Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Problems caused by someone pharming on my computer.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Problems caused by someone pharming on my computer.

Unread postby LB1 » April 12th, 2011, 2:22 pm

I have a problem whereby when I log on to online banking I get redirected to a false login page. I only realised this as it asked for my whole password not just 3 digits. I found a trojan on the computer and have got rid of this however the problem is still the same when attempting to log on to my bank.

I have run HiJackThis in safe mode as it wouldn't let me save the log in normal mode.
Here it is...any suggestions to help solve this will be gratefully welcomed!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:12:56, on 12/04/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19019)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.philips.com/pc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (file missing)
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [Wireless Manager] "C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [lxeamon.exe] "C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark S300-S400 Series\ezprint.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [{E949EBA8-96DF-6075-796B-6EEB3426825C}] C:\Users\Bruce\AppData\Roaming\Iksevu\elno.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files\vShare\vshare_toolbar.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxeaCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe
O23 - Service: lxea_device - - C:\Windows\system32\lxeacoms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

--
End of file - 8954 bytes
LB1
Active Member
 
Posts: 13
Joined: April 12th, 2011, 1:11 pm
Advertisement
Register to Remove

Re: Problems caused by someone pharming on my computer.

Unread postby deltalima » April 14th, 2011, 3:24 pm

Checking your log - back soon.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Problems caused by someone pharming on my computer.

Unread postby deltalima » April 14th, 2011, 3:39 pm

Hi LB1,

Welcome to the forum.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Please note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please do not run any scans or make any changes to the system unless I ask you too.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please Note:
The programs I ask you to run need to be run in Administrator Mode by... Right clicking the program file and selecting: Run as Administrator.
Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program.
When prompted, please select: Allow. Reference: User Account Control (UAC) and Running as Administrator

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Right click on OTL.exe and select: Run as Administrator.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Right click the .exe file and select: Run as Administrator.. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan..

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:
C:\Users\Bruce\AppData\Roaming\Iksevu\elno.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Problems caused by someone pharming on my computer.

Unread postby LB1 » April 14th, 2011, 4:05 pm

OTL logfile created on: 14/04/2011 20:50:23 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Bruce\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 51.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 226.05 Gb Total Space | 149.13 Gb Free Space | 65.97% Space Free | Partition Type: NTFS
Drive S: | 1.46 Gb Total Space | 1.41 Gb Free Space | 96.05% Space Free | Partition Type: NTFS

Computer Name: BRUCE-PC | User Name: Bruce | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Bruce\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Lexmark S300-S400 Series\ezprint.exe ()
PRC - C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe ()
PRC - C:\Windows\System32\lxeacoms.exe ( )
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe (Affinegy, Inc.)
PRC - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe (Affinegy, Inc.)
PRC - C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe (Quanta Computer, INC.)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Bruce\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)


========== Win32 Services (SafeList) ==========

SRV - (AVG Security Toolbar Service) -- C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe ()
SRV - (avg9emc) -- C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg9wd) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (lxea_device) -- C:\Windows\System32\lxeacoms.exe ( )
SRV - (lxeaCATSCustConnectService) -- C:\Windows\System32\spool\DRIVERS\W32X86\3\\lxeaserv.exe ()
SRV - (AffinegyService) -- C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe (Affinegy, Inc.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (IAANTMON) Intel(R) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)


========== Driver Services (SafeList) ==========

DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys ()
DRV - (AvgTdiX) -- C:\Windows\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgLdx86) -- C:\Windows\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86) -- C:\Windows\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AFGSp50) -- C:\Windows\System32\drivers\AFGSp50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (hwdatacard) -- C:\Windows\System32\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.)
DRV - (NETw4v32) Intel(R) -- C:\Windows\System32\drivers\NETw4v32.sys (Intel Corporation)
DRV - (qkbfiltr) -- C:\Windows\System32\drivers\qkbfiltr.sys (KM Software Team)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems)
DRV - (smserial) -- C:\Windows\System32\drivers\smserial.sys (Motorola Inc.)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation)
DRV - (NETw3v32) Intel(R) -- C:\Windows\System32\drivers\NETw3v32.sys (Intel® Corporation)
DRV - (tifm21) -- C:\Windows\System32\drivers\tifm21.sys (Texas Instruments)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-902699257-3274578124-2423667398-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.philips.com/pc
IE - HKU\S-1-5-21-902699257-3274578124-2423667398-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-902699257-3274578124-2423667398-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-902699257-3274578124-2423667398-1000\..\URLSearchHook: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-902699257-3274578124-2423667398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========



FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/12 10:59:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2009/11/04 20:13:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Bruce\AppData\Roaming\Mozilla\Extensions
[2009/11/04 20:13:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Bruce\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2011/04/12 10:59:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) --
[2009/09/03 03:01:02 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/03/18 18:57:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/01/01 09:00:00 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/01/01 09:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml
[2010/01/01 09:00:00 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/01/01 09:00:00 | 000,001,180 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/01/01 09:00:00 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2006/09/18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll ()
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - File not found
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKLM\..\Toolbar: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll ()
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-902699257-3274578124-2423667398-1000\..\Toolbar\ShellBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\S-1-5-21-902699257-3274578124-2423667398-1000\..\Toolbar\WebBrowser: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll ()
O3 - HKU\S-1-5-21-902699257-3274578124-2423667398-1000\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\S-1-5-21-902699257-3274578124-2423667398-1000\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKU\S-1-5-21-902699257-3274578124-2423667398-1000\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark S300-S400 Series\ezprint.exe ()
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Keyboard Manager Utility] C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe (Quanta Computer, INC.)
O4 - HKLM..\Run: [lxeamon.exe] C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe ()
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Wireless Manager] C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe (Affinegy, Inc.)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-902699257-3274578124-2423667398-1000..\Run: [{E949EBA8-96DF-6075-796B-6EEB3426825C}] C:\Users\Bruce\AppData\Roaming\Iksevu\elno.exe (Adobe Systems Incorporated)
O4 - HKU\S-1-5-21-902699257-3274578124-2423667398-1000..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\vsharechrome {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files\vShare\vshare_toolbar.dll ()
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Bruce\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Bruce\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{1bdcc814-7c21-11de-a013-001b24b8f0dd}\Shell - "" = AutoRun
O33 - MountPoints2\{1bdcc814-7c21-11de-a013-001b24b8f0dd}\Shell\AutoRun\command - "" = D:\setup.exe
O33 - MountPoints2\{948d960b-8940-11de-b6aa-001b24b8f0dd}\Shell - "" = AutoRun
O33 - MountPoints2\{948d960b-8940-11de-b6aa-001b24b8f0dd}\Shell\AutoRun\command - "" = D:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{948d962f-8940-11de-b6aa-001b24b8f0dd}\Shell - "" = AutoRun
O33 - MountPoints2\{948d962f-8940-11de-b6aa-001b24b8f0dd}\Shell\AutoRun\command - "" = D:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{948d9631-8940-11de-b6aa-001b24b8f0dd}\Shell - "" = AutoRun
O33 - MountPoints2\{948d9631-8940-11de-b6aa-001b24b8f0dd}\Shell\AutoRun\command - "" = D:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{b957cbde-7ae2-11de-94cc-001b24b8f0dd}\Shell - "" = AutoRun
O33 - MountPoints2\{b957cbde-7ae2-11de-94cc-001b24b8f0dd}\Shell\AutoRun\command - "" = D:\setup.exe
O33 - MountPoints2\{ee851538-8598-11de-8a13-001b24b8f0dd}\Shell - "" = AutoRun
O33 - MountPoints2\{ee851538-8598-11de-8a13-001b24b8f0dd}\Shell\AutoRun\command - "" = D:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{ee85153a-8598-11de-8a13-001b24b8f0dd}\Shell - "" = AutoRun
O33 - MountPoints2\{ee85153a-8598-11de-8a13-001b24b8f0dd}\Shell\AutoRun\command - "" = D:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{f28dc070-79fd-11de-94cc-001b24b8f0dd}\Shell - "" = AutoRun
O33 - MountPoints2\{f28dc070-79fd-11de-94cc-001b24b8f0dd}\Shell\AutoRun\command - "" = D:\setup.exe
O33 - MountPoints2\{f28dc075-79fd-11de-94cc-001b24b8f0dd}\Shell - "" = AutoRun
O33 - MountPoints2\{f28dc075-79fd-11de-94cc-001b24b8f0dd}\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup_vmc_lite.exe /checkApplicationPresence
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/12 17:57:52 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/04/12 17:57:52 | 000,000,000 | ---D | C] -- C:\Users\Bruce\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/04/12 11:00:52 | 000,000,000 | ---D | C] -- C:\Users\Bruce\AppData\Local\Mozilla
[2011/04/12 10:59:48 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011/04/11 17:00:26 | 000,000,000 | ---D | C] -- C:\Users\Bruce\AppData\Local\Temp
[2011/04/11 16:47:43 | 000,000,000 | -HSD | C] -- C:\found.000
[2011/04/11 15:40:28 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/04/11 15:40:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2011/04/11 15:40:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/04/11 15:40:01 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/04/11 15:40:01 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/04/11 15:40:01 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/04/11 15:40:01 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/04/11 13:20:45 | 000,000,000 | ---D | C] -- C:\Users\Bruce\AppData\Roaming\f-secure
[2011/04/11 13:19:28 | 000,000,000 | ---D | C] -- C:\ProgramData\F-Secure
[2011/04/08 20:58:17 | 000,000,000 | ---D | C] -- C:\Users\Bruce\AppData\Roaming\Maulu
[2011/04/08 20:58:17 | 000,000,000 | ---D | C] -- C:\Users\Bruce\AppData\Roaming\Iksevu
[2011/03/22 19:16:56 | 001,068,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2011/03/22 19:16:56 | 000,288,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll
[2010/03/17 22:11:10 | 000,425,984 | ---- | C] ( ) -- C:\Windows\System32\lxeacoin.dll
[2010/03/17 22:06:19 | 000,446,464 | ---- | C] ( ) -- C:\Windows\System32\LXEAhcp.dll
[2010/03/17 22:06:19 | 000,368,640 | ---- | C] ( ) -- C:\Windows\System32\lxeainpa.dll
[2010/03/17 22:06:19 | 000,348,160 | ---- | C] ( ) -- C:\Windows\System32\lxeaiesc.dll
[2010/03/17 22:06:18 | 001,056,768 | ---- | C] ( ) -- C:\Windows\System32\lxeaserv.dll
[2010/03/17 22:06:18 | 000,851,968 | ---- | C] ( ) -- C:\Windows\System32\lxeausb1.dll
[2010/03/17 22:06:17 | 000,651,264 | ---- | C] ( ) -- C:\Windows\System32\lxeapmui.dll
[2010/03/17 22:06:17 | 000,581,632 | ---- | C] ( ) -- C:\Windows\System32\lxealmpm.dll
[2010/03/17 22:06:16 | 000,688,128 | ---- | C] ( ) -- C:\Windows\System32\lxeahbn3.dll
[2010/03/17 22:06:16 | 000,328,360 | ---- | C] ( ) -- C:\Windows\System32\lxeaih.exe
[2010/03/17 22:06:15 | 000,602,792 | ---- | C] ( ) -- C:\Windows\System32\lxeacoms.exe
[2010/03/17 22:06:15 | 000,376,832 | ---- | C] ( ) -- C:\Windows\System32\lxeacomm.dll
[2010/03/17 22:06:14 | 000,802,816 | ---- | C] ( ) -- C:\Windows\System32\lxeacomc.dll
[2010/03/17 22:06:14 | 000,369,320 | ---- | C] ( ) -- C:\Windows\System32\lxeacfg.exe
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/14 20:44:28 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/14 20:44:26 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/14 20:44:26 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/14 20:44:20 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/14 20:44:17 | 2137,448,448 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/14 16:39:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/14 11:33:53 | 000,000,418 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{168E9BA7-1F49-4B7E-A6AA-A533F915EF27}.job
[2011/04/14 11:20:58 | 074,612,961 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2011/04/14 11:17:35 | 000,000,036 | ---- | M] () -- C:\Users\Bruce\AppData\Local\housecall.guid.cache
[2011/04/12 19:12:40 | 000,002,523 | ---- | M] () -- C:\Users\Bruce\Desktop\HiJackThis.lnk
[2011/04/12 11:00:03 | 000,000,875 | ---- | M] () -- C:\Users\Bruce\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/12 11:00:03 | 000,000,851 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/04/12 10:08:18 | 000,609,196 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/12 10:08:18 | 000,108,672 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/03/25 20:05:30 | 002,229,197 | ---- | M] () -- C:\Users\Bruce\Desktop\pri_lit_grammar_wrtng_010700[1].pdf
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/14 11:17:35 | 000,000,036 | ---- | C] () -- C:\Users\Bruce\AppData\Local\housecall.guid.cache
[2011/04/12 19:14:22 | 2137,448,448 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/12 17:57:52 | 000,002,523 | ---- | C] () -- C:\Users\Bruce\Desktop\HiJackThis.lnk
[2011/04/12 11:00:03 | 000,000,875 | ---- | C] () -- C:\Users\Bruce\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/12 11:00:03 | 000,000,863 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011/04/12 11:00:03 | 000,000,851 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/03/25 20:05:30 | 002,229,197 | ---- | C] () -- C:\Users\Bruce\Desktop\pri_lit_grammar_wrtng_010700[1].pdf
[2011/02/27 14:15:22 | 000,000,680 | ---- | C] () -- C:\Users\Bruce\AppData\Local\d3d9caps.dat
[2011/01/12 21:28:05 | 000,000,173 | ---- | C] () -- C:\Windows\KPCMS.INI
[2011/01/12 21:27:47 | 000,210,944 | ---- | C] () -- C:\Windows\System32\MSVCRT10.DLL
[2010/07/09 03:07:45 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2010/07/08 19:07:00 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2010/07/08 19:06:59 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2010/03/17 22:11:14 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxeavs.dll
[2010/03/17 22:10:59 | 000,081,920 | ---- | C] () -- C:\Windows\System32\lxeagcfg.dll
[2010/03/17 22:10:58 | 000,294,912 | ---- | C] () -- C:\Windows\System32\lxeacui.dll
[2010/03/17 22:10:58 | 000,110,592 | ---- | C] () -- C:\Windows\System32\lxeacuir.dll
[2010/03/17 22:06:36 | 000,000,044 | -H-- | C] () -- C:\Windows\System32\lxearwrd.ini
[2010/03/17 22:06:20 | 000,385,024 | ---- | C] () -- C:\Windows\System32\LXEAinst.dll
[2010/03/17 22:06:17 | 000,262,144 | ---- | C] () -- C:\Windows\System32\lxeainsb.dll
[2010/03/17 22:06:17 | 000,057,344 | ---- | C] () -- C:\Windows\System32\lxeajswr.dll
[2010/03/17 22:06:16 | 000,323,584 | ---- | C] () -- C:\Windows\System32\lxeains.dll
[2010/03/17 22:06:16 | 000,208,896 | ---- | C] () -- C:\Windows\System32\lxeagrd.dll
[2010/03/17 22:06:16 | 000,106,496 | ---- | C] () -- C:\Windows\System32\lxeainsr.dll
[2010/03/17 22:06:15 | 000,253,952 | ---- | C] () -- C:\Windows\System32\lxeacu.dll
[2010/03/17 22:06:15 | 000,090,112 | ---- | C] () -- C:\Windows\System32\lxeacub.dll
[2010/03/17 22:06:15 | 000,036,864 | ---- | C] () -- C:\Windows\System32\lxeacur.dll
[2010/03/17 22:05:32 | 000,299,008 | ---- | C] () -- C:\Windows\System32\LXEAsm.dll
[2010/03/17 22:05:32 | 000,023,552 | ---- | C] () -- C:\Windows\System32\LXEAsmr.dll
[2009/10/03 12:09:02 | 000,289,590 | ---- | C] () -- C:\Users\Bruce\AppData\Local\zfafbn_nav.dat
[2009/10/03 12:09:02 | 000,001,699 | ---- | C] () -- C:\Users\Bruce\AppData\Local\zfafbn_navps.dat
[2009/10/03 12:09:01 | 000,003,372 | ---- | C] () -- C:\Users\Bruce\AppData\Local\zfafbn.dat
[2009/09/15 19:49:55 | 000,000,089 | ---- | C] () -- C:\Users\Bruce\AppData\Local\akwitny.bat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/07/26 21:18:24 | 000,013,824 | ---- | C] () -- C:\Users\Bruce\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/05/18 17:15:33 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2007/05/18 17:13:47 | 000,910,464 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/05/18 17:13:47 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2007/05/18 17:13:47 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1283.dll
[2007/02/21 11:26:58 | 000,995,328 | ---- | C] () -- C:\Windows\System32\WLIHVUI.dll
[2006/11/02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 13:47:37 | 000,270,552 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 11:33:01 | 000,609,196 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 11:33:01 | 000,108,672 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

< End of report >

OTL Extras logfile created on: 14/04/2011 20:50:23 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Bruce\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 51.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 226.05 Gb Total Space | 149.13 Gb Free Space | 65.97% Space Free | Partition Type: NTFS
Drive S: | 1.46 Gb Total Space | 1.41 Gb Free Space | 96.05% Space Free | Partition Type: NTFS

Computer Name: BRUCE-PC | User Name: Bruce | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-902699257-3274578124-2423667398-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{69CEE180-4CAA-4739-825F-BCD0351AEF4C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{754C7CC5-8835-4EB2-88D9-DEB22AA6DBCE}" = lport=2869 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{003A19DE-DFA2-46DA-A743-6850C4D09CEC}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{0193F413-6AAA-4972-9789-D6292D9E8423}" = dir=in | app=c:\program files\avg\avg8\avgupd.exe |
"{01E1ACD0-FB22-4795-B39D-F324209420D9}" = protocol=17 | dir=in | app=c:\program files\virgin broadband wireless\wireless manager.exe |
"{04CEF54C-242E-4E61-8D9F-30E9A50C1F6B}" = protocol=17 | dir=in | app=c:\program files\virgin broadband wireless\wireless manager.exe |
"{06F74EBC-0114-418F-A8F0-6FD9F68D4DDB}" = protocol=6 | dir=in | app=c:\program files\virgin broadband wireless\wireless manager.exe |
"{45B9F3D5-A602-43AB-BA91-433B6C31B531}" = protocol=6 | dir=in | app=c:\program files\virgin broadband wireless\wireless manager.exe |
"{4EF2B35C-71EC-4496-AFED-67E8A41189A7}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{54BC1327-B2AC-4E75-AD1F-C0A46BC1E205}" = protocol=6 | dir=in | app=c:\program files\virgin broadband wireless\wireless manager.exe |
"{59AAC070-E722-463F-B939-B1085095769C}" = protocol=6 | dir=in | app=c:\windows\system32\lxeacoms.exe |
"{60A619AA-7203-4A65-AF2B-D08F10CA8302}" = dir=in | app=c:\program files\avg\avg8\avgnsx.exe |
"{77B8C2A6-E462-47DF-8DDF-A01CBA1FFA40}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{807F69FD-0BF1-40C5-B52B-0999B3499BEA}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{94C3717D-CFEB-4E8E-8E96-1F4A53EC653F}" = dir=in | app=c:\program files\avg\avg8\avgemc.exe |
"{9B948537-E2D3-45EB-B586-F9DD4C05AD83}" = protocol=6 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{A51A72BA-0508-4833-AC0F-F20ECA991B77}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{ACF7244F-857D-4060-8A91-AB9356A5581B}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{AE1B0332-497A-4103-A7D4-491652B96019}" = protocol=17 | dir=in | app=c:\program files\virgin broadband wireless\wireless manager.exe |
"{DDA00406-FEDB-426A-AF16-5A97B5330A4E}" = protocol=17 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{FBAA5E3A-FE55-4A92-AF06-FD55A7AEA93F}" = protocol=17 | dir=in | app=c:\windows\system32\lxeacoms.exe |
"TCP Query User{9CD01674-FBAF-4F67-9931-DC4F329A83EB}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{E5715618-CE8C-419A-9989-4D12E8E045B4}C:\program files\live-player\live-player.exe" = protocol=6 | dir=in | app=c:\program files\live-player\live-player.exe |
"UDP Query User{03008707-8210-46E3-8F97-5BEE9032A0E1}C:\program files\live-player\live-player.exe" = protocol=17 | dir=in | app=c:\program files\live-player\live-player.exe |
"UDP Query User{237E3A4A-32EA-4F49-BB4C-27C81FEABD2C}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0409969E-BEFB-44D3-90B9-63BE50FBAE5E}" = TIPCI
"{0DFB3DE8-65B9-44FF-AA0A-3BECC5A2BFD1}" = Adobe Flash Player 10 Plugin
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{10812DE7-2E57-4740-B226-6B3BE34AF9D7}" = Lexmark Tools for Office
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 24
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{359FCAA7-B544-4147-AE3B-8C8A526E2427}" = Sony Image Data Suite
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5D2CF9D0-113A-476B-986F-288B54571614}" = DevalVR plugin for Internet Explorer (remove)
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B9B0C6F-E5FA-4633-A640-AB98A272ECCA}" = Safari
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C2690CF-5B74-4F93-8139-7B5644CD6A3B}" = MobileMe Control Panel
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{C99EF05C-A49C-4C8C-902B-BD4B96A6F3A8}" = Keyboard Manager Utility
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark Printable Web
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{EEC010D0-1252-4E1D-BAD9-F1B8F414535C}" = PL-2303 Vista Driver Installer
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F5D7FAB5-A1FD-4DD3-983E-4155B09D7102}" = mCore
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FAE36873-1941-4076-A9A5-48812B5EA0B7}" = iTunes
"2B0D8F3C-18AD-4D8E-879A-74A867C5C3CB_is1" = Wireless Manager
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AVG9Uninstall" = AVG Free 9.0
"bjagbj" = Favorit
"DAEMON Tools Toolbar" = DAEMON Tools Toolbar
"Disketch" = Disketch CD Label Software
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{0409969E-BEFB-44D3-90B9-63BE50FBAE5E}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"InstallShield_{C99EF05C-A49C-4C8C-902B-BD4B96A6F3A8}" = Keyboard Manager Utility
"Lexmark S300-S400 Series" = Lexmark S300-S400 Series
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Miniport Driver" = Marvell Miniport Driver
"Mozilla Firefox 4.0 (x86 en-GB)" = Mozilla Firefox 4.0 (x86 en-GB)
"ProInst" = Intel(R) PROSet/Wireless Software
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Veetle TV" = Veetle TV 0.9.18
"vShare" = vShare Plugin
"WinLiveSuite_Wave3" = Windows Live Essentials

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 13/02/2011 16:04:16 | Computer Name = Bruce-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.19019, time stamp
0x4d0c3d4c, faulting module avgssie.dll, version 9.0.0.872, time stamp 0x4cdcdaf6,
exception code 0xc0000005, fault offset 0x00054524, process id 0x10c0, application
start time 0x01cbcbb8f0cc4920.

Error - 27/02/2011 08:49:11 | Computer Name = Bruce-PC | Source = EventSystem | ID = 4609
Description =

Error - 27/02/2011 14:10:52 | Computer Name = Bruce-PC | Source = EventSystem | ID = 4609
Description =

Error - 12/03/2011 06:28:46 | Computer Name = Bruce-PC | Source = VSS | ID = 8194
Description =

Error - 14/03/2011 13:35:19 | Computer Name = Bruce-PC | Source = VSS | ID = 8194
Description =

Error - 14/03/2011 13:37:42 | Computer Name = Bruce-PC | Source = VSS | ID = 8194
Description =

Error - 30/03/2011 08:28:23 | Computer Name = Bruce-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.19019, time stamp
0x4d0c3d4c, faulting module SHELL32.dll, version 6.0.6002.18393, time stamp 0x4d39b5c7,
exception code 0xc0000005, fault offset 0x00088af9, process id 0x1dd0, application
start time 0x01cbeed375dad180.

Error - 08/04/2011 08:34:35 | Computer Name = Bruce-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 8.0.6001.19019 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 1c58 Start Time: 01cbf5dc63bfbf00 Termination Time: 40

Error - 09/04/2011 05:12:42 | Computer Name = Bruce-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 8.0.6001.19019 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 2570 Start Time: 01cbf696111529b0 Termination Time: 0

Error - 10/04/2011 08:49:13 | Computer Name = Bruce-PC | Source = Application Error | ID = 1000
Description = Faulting application 0.46858168709324.exe, version 0.0.0.0, time stamp
0x4d9f7ac6, faulting module 0.46858168709324.exe, version 0.0.0.0, time stamp 0x4d9f7ac6,
exception code 0xc0000005, fault offset 0x000dd160, process id 0x17e4, application
start time 0x01cbf77db11d0990.

[ System Events ]
Error - 14/04/2011 06:17:29 | Computer Name = Bruce-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 14/04/2011 09:01:26 | Computer Name = Bruce-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 14/04/2011 09:01:26 | Computer Name = Bruce-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 14/04/2011 09:01:26 | Computer Name = Bruce-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 14/04/2011 11:36:21 | Computer Name = Bruce-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 14/04/2011 11:36:21 | Computer Name = Bruce-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 14/04/2011 11:36:21 | Computer Name = Bruce-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 14/04/2011 15:45:50 | Computer Name = Bruce-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 14/04/2011 15:45:50 | Computer Name = Bruce-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 14/04/2011 15:45:50 | Computer Name = Bruce-PC | Source = Service Control Manager | ID = 7000
Description =


< End of report >
LB1
Active Member
 
Posts: 13
Joined: April 12th, 2011, 1:11 pm

Re: Problems caused by someone pharming on my computer.

Unread postby LB1 » April 14th, 2011, 4:41 pm

The programme stopped half way through the 1st run. I restarted it in normal mode. Can rerun in safe mode if needed.

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-14 21:38:24
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.11.0
Running: bnubndfo.exe; Driver: C:\Users\Bruce\AppData\Local\Temp\kwtoqpog.sys


---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spam.sys The system cannot find the path specified. !

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4A 0x3D 0x1F 0x36 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4A 0x3D 0x1F 0x36 ...

---- Files - GMER 1.0.15 ----

File C:\Users\Bruce\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O4Q3HOTW\114[1] 0 bytes

---- EOF - GMER 1.0.15 ----
LB1
Active Member
 
Posts: 13
Joined: April 12th, 2011, 1:11 pm

Re: Problems caused by someone pharming on my computer.

Unread postby LB1 » April 14th, 2011, 4:47 pm

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
elno.exe
Submission date:
2011-04-14 20:39:27 (UTC)
Current status:
finished
Result:
2/ 41 (4.9%)

VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2011.04.14.00 2011.04.14 Win-Trojan/Zbot.221184.H
AntiVir 7.11.6.129 2011.04.14 -
Antiy-AVL 2.0.3.7 2011.04.14 -
Avast 4.8.1351.0 2011.04.14 -
Avast5 5.0.677.0 2011.04.14 -
AVG 10.0.0.1190 2011.04.14 -
BitDefender 7.2 2011.04.14 -
CAT-QuickHeal 11.00 2011.04.14 -
ClamAV 0.97.0.0 2011.04.14 -
Commtouch 5.2.11.5 2011.04.14 -
Comodo 8341 2011.04.14 -
DrWeb 5.0.2.03300 2011.04.14 -
eSafe 7.0.17.0 2011.04.13 -
eTrust-Vet 36.1.8272 2011.04.14 -
F-Prot 4.6.2.117 2011.04.14 -
F-Secure 9.0.16440.0 2011.04.14 -
Fortinet 4.2.257.0 2011.04.14 -
GData 22 2011.04.14 -
Ikarus T3.1.1.103.0 2011.04.14 -
Jiangmin 13.0.900 2011.04.13 -
K7AntiVirus 9.96.4382 2011.04.13 -
Kaspersky 7.0.0.125 2011.04.14 -
McAfee 5.400.0.1158 2011.04.14 -
McAfee-GW-Edition 2010.1D 2011.04.14 -
Microsoft 1.6702 2011.04.14 -
NOD32 6042 2011.04.14 -
Norman 6.07.07 2011.04.13 -
Panda 10.0.3.5 2011.04.14 -
PCTools 7.0.3.5 2011.04.14 -
Prevx 3.0 2011.04.14 High Risk Cloaked Malware
Rising 23.53.03.06 2011.04.14 -
Sophos 4.64.0 2011.04.14 -
SUPERAntiSpyware 4.40.0.1006 2011.04.14 -
Symantec 20101.3.2.89 2011.04.14 -
TheHacker 6.7.0.1.173 2011.04.13 -
TrendMicro 9.200.0.1012 2011.04.14 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.14 -
VBA32 3.12.16.0 2011.04.13 -
VIPRE 9013 2011.04.14 -
ViRobot 2011.4.14.4410 2011.04.14 -
VirusBuster 13.6.305.0 2011.04.14 -
Additional information
MD5 : c989e5db39579aaa6adb1b0782e6d22a
SHA1 : b1a8b7e7e4ba0917de0d38a8c4b3cfe07185c1c5
SHA256: 6c673ca1b5f49f34d1ed595a0dc3a67c71e71eba3c66f7a167afd44586a5718d
LB1
Active Member
 
Posts: 13
Joined: April 12th, 2011, 1:11 pm

Re: Problems caused by someone pharming on my computer.

Unread postby deltalima » April 14th, 2011, 4:53 pm

Hi LB1,

  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs,
    highlight vShare Plugin
    click Remove
  • Close the Add or Remove Programs and the Control Panel windows.

TFC

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and select then follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:
  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Problems caused by someone pharming on my computer.

Unread postby LB1 » April 14th, 2011, 5:21 pm

Upon restarting windows has blocked some programmes on the startup. It brings up an information bubble to click on and see the list. I haven't done this yet..should I?

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6365

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

14/04/2011 22:14:53
mbam-log-2011-04-14 (22-14-53).txt

Scan type: Quick scan
Objects scanned: 147381
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{E949EBA8-96DF-6075-796B-6EEB3426825C} (Trojan.ZbotR.Gen) -> Value: {E949EBA8-96DF-6075-796B-6EEB3426825C} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)
LB1
Active Member
 
Posts: 13
Joined: April 12th, 2011, 1:11 pm

Re: Problems caused by someone pharming on my computer.

Unread postby deltalima » April 14th, 2011, 5:25 pm

Is that Malwarebytes log complete? It looks like the last few lines are missing.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Problems caused by someone pharming on my computer.

Unread postby LB1 » April 14th, 2011, 5:35 pm

oops yes, sorry. Here it is again.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6365

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

14/04/2011 22:14:53
mbam-log-2011-04-14 (22-14-53).txt

Scan type: Quick scan
Objects scanned: 147381
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{E949EBA8-96DF-6075-796B-6EEB3426825C} (Trojan.ZbotR.Gen) -> Value: {E949EBA8-96DF-6075-796B-6EEB3426825C} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Bruce\AppData\Roaming\Iksevu\elno.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
LB1
Active Member
 
Posts: 13
Joined: April 12th, 2011, 1:11 pm

Re: Problems caused by someone pharming on my computer.

Unread postby deltalima » April 14th, 2011, 5:41 pm

Hi LB1,

Run OTL Script

  • Right click OTL.exe and select: Run as Administrator.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code: Select all
    :processes
    killallprocesses
    :otl
    R3 - URLSearchHook: (no name) - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    :commands
    [EMPTYTEMP]
    [EMPTYFLASH]
    [REBOOT]
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Please let me know how the computer is running now.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Problems caused by someone pharming on my computer.

Unread postby LB1 » April 14th, 2011, 5:47 pm

All processes killed
========== PROCESSES ==========
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
File not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Bruce
->Temp folder emptied: 175876 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 24370026 bytes
->Flash cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 106 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 23.00 mb


[EMPTYFLASH]

User: All Users

User: Bruce
->Flash cache emptied: 0 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04142011_224431

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
LB1
Active Member
 
Posts: 13
Joined: April 12th, 2011, 1:11 pm

Re: Problems caused by someone pharming on my computer.

Unread postby LB1 » April 14th, 2011, 7:16 pm

C:\Applications\Tools\AOL\stdnet_updater.exe probably a variant of Win32/StartPage.LWOOMNQ trojan
C:\Applications\Tools\AOL\comps\acs\acssetup.exe probably a variant of Win32/StartPage.LWOOMNQ trojan
LB1
Active Member
 
Posts: 13
Joined: April 12th, 2011, 1:11 pm

Re: Problems caused by someone pharming on my computer.

Unread postby LB1 » April 14th, 2011, 7:17 pm

Looks like theres still something in there..
LB1
Active Member
 
Posts: 13
Joined: April 12th, 2011, 1:11 pm

Re: Problems caused by someone pharming on my computer.

Unread postby deltalima » April 15th, 2011, 4:14 am

Hi LB1,

C:\Applications\Tools\AOL\stdnet_updater.exe
C:\Applications\Tools\AOL\comps\acs\acssetup.exe


Please submit those two files to Virustotal and post the logs.

Looks like theres still something in there..


Does the online banking still get redirected to a false login page?
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 294 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware