here

murphyaii

then scan you computer with antivirus once you log in and let it run and detect the virus:D

breadmonkey

Thanks for the replies. I haven't scanned in safe mode yet but here are the results of the OTL scan:

(1) OTL

OTL logfile created on: 05/12/2012 15:44:45 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Ross\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

1.99 Gb Total Physical Memory | 1.01 Gb Available Physical Memory | 50.95% Memory free
3.84 Gb Paging File | 2.93 Gb Available in Paging File | 76.34% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.66 Gb Total Space | 26.12 Gb Free Space | 18.18% Space Free | Partition Type: NTFS
Drive | 694.61 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: ROSSDELL | User Name: Ross | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/12/05 15:27:44 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ross\My Documents\Downloads\OTL.exe
PRC - [2012/11/28 03:43:18 | 001,242,728 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2012/11/22 10:29:16 | 003,290,304 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2012/09/29 19:54:26 | 000,766,536 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/09/29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/09/29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/05/24 18:39:22 | 027,112,840 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Ross\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2012/04/04 17:47:32 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
PRC - [2009/02/20 15:11:30 | 000,364,544 | ---- | M] (ELAN Microelectronics Corp.) -- C:\Program Files\ELAN\USB\ETDUSBCtrl.exe
PRC - [2009/02/03 09:53:28 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/02/03 09:53:28 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/02/03 09:53:26 | 002,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2009/02/03 09:53:26 | 001,795,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2009/02/03 09:53:26 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/24 14:30:03 | 000,072,704 | ---- | M] (Creative Labs) -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
PRC - [2007/11/15 09:23:56 | 000,202,544 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2007/11/15 09:23:56 | 000,202,544 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2003/01/30 22:35:45 | 000,452,096 | ---- | M] (Subjective Software) -- C:\Program Files\NetTime\NeTmSvNT.exe


========== Modules (No Company Name) ==========

MOD - [2012/11/28 03:43:16 | 012,456,040 | ---- | M] () -- C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Chrome\Application\23.0.1271.95\PepperFlash\pepflashplayer.dll
MOD - [2012/11/17 10:16:22 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\d35b50eb6bb7b1bfb6592419d9feba47\System.Xml.ni.dll
MOD - [2012/11/17 10:07:39 | 007,977,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\90ad0c96693527ae685ff40019bb33b0\System.ni.dll
MOD - [2012/11/17 10:06:40 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\3add69b075f3da012fb97ce00cd795c0\mscorlib.ni.dll
MOD - [2009/11/05 07:39:40 | 000,087,552 | ---- | M] () -- C:\WINDOWS\system32\cpwmon2k.dll
MOD - [2009/06/21 23:26:00 | 000,305,664 | ---- | M] () -- C:\Program Files\TeraCopy\TeraCopyExt.dll
MOD - [2008/04/14 00:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/14 00:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2006/11/05 10:28:18 | 004,587,520 | R--- | M] () -- C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\ROXIPP41.dll
MOD - [2006/10/31 21:48:18 | 000,757,760 | ---- | M] () -- C:\WINDOWS\system32\bcm1xsup.dll
MOD - [2006/08/18 13:17:36 | 000,056,056 | ---- | M] () -- C:\WINDOWS\system32\DLAAPI_W.DLL
MOD - [2002/05/03 07:40:32 | 000,094,274 | ---- | M] () -- C:\WINDOWS\system32\HPBHEALR.DLL


========== Services (SafeList) ==========

SRV - [2012/11/22 10:29:16 | 003,290,304 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2012/11/09 11:21:24 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/09/29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/09/29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/04/04 17:47:32 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2011/06/01 14:48:28 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe -- (GoToAssist)
SRV - [2011/02/15 21:08:38 | 001,045,256 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/07/26 15:00:24 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper)
SRV - [2009/02/03 09:53:28 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/02/03 09:53:28 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/02/03 09:53:26 | 002,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/02/03 09:53:26 | 001,795,400 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/02/03 09:53:26 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2008/06/30 16:36:35 | 003,093,872 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/01/24 14:30:03 | 000,072,704 | ---- | M] (Creative Labs) [Auto | Running] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2007/11/15 09:23:56 | 000,202,544 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter)
SRV - [2006/03/03 20:03:10 | 000,069,632 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2003/01/30 22:35:45 | 000,452,096 | ---- | M] (Subjective Software) [Auto | Running] -- C:\Program Files\NetTime\NeTmSvNT.exe -- (NetTimeSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [File_System | On_Demand | Stopped] -- -- (StarOpen)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS -- (MREMPR5)
DRV - [2012/09/29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/09/12 08:00:00 | 001,601,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20121205.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/09/12 08:00:00 | 000,092,704 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20121205.002\NAVENG.SYS -- (NAVENG)
DRV - [2012/08/08 08:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/08 08:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/05/26 15:03:56 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2011/05/26 15:03:50 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2010/12/01 16:04:38 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/05/10 18:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\Ross\Local Settings\Temp\SAS_SelfExtract\saskutil.sys -- (SASKUTIL)
DRV - [2010/02/17 18:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\Ross\Local Settings\Temp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/05/18 19:44:25 | 000,025,280 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2009/02/06 15:46:50 | 000,025,088 | ---- | M] (ELAN Microelectronics Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ETDUSB.sys -- (hidflt)
DRV - [2009/02/03 09:53:28 | 000,319,664 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2009/02/03 09:53:28 | 000,279,600 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2009/02/03 09:53:28 | 000,043,824 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/02/03 09:53:22 | 000,420,400 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2009/02/03 09:53:22 | 000,191,536 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI)
DRV - [2009/02/03 09:53:22 | 000,027,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV)
DRV - [2009/02/03 09:53:22 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COH_Mon.sys -- (COH_Mon)
DRV - [2006/11/02 23:34:00 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/08/25 00:23:08 | 000,044,544 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2006/03/24 16:34:30 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/01/04 00:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\monfilt.sys -- (monfilt)
DRV - [2005/10/14 08:40:18 | 000,307,968 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2005/10/14 08:40:18 | 000,051,328 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005/10/14 08:40:18 | 000,028,544 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/08/12 16:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\APPDRV.SYS -- (APPDRV)
DRV - [2005/07/21 20:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/21 20:01:08 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/07/21 20:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/05/25 02:34:00 | 000,158,464 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctusfsyn.sys -- (CTUSFSYN)
DRV - [2005/05/09 19:08:40 | 000,033,792 | ---- | M] (Team H2O) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cledx.sys -- (CLEDX)
DRV - [2005/01/10 03:15:00 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2005/01/10 03:15:00 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2004/10/19 09:07:22 | 000,009,728 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PFModNT.sys -- (PfModNT)
DRV - [2004/02/13 09:46:00 | 000,017,153 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ie/ig/dell?hl=en&client=dell-row&channel=ie&ibd=2080124
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.ie/hws/sb/dell-row/en/side.html?channel=ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.ie/ig/dell?hl=en&client=dell-row&channel=ie&ibd=2080124

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ie/ig/dell?hl=en&client=dell-row&channel=ie&ibd=2080124
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ie/hws/sb/dell-row/en/side.html?channel=ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ie/hws/sb/dell-row/en/side.html?channel=ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/ig/dell?hl=en&client=dell-row&channel=ie&ibd=2080124
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc;version=0.8.6d: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN Team)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Ross\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Ross\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/04/14 11:19:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/06/07 19:01:13 | 000,000,000 | ---D | M]

[2012/04/14 11:21:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Ross\Application Data\Mozilla\Extensions
[2012/05/06 09:07:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/11/27 21:26:52 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/03/13 04:39:39 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/03/13 04:38:32 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/03/13 04:38:32 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage: http://www.google.com
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Chrome\Application\23.0.1271.95\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Chrome\Application\23.0.1271.95\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Chrome\Application\23.0.1271.95\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Skype Toolbars (Enabled) = C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.9.0.9216_0\npSkypeChromePlugin.dll
CHR - plugin: Google Talk Plugin (Enabled) = C:\Documents and Settings\Ross\Application Data\Mozilla\plugins\npgoogletalk.dll
CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Documents and Settings\Ross\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
CHR - plugin: DivX Player Netscape Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
CHR - plugin: Microsoft Office 2003 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Motive Plugin (Enabled) = C:\Program Files\Common Files\Motive\npMotive.dll
CHR - plugin: VLC Multimedia Plugin (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: Fast save = C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ajoceppeihgjiamjlcdencbgljckbacm\1.1_0\
CHR - Extension: YouTube = C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\
CHR - Extension: Adblock Plus = C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.3.1_0\
CHR - Extension: Google Search = C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\
CHR - Extension: Hover Zoom = C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl\4.7.4_0\
CHR - Extension: Gmail = C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\

O1 HOSTS File: ([2010/12/01 09:25:13 | 000,000,736 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (FlashGetBHO) - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Documents and Settings\Ross\Application Data\FlashGetBHO\FlashGetBHO3.dll (Trend Media Group)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [ETDUSBWare] C:\Program Files\ELAN\USB\ETDUSBCtrl.exe (ELAN Microelectronics Corp.)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10h_ActiveX.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\Ross\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Ross\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Download all by FlashGet3 - C:\Documents and Settings\Ross\Application Data\FlashGetBHO\GetAllUrl.htm ()
O8 - Extra context menu item: Download by FlashGet3 - C:\Documents and Settings\Ross\Application Data\FlashGetBHO\GetUrl.htm ()
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{87EE66CF-A146-4778-9AB6-B703A8B501A4}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\570\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O22 - SharedTaskScheduler: {1984DD45-52CF-49cd-AB77-18F378FEA264} - FencesShellExt - No CLSID value found.
O24 - Desktop WallPaper: C:\Documents and Settings\Ross\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Ross\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{158ccece-3566-11dd-abf1-001c23a587e4}\Shell - "" = AutoRun
O33 - MountPoints2\{158ccece-3566-11dd-abf1-001c23a587e4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{158ccece-3566-11dd-abf1-001c23a587e4}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
O33 - MountPoints2\{fbfeb802-4715-11df-be0a-001c23a587e4}\Shell\AutoRun\command - "" = DUPLI//blizanko.exe
O33 - MountPoints2\{fbfeb802-4715-11df-be0a-001c23a587e4}\Shell\open\command - "" = DUPLI//blizanko.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/12/03 20:27:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2012/12/03 20:27:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2012/11/12 22:27:36 | 000,000,000 | ---D | C] -- C:\Program Files\SysRestorePoint
[2012/11/12 22:25:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/11/12 22:24:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/11/12 22:24:53 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[11 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/12/05 15:06:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1645414227-3086384831-3108886906-1005UA.job
[2012/12/05 09:17:30 | 000,000,204 | ---- | M] () -- C:\WINDOWS\System32\secustat.dat
[2012/12/04 15:25:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/12/03 22:06:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1645414227-3086384831-3108886906-1005Core.job
[2012/12/03 20:27:29 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/12/02 11:58:18 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/12/02 11:52:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/12/02 11:52:56 | 2137,456,640 | -HS- | M] () -- C:\hiberfil.sys
[2012/11/30 22:10:50 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\Ross\Desktop\Google Chrome.lnk
[2012/11/30 22:10:50 | 000,002,255 | ---- | M] () -- C:\Documents and Settings\Ross\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/11/26 19:43:32 | 000,016,681 | ---- | M] () -- C:\Documents and Settings\Ross\Desktop\Asos proof of postage.pdf
[2012/11/17 11:40:12 | 000,444,150 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/11/17 11:40:10 | 000,073,058 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/11/17 11:33:31 | 000,333,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/11/17 10:09:25 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/11/12 22:24:55 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Ross\Desktop\ERUNT.lnk
[2012/11/06 18:51:32 | 000,000,000 | ---- | M] () -- C:\t1a0.1
[11 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/12/05 09:17:30 | 000,000,204 | ---- | C] () -- C:\WINDOWS\System32\secustat.dat
[2012/12/03 20:27:29 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/11/26 19:43:32 | 000,016,681 | ---- | C] () -- C:\Documents and Settings\Ross\Desktop\Asos proof of postage.pdf
[2012/11/12 22:24:55 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Ross\Desktop\ERUNT.lnk
[2012/11/06 18:51:32 | 000,000,000 | ---- | C] () -- C:\t1a0.1
[2012/02/16 17:05:26 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/08/31 06:28:22 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2011/06/21 08:21:47 | 000,000,025 | ---- | C] () -- C:\WINDOWS\libem.INI
[2008/05/23 00:33:25 | 000,055,808 | ---- | C] () -- C:\Documents and Settings\Ross\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2004/08/11 17:21:56 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2012/08/30 20:29:36 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 12:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 00:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/01/08 12:23:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2010/01/10 18:41:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
[2008/06/21 17:11:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FRISK Software
[2008/02/26 15:38:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IsolatedStorage
[2009/01/15 21:27:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Propellerhead Software
[2008/01/24 14:41:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2009/03/24 15:53:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2011/02/02 16:48:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/01/09 17:14:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2008/02/26 15:42:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\Ansys
[2011/06/21 10:24:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\Autodesk
[2012/12/05 09:17:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\BITS
[2009/10/18 16:15:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\CheckPoint
[2008/02/13 22:13:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\Command & Conquer 3 Tiberium Wars
[2008/03/11 15:19:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\Design Science
[2012/12/02 12:01:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\Dropbox
[2011/06/21 08:21:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\FlashGet
[2011/06/21 08:20:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\FlashGetBHO
[2008/07/04 15:17:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\FRISK Software
[2012/09/05 19:56:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\Internet Chess Club
[2009/10/19 10:12:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\Leadertech
[2012/06/07 19:01:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\Oracle
[2009/01/15 21:27:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\Propellerhead Software
[2010/01/21 16:29:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\SmartDraw
[2010/01/09 15:53:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\Stardock
[2008/04/06 05:22:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\Steinberg
[2012/09/06 22:00:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\TeraCopy
[2012/10/13 23:26:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ross\Application Data\uTorrent

========== Purity Check ==========



< End of report >


(2) Extras

OTL Extras logfile created on: 05/12/2012 15:44:45 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Ross\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

1.99 Gb Total Physical Memory | 1.01 Gb Available Physical Memory | 50.95% Memory free
3.84 Gb Paging File | 2.93 Gb Available in Paging File | 76.34% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.66 Gb Total Space | 26.12 Gb Free Space | 18.18% Space Free | Partition Type: NTFS
Drive | 694.61 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: ROSSDELL | User Name: Ross | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AllAlertsDisabled" = 1
"TermService" = 1
"DisableMonitoring" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\ANSYS Inc\v110\AISOL\CommonFiles\intel\AnsysWBU.exe" = C:\Program Files\ANSYS Inc\v110\AISOL\CommonFiles\intel\AnsysWBU.exe:*:Enabled:AnsysWBU.exe
"C:\Program Files\ANSYS Inc\v110\ANSYS\bin\intel\ANSYS.exe" = C:\Program Files\ANSYS Inc\v110\ANSYS\bin\intel\ANSYS.exe:*:Enabled:ANSYS.exe
"C:\Program Files\ANSYS Inc\v110\AISOL\CAD Integration\intel\ActivePIMgrU.exe" = C:\Program Files\ANSYS Inc\v110\AISOL\CAD Integration\intel\ActivePIMgrU.exe:*:Enabled:ActivePIMgrU.exe
"C:\Program Files\ANSYS Inc\v110\AISOL\CAD Integration\intel\ReaderHostU.exe" = C:\Program Files\ANSYS Inc\v110\AISOL\CAD Integration\intel\ReaderHostU.exe:*:Enabled:ReaderHostU.exe
"C:\Program Files\ANSYS Inc\v110\CommonFiles\TCL\bin\intel\tclsh.exe" = C:\Program Files\ANSYS Inc\v110\CommonFiles\TCL\bin\intel\tclsh.exe:*:Enabled:AWP tclsh.exe
"C:\Program Files\ANSYS Inc\v110\CommonFiles\TCL\bin\intel\wish.exe" = C:\Program Files\ANSYS Inc\v110\CommonFiles\TCL\bin\intel\wish.exe:*:Enabled:AWP wish.exe
"C:\Program Files\ANSYS Inc\v110\CommonFiles\CATIAV5\intel\code\bin\ReaderHostCAT5U.exe" = C:\Program Files\ANSYS Inc\v110\CommonFiles\CATIAV5\intel\code\bin\ReaderHostCAT5U.exe:*:Enabled:ReaderHostCAT5U.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Dell\MediaDirect\PCMService.exe" = C:\Program Files\Dell\MediaDirect\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program -- (CyberLink Corp.)
"C:\KasperskyAV\kis7.0\english\setup.exe" = C:\KasperskyAV\kis7.0\english\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\ANSYS Inc\v110\AISOL\CommonFiles\intel\AnsysWBU.exe" = C:\Program Files\ANSYS Inc\v110\AISOL\CommonFiles\intel\AnsysWBU.exe:*:Enabled:AnsysWBU.exe
"C:\Program Files\ANSYS Inc\v110\ANSYS\bin\intel\ANSYS.exe" = C:\Program Files\ANSYS Inc\v110\ANSYS\bin\intel\ANSYS.exe:*:Enabled:ANSYS.exe
"C:\Program Files\ANSYS Inc\v110\AISOL\CAD Integration\intel\ActivePIMgrU.exe" = C:\Program Files\ANSYS Inc\v110\AISOL\CAD Integration\intel\ActivePIMgrU.exe:*:Enabled:ActivePIMgrU.exe
"C:\Program Files\ANSYS Inc\v110\AISOL\CAD Integration\intel\ReaderHostU.exe" = C:\Program Files\ANSYS Inc\v110\AISOL\CAD Integration\intel\ReaderHostU.exe:*:Enabled:ReaderHostU.exe
"C:\Program Files\ANSYS Inc\v110\CommonFiles\TCL\bin\intel\tclsh.exe" = C:\Program Files\ANSYS Inc\v110\CommonFiles\TCL\bin\intel\tclsh.exe:*:Enabled:AWP tclsh.exe
"C:\Program Files\ANSYS Inc\v110\CommonFiles\TCL\bin\intel\wish.exe" = C:\Program Files\ANSYS Inc\v110\CommonFiles\TCL\bin\intel\wish.exe:*:Enabled:AWP wish.exe
"C:\Program Files\ANSYS Inc\v110\CommonFiles\CATIAV5\intel\code\bin\ReaderHostCAT5U.exe" = C:\Program Files\ANSYS Inc\v110\CommonFiles\CATIAV5\intel\code\bin\ReaderHostCAT5U.exe:*:Enabled:ReaderHostCAT5U.exe
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk
"C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll" = C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin -- (Google)
"C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Ross\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Documents and Settings\Ross\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Ross\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)
"C:\Program Files\FlashGet 3\FlashGet3.exe" = C:\Program Files\FlashGet 3\FlashGet3.exe:*:Enabled:Flashget3 -- (Trend Media Corporation Limited)
"C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe" = C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe:*:Enabled:BT Broadband Desktop Help -- (Alcatel-Lucent)
"C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" = C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe:*:Enabled:BT Broadband Desktop Help Notifier -- (Alcatel-Lucent)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Disabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{1111706F-666A-4037-7777-210328764D10}" = JavaFX 2.1.0
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java(TM) 6 Update 29
"{26A24AE4-039D-4CA4-87B4-2F83217004FF}" = Java(TM) 7 Update 4
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}" = Symantec Endpoint Protection
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{43602F34-1AA3-44FB-AEB2-D08C2C73743F}" = Paint.NET v3.36
"{43D16DA8-BF42-3C62-89D3-3AD47829DC2E}" = Google Talk Plugin
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A163531-5D37-4FEE-9491-BBC1BC73E212}" = SmartPad Software 1.0
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{53C6D09E-EAB6-49E5-BA4C-BA7FF13830FB}" = Sound Blaster Audigy ADVANCED MB
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5BF5F9C5-E95B-4AFA-94BE-F2A9CA73B61D}" = Apple Mobile Device Support
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91490409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Primary Interop Assemblies
"{951B0F30-9F1A-4BF6-B3DA-99EB0E917B1C}" = FARO LS 1.1.406.58
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}" = OutlookAddinSetup
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AAD47011-8518-4608-9656-951DA35B587B}" = iTunes
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.6
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{DAB5C521-80B2-48C3-B0DA-326A1B331F55}" = GoToAssist Corporate
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EA17F4FC-FDBF-4CF8-A529-2D983132D053}" = Skype™ 6.0
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Bridge Builder" = Bridge Builder
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"BT Broadband Desktop Help" = BT Broadband Desktop Help
"BTHomeHub" = BTHomeHub
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"Creative Removable Disk Manager" = Creative Removable Disk Manager
"CutePDF Writer Installation" = CutePDF Writer 2.8
"Dasher" = Dasher
"ERUNT_is1" = ERUNT 1.1j
"FlashGet 3.7" = FlashGet 3.7
"GoToAssist" = GoToAssist Corporate
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"InstallShield_{4A163531-5D37-4FEE-9491-BBC1BC73E212}" = SmartPad Software 1.0
"IrfanView" = IrfanView (remove only)
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 4.1.7
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 11.0 (x86 en-US)" = Mozilla Firefox 11.0 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyDefrag v4.2.8_is1" = MyDefrag v4.2.8
"NetTime_is1" = NetTime 2.0
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Pontifex Demo" = Pontifex Demo
"SAMB_ADVMB_FILTER_DRV" = Sound Blaster ADVANCED MB Drivers
"SearchAssist" = SearchAssist
"Sound Blaster Audigy ADVANCED MB Product Registration" = Sound Blaster Audigy ADVANCED MB Product Registration
"SyncroSoft Emu" = SyncroSoft Emu (Remove only)
"Syncrosoft's License Control" = Syncrosoft's License Control
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"SysInfo" = Creative System Information
"TeraCopy_is1" = TeraCopy 2.1
"VLC media player" = VideoLAN VLC media player 0.8.6d
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Google Chrome" = Google Chrome
"uTorrent" = µTorrent
"WinDirStat" = WinDirStat 1.1.2

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 04/12/2012 20:10:27 | Computer Name = ROSSDELL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2000

Error - 04/12/2012 20:10:29 | Computer Name = ROSSDELL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 04/12/2012 20:10:29 | Computer Name = ROSSDELL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 4188

Error - 04/12/2012 20:10:29 | Computer Name = ROSSDELL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 4188

Error - 05/12/2012 04:50:14 | Computer Name = ROSSDELL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 05/12/2012 04:50:14 | Computer Name = ROSSDELL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 31189500

Error - 05/12/2012 04:50:14 | Computer Name = ROSSDELL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 31189500

Error - 05/12/2012 04:50:16 | Computer Name = ROSSDELL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 05/12/2012 04:50:16 | Computer Name = ROSSDELL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 31191531

Error - 05/12/2012 04:50:16 | Computer Name = ROSSDELL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 31191531

[ System Events ]
Error - 18/11/2012 09:59:45 | Computer Name = ROSSDELL | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.

Error - 18/11/2012 09:59:45 | Computer Name = ROSSDELL | Source = Service Control Manager | ID = 7000
Description = The HTTP SSL service failed to start due to the following error: %%1053

Error - 04/12/2012 08:03:29 | Computer Name = ROSSDELL | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Netman service.

Error - 04/12/2012 19:01:32 | Computer Name = ROSSDELL | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Netman service.


< End of report >

ASJ112

can you post any mbam logs you have


open OTL copy and paste this in the custom scan/fixes box


:OTL
O33 - MountPoints2\{158ccece-3566-11dd-abf1-001c23a587e4}\Shell - "" = AutoRun
O33 - MountPoints2\{158ccece-3566-11dd-abf1-001c23a587e4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{158ccece-3566-11dd-abf1-001c23a587e4}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
O33 - MountPoints2\{fbfeb802-4715-11df-be0a-001c23a587e4}\Shell\AutoRun\command - "" = DUPLI//blizanko.exe
O33 - MountPoints2\{fbfeb802-4715-11df-be0a-001c23a587e4}\Shell\open\command - "" = DUPLI//blizanko.exe
[11 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]


:Commands
[PURITY]
[EMPTYTEMP]
[EMPTYFLASH]
[RESETHOSTS]
[EMPTYJAVA]
[CREATERESTOREPOINT]
[Reboot]
:Files
ipconfig /flushdns /c
C:\blizanko.exe /s


click run fix post the log it gives.


You been using a USB on this PC lately ?

breadmonkey

Thanks a mil for taking the time to look into this. When I run the script you posted OTL appears to freeze. I've tried three times giving it 10, 20 and 30 mins. Does it usually need longer or is it more likely I need to reinstall OTL?

Also, yes I have been using a USB quite regularly. iPod, Kindle and a dongle for a wireless keyboard. What's the significance?

ASJ112

the fix should only take a minute or two, can you try it in safe mode, or close down as many programs as possible in normal mode

This is related to a USB infection

O33 - MountPoints2\{fbfeb802-4715-11df-be0a-001c23a587e4}\Shell\AutoRun\command - "" = DUPLI//blizanko.exe
O33 - MountPoints2\{fbfeb802-4715-11df-be0a-001c23a587e4}\Shell\open\command - "" = DUPLI//blizanko.exe

Although not sure if those 3 would be responsible.

Don't forget the MBAM logs too

breadmonkey

OK I'll give that a lash tomorrow evening and report back!

breadmonkey

I managed to run the OTL custom fix in safe mode. Here is the log:

All processes killed
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{158ccece-3566-11dd-abf1-001c23a587e4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{158ccece-3566-11dd-abf1-001c23a587e4}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{158ccece-3566-11dd-abf1-001c23a587e4}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{158ccece-3566-11dd-abf1-001c23a587e4}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{158ccece-3566-11dd-abf1-001c23a587e4}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{158ccece-3566-11dd-abf1-001c23a587e4}\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fbfeb802-4715-11df-be0a-001c23a587e4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fbfeb802-4715-11df-be0a-001c23a587e4}\ not found.
File DUPLI//blizanko.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fbfeb802-4715-11df-be0a-001c23a587e4}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fbfeb802-4715-11df-be0a-001c23a587e4}\ not found.
File DUPLI//blizanko.exe not found.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET236.tmp deleted successfully.
C:\WINDOWS\System32\SET238.tmp deleted successfully.
C:\WINDOWS\System32\SET239.tmp deleted successfully.
C:\WINDOWS\System32\SET23E.tmp deleted successfully.
C:\WINDOWS\System32\SET245.tmp deleted successfully.
C:\WINDOWS\System32\SET248.tmp deleted successfully.
C:\WINDOWS\System32\SET24E.tmp deleted successfully.
C:\WINDOWS\System32\SET24F.tmp deleted successfully.
C:\WINDOWS\System32\SET250.tmp deleted successfully.
C:\WINDOWS\System32\SET253.tmp deleted successfully.
C:\WINDOWS\002907_.tmp deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 92732 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: All Users

User: Default User
->Temp folder emptied: 92732 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 2046104 bytes
->Temporary Internet Files folder emptied: 41569 bytes

User: NetworkService
->Temp folder emptied: 1984728 bytes
->Temporary Internet Files folder emptied: 83345167 bytes

User: postgres
->Temp folder emptied: 1090916 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Ross
->Temp folder emptied: 184676345 bytes
->Temporary Internet Files folder emptied: 355187391 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 43625778 bytes
->Google Chrome cache emptied: 316871023 bytes
->Flash cache emptied: 3101 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16317585 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 296313896 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 904214620 bytes

Total Files Cleaned = 2,104.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: postgres

User: Ross
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: postgres

User: Ross
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb

Unable to start System Restore Service. Error code 10
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
An internal error occurred: The request is not supported.

Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.
C:\Documents and Settings\Ross\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\Ross\My Documents\Downloads\cmd.txt deleted successfully.
File\Folder C:\blizanko.exe not found.

OTL by OldTimer - Version 3.2.69.0 log created on 12082012_145203

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


After rebooting I scanned with Malwarebytes. Here's the log:

Malwarebytes Anti-Malware (PRO) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.04.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Ross :: ROSSDELL [administrator]

Protection: Enabled

08/12/2012 15:01:46
mbam-log-2012-12-08 (15-01-46).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 252185
Time elapsed: 11 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Any thoughts?!

ASJ112

hows it running ?

breadmonkey

Virus is still alive and well unfortunately. Is there anything else I could try? It seems to be affecting chrome directly. Would it be worth removing that from my system and reinstalling?

ASJ112

no that wont help

download and run combofix, post the log it gives

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

breadmonkey

I couldn't fully disable poxy Symantec - the box I need to uncheck is frozen even though I'm logged in as an admin. I did google around that but the fixes started to get too complicated for me quite quickly. Anyway, hopefully that's not critical. Here's the log:

ComboFix 12-12-07.01 - Ross 08/12/2012 21:59:13.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.2038.1280 [GMT 0:00]
Running from: c:\documents and settings\Ross\My Documents\Downloads\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Ross\System
c:\documents and settings\Ross\System\win_qs8.jqx
c:\windows\is-I7DIJ.exe
c:\windows\system32\drivers\etc\hosts.txt
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-11-08 to 2012-12-08 )))))))))))))))))))))))))))))))
.
.
2012-12-05 20:09 . 2012-12-05 20:09

---

d

---

w- C:\_OTL
2012-12-03 20:27 . 2012-12-03 20:27

---

d

---

w- c:\program files\Common Files\Skype
2012-11-22 10:34 . 2012-11-22 10:34 5885632 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2012-11-12 22:27 . 2012-11-12 22:29

---

d

---

w- c:\program files\SysRestorePoint
2012-11-12 22:24 . 2012-11-12 22:25

---

d

---

w- c:\program files\ERUNT
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-22 08:37 . 2004-08-11 17:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04 . 2004-08-11 17:00 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-29 19:54 . 2008-12-13 14:48 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-13 04:39 . 2012-04-14 11:19 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.

---

Sigcheck

---

Note: Unsigned files aren't necessarily malware.
.
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB2509553\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@=&quot;{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Ross\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@=&quot;{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Ross\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@=&quot;{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Ross\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@=&quot;{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Ross\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-02-03 115560]
"ETDUSBWare"="c:\program files\Elan\USB\ETDUSBCtrl.exe" [2009-02-20 364544]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
.
c:\documents and settings\Ross\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Ross\Application Data\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-06-01 14:48 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@=&quot;Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@=&quot;Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@=&quot;Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ross^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Ross\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-22 05:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
2009-12-07 11:50 1584640 ----a-w- c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2007-11-15 09:23 202544 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-02-24 13:20 135664 ----atw- c:\documents and settings\Ross\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 15:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-09-29 19:54 766536 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 10:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Broadcom Wireless Manager UI"=c:\windows\system32\WLTRAY.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Ross\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Ross\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Ross\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\FlashGet 3\\FlashGet3.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [31/10/2012 21:30 399432]
R2 NetTimeSvc;NetTime;c:\program files\NetTime\NeTmSvNT.exe [30/01/2003 22:35 452096]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [05/04/2008 22:19 33792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/08/2012 23:03 106656]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Ross\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Ross\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Ross\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Ross\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [13/12/2008 14:48 676936]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [22/11/2012 10:29 3290304]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [09/11/2012 11:21 160944]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [03/02/2009 09:53 23888]
S3 hidflt;Elan HID/USB Mouse Driver;c:\windows\system32\drivers\ETDUSB.sys [06/01/2012 23:04 25088]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [13/12/2008 14:48 22856]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [11/08/2004 17:00 14336]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - MBAMSwissArmy
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
2012-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645414227-3086384831-3108886906-1005Core.job
- c:\documents and settings\Ross\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-24 13:20]
.
2012-12-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645414227-3086384831-3108886906-1005UA.job
- c:\documents and settings\Ross\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-24 13:20]
.
.

---

Supplementary Scan

---

.
uStart Page = hxxp://www.google.ie/ig/dell?hl=en&client=dell-row&channel=ie&ibd=2080124
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
IE: Download all by FlashGet3 - c:\documents and settings\Ross\Application Data\FlashGetBHO\GetAllUrl.htm
IE: Download by FlashGet3 - c:\documents and settings\Ross\Application Data\FlashGetBHO\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Ross\Application Data\Mozilla\Firefox\Profiles\n37zlxu5.default\
.
.

---

File Associations

---

.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SharedTaskScheduler-{1984DD45-52CF-49cd-AB77-18F378FEA264} - (no file)
SafeBoot-Symantec Antvirus
MSConfigStartUp-Everything - c:\program files\Everything\Everything.exe
MSConfigStartUp-F-PROT Antivirus Tray application - c:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
MSConfigStartUp-googletalk - c:\program files\Google\Google Talk\googletalk.exe
MSConfigStartUp-ISW - c:\program files\CheckPoint\ZAForceField\ForceField.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-08 22:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.

---

LOCKED REGISTRY KEYS

---

.
[HKEY_USERS\S-1-5-21-1645414227-3086384831-3108886906-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a9,d0,51,d3,97,9f,e1,3e,2f,08,4e,55,ce,4b,66,c0,49,de,b5,ab,b3,f7,6f,
64,0c,5e,02,3e,81,27,58,bc,91,25,e1,dd,b9,50,61,8e,97,9e,d7,25,f9,59,06,c5,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.

---

DLLs Loaded Under Running Processes

---

.
- - - - - - - > 'winlogon.exe'(884)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2012-12-08 22:06:57
ComboFix-quarantined-files.txt 2012-12-08 22:06
.
Pre-Run: 29,771,841,536 bytes free
Post-Run: 29,723,336,704 bytes free
.
- - End Of File - - 372251608C5132C64CFD970C6445DDEA

ASJ112

hows it running now

breadmonkey

Haha. I didn't realise that was supposed to fix it! Same old story, virus still here. Does that output indicate that everything should be OK?

ASJ112

can you post all the logs you have from mbam ? I want to see the ones that seemed to catch and remove the infection.


also download and run adwcleaner and post its log

http://www.bleepingcomputer.com/download/adwcleaner/