[Not curable - Ramnit] Infected with vdpoxdbw.exe ninjafdd.exe

By groovycat
Jul 3, 2012
  1. Hi Techspot helpers,
    I've just picked up a virus (an hour ago), which appears to be vdpoxdbw.exe and/or ninjafdd.exe (full exe name is ninjafddhkfcghbo.exe). I got it from zikro.net where I tried to watch a UK tv program.

    I've followed the 5 step instructions with the following results:
    1. Already have avast
    2. Already had MB, but was unable to launch it after the infection. I downloaded the setup file and tried to install, but on the final step, the program wouldn't launch.
    3. Unable to download from either mirror - I just get that IE is unable to open.
    4. As 3, above.
    5. no logs to paste.

    Other information:
    a. Since the infection I can't run Opera browser which I was using at the time.
    b. I ran an Avast scan on the C drive and found no virus, even though I saw the vdpoxdbw.exe file appear in the files scanned.
    c. I ran a HijackThis scan and found the vdpoxdbw.exe entry, but was unable to fix it (scan copied below).
    d. I have Winpatrol which alerts me every few minutes that vdpoxdbw.exe is trying to access the net.

    Any help to remove this virus would be greatly appreciated.
    Many thanks in advance.
    James.

    [HJT log removed by Broni]
  2. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ============================================================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  3. groovycat

    groovycat Newcomer, in training Topic Starter Posts: 18

    Hi Broni, many thanks for your assistance. I followed your instructions and was able to download CF from the 3rd link provided. I tried to download RKill in case I needed it as per your instructions, but was unable to, with IE saying that it could not connect. I ran CF and was prompted to install recovery console, but was unable to as it said I was not connected to the web.

    The CF log is copied below.
    Thanks again,
    James.

    ComboFix 12-06-28.03 - James Ewing 04/07/2012 21:06:17.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1464 [GMT 2:00]
    Running from: c:\documents and settings\James Ewing\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\James Ewing\0.701131749126591.exe
    c:\documents and settings\James Ewing\Application Data\Adobe\plugs
    c:\documents and settings\James Ewing\Application Data\inst.exe
    c:\documents and settings\James Ewing\Local Settings\Application Data\cnnbbxan.log
    c:\documents and settings\James Ewing\Local Settings\Application Data\jwthsurj.log
    c:\documents and settings\James Ewing\Local Settings\Application Data\lpkeftvm.log
    c:\documents and settings\James Ewing\Local Settings\Application Data\pedthdvk.log
    c:\documents and settings\James Ewing\Local Settings\Application Data\wesgyfjs.log
    c:\documents and settings\James Ewing\Local Settings\Application Data\xuatrcqs.log
    c:\documents and settings\James Ewing\Local Settings\Application Data\yupjpjqj.log
    c:\documents and settings\James Ewing\WINDOWS
    c:\windows\EventSystem.log
    c:\windows\setupapi.log
    c:\windows\system32\SET61.tmp
    c:\windows\system32\SET62.tmp
    c:\windows\system32\SET98.tmp
    c:\windows\system32\SET9D.tmp
    c:\windows\system32\SETA4.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-04 to 2012-07-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-03 19:26 . 2012-07-03 19:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-07-03 18:15 . 2012-07-03 18:15 -------- d-----w- c:\documents and settings\James Ewing\Local Settings\Application Data\nwbyndug
    2012-06-24 20:55 . 2012-06-24 20:56 -------- d-----w- C:\Expat Shield
    2012-06-24 20:55 . 2012-01-05 00:31 613704 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll
    2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor90.dll
    2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor80.dll
    2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor70.dll
    2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor60.dll
    2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor50.dll
    2012-06-24 20:55 . 2012-06-24 20:56 -------- d-----w- c:\program files\Expat Shield
    2012-06-24 07:20 . 2012-06-24 07:20 -------- d-----w- c:\documents and settings\James Ewing\Local Settings\Application Data\Opera
    2012-06-24 07:20 . 2012-06-24 07:20 -------- d-----w- c:\program files\Opera
    2012-06-13 16:31 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-31 13:22 . 2006-07-25 08:28 599040 ----a-w- c:\windows\system32\crypt32.dll
    2012-05-16 15:08 . 2006-07-25 08:29 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-05-15 13:20 . 2006-07-25 08:29 1863168 ----a-w- c:\windows\system32\win32k.sys
    2012-05-11 14:42 . 2006-07-25 08:28 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-05-11 14:42 . 2006-07-25 08:28 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-05-11 11:38 . 2006-07-25 08:28 385024 ----a-w- c:\windows\system32\html.iec
    2012-05-04 13:16 . 2006-07-25 08:29 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 12:32 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-05-02 13:46 . 2006-07-25 16:42 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2008-08-26 08:27 . 2008-10-20 20:55 253952 ----a-w- c:\program files\Uninstall My Search Bar.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}]
    2012-01-04 23:02 233288 ----a-w- c:\program files\Expat Shield\HssIE\ExpatIE.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-06-27 217088]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 45056]
    "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 333120]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-2-3 1753088]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2006-03-09 13:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^James Ewing^Start Menu^Programs^Startup^MagicDisc.lnk]
    path=c:\documents and settings\James Ewing\Start Menu\Programs\Startup\MagicDisc.lnk
    backup=c:\windows\pss\MagicDisc.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2012-01-03 21:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-01-25 14:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
    2006-05-08 05:17 81920 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-05-21 10:34 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
    2006-02-14 11:11 176128 ----a-w- c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]
    2005-12-27 12:58 69632 ----a-w- c:\program files\Sony\VAIO Camera Utility\VCUServe.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
    2011-10-12 15:06 5407850 ----a-w- c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "McrdSvc"=2 (0x2)
    "ehSched"=2 (0x2)
    "ehRecvr"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Sony\\Click to DVD 2\\CtoDvd.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    .
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [21/10/2008 23:20 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21/10/2008 23:20 17744]
    R2 ExpatShieldService;Expat Shield Service;c:\program files\Expat Shield\bin\openvpnas.exe [17/01/2012 23:15 331608]
    R2 ExpatSrv;Expat Shield Routing Service;c:\program files\Expat Shield\HssWPR\hsssrv.exe [05/01/2012 01:01 363336]
    R2 ExpatWd;Expat Shield Monitoring Service;c:\program files\Expat Shield\bin\hsswd.exe -product Expat --> c:\program files\Expat Shield\bin\hsswd.exe -product Expat [?]
    R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [03/07/2009 18:35 47360]
    R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [25/07/2006 10:30 30080]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [25/07/2006 10:30 226304]
    S3 ExpatTrayService;Expat Shield Tray Service;c:\program files\Expat Shield\bin\EXPATTrayService.exe [17/01/2012 23:22 77520]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [03/07/2012 21:26 40776]
    S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [18/09/2008 20:57 30464]
    S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [18/09/2008 20:57 12672]
    S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\drivers\stppp.sys [18/09/2008 20:57 35328]
    S4 Mdnarette3np;Mdnarette3np; [x]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\documents and settings\James Ewing\Application Data\Mozilla\Firefox\Profiles\gorv87un.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 8118
    FF - prefs.js: network.proxy.socks - 127.0.0.1
    FF - prefs.js: network.proxy.socks_port - 9050
    FF - prefs.js: network.proxy.ssl - 127.0.0.1
    FF - prefs.js: network.proxy.ssl_port - 8118
    FF - prefs.js: network.proxy.type - 1
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\DivXHTML5
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-4oD - c:\program files\Kontiki\KHost.exe
    MSConfigStartUp-Acrobat Assistant 7 - c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    MSConfigStartUp-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
    MSConfigStartUp-ctfmon - c:\docume~1\ALLUSE~1\APPLIC~1\andaimesofil.dat
    MSConfigStartUp-kdx - c:\program files\Kontiki\KHost.exe
    MSConfigStartUp-Norton Ghost 10 - c:\program files\Norton Ghost\Agent\GhostTray.exe
    MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-04 21:13
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwQueryDirectoryFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\documents and settings\James Ewing\Start Menu\Programs\Startup\vdpoxdbw.exe 93312 bytes executable
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1032)
    c:\windows\system32\VESWinlogon.dll
    .
    Completion time: 2012-07-04 21:16:51
    ComboFix-quarantined-files.txt 2012-07-04 19:16
    ComboFix2.txt 2008-01-02 22:49
    .
    Pre-Run: 44,786,302,976 bytes free
    Post-Run: 50,139,070,464 bytes free
    .
    - - End Of File - - B2520932ED3B202DECE628B42B82E6D5
  4. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\James Ewing\Start Menu\Programs\Startup\vdpoxdbw.exe
    
    Driver::
    Mdnarette3np
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
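    As an added example (not ComboFix's or Broni's own code), the Python below pulls out of a ComboFix log the two kinds of entry the CFScript above targets, a file that catchme reported as hidden and a service whose image file is missing ([x]), plus the NTDLL hook catchme flagged, and assembles the File:: and Driver:: sections from them. The log excerpt embedded as sample input is copied from the log posted earlier in this thread.

```python
import re

# Excerpt copied from the ComboFix log posted above (constructed sample input).
SAMPLE_LOG = "\n".join([
    r"R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [25/07/2006 10:30 226304]",
    r"S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [03/07/2012 21:26 40776]",
    r"S4 Mdnarette3np;Mdnarette3np; [x]",
    ".",
    "catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net",
    "Rootkit scan 2012-07-04 21:13",
    ".",
    "detected NTDLL code modification:",
    "ZwQueryDirectoryFile",
    ".",
    "scanning hidden processes ...",
    ".",
    "scanning hidden files ...",
    ".",
    r"c:\documents and settings\James Ewing\Start Menu\Programs\Startup\vdpoxdbw.exe 93312 bytes executable",
    ".",
    "scan completed successfully",
    "hidden files: 1",
])

# Service/driver line: start type (R = running, S = stopped), service name,
# display name, then the image path with details, or "[x]" when the image is missing.
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
# Hidden-file line in the catchme section: path, size in bytes, file kind.
HIDDEN_FILE_RE = re.compile(r"^(.+?) (\d+) bytes (\w+)$")


def orphan_services(log):
    """Return names of services/drivers whose image file ComboFix could not locate."""
    names = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and m.group(4).strip() == "[x]":
            names.append(m.group(2))
    return names


def hooked_ntdll_functions(log):
    """Return NTDLL exports catchme reported as modified (hooks that hide files from scanners)."""
    hooks, collecting = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("detected NTDLL code modification"):
            collecting = True
            continue
        if collecting:
            if line == "." or not line:
                break
            hooks.append(line)
    return hooks


def hidden_files(log):
    """Return (path, size, kind) for every entry listed under 'scanning hidden files'."""
    found, collecting = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("scanning hidden files"):
            collecting = True
            continue
        if collecting and line.startswith("scan completed"):
            break
        if collecting:
            m = HIDDEN_FILE_RE.match(line)
            if m:
                found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found


def hidden_count_matches(log):
    """Cross-check the parsed entries against catchme's own 'hidden files: N' total."""
    m = re.search(r"^hidden files: (\d+)$", log, re.MULTILINE)
    return m is not None and int(m.group(1)) == len(hidden_files(log))


def build_cfscript(log):
    """Assemble the CFScript sections in the same layout as the hand-written one above."""
    sections = []
    exes = [path for path, _, kind in hidden_files(log) if kind == "executable"]
    if exes:
        sections.append("File::\n" + "\n".join(exes) + "\n")
    orphans = orphan_services(log)
    if orphans:
        sections.append("Driver::\n" + "\n".join(orphans) + "\n")
    sections.append("ClearJavaCache::\n")
    return "\n".join(sections)


if __name__ == "__main__":
    print("NTDLL hooks:", hooked_ntdll_functions(SAMPLE_LOG))
    print("hidden-file count consistent:", hidden_count_matches(SAMPLE_LOG))
    print(build_cfscript(SAMPLE_LOG))
```

    Whether a hidden file or an orphaned service is actually malicious remains the analyst's judgement; the script only surfaces the candidates the helper would otherwise pick out of the log by eye.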
  5. groovycat

    groovycat Newcomer, in training Topic Starter Posts: 18

    ComboFix 12-06-28.03 - James Ewing 04/07/2012 21:49:37.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1393 [GMT 2:00]
    Running from: c:\documents and settings\James Ewing\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\James Ewing\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    .
    FILE ::
    "c:\documents and settings\James Ewing\Start Menu\Programs\Startup\vdpoxdbw.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\James Ewing\Start Menu\Programs\Startup\vdpoxdbw.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_Mdnarette3np
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-04 to 2012-07-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-03 19:26 . 2012-07-03 19:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-07-03 18:15 . 2012-07-03 18:15 -------- d-----w- c:\documents and settings\James Ewing\Local Settings\Application Data\nwbyndug
    2012-06-24 20:55 . 2012-06-24 20:56 -------- d-----w- C:\Expat Shield
    2012-06-24 20:55 . 2012-01-05 00:31 613704 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll
    2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor90.dll
    2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor80.dll
    2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor70.dll
    2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor60.dll
    2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor50.dll
    2012-06-24 20:55 . 2012-06-24 20:56 -------- d-----w- c:\program files\Expat Shield
    2012-06-24 07:20 . 2012-06-24 07:20 -------- d-----w- c:\documents and settings\James Ewing\Local Settings\Application Data\Opera
    2012-06-24 07:20 . 2012-06-24 07:20 -------- d-----w- c:\program files\Opera
    2012-06-13 16:31 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-31 13:22 . 2006-07-25 08:28 599040 ----a-w- c:\windows\system32\crypt32.dll
    2012-05-16 15:08 . 2006-07-25 08:29 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-05-15 13:20 . 2006-07-25 08:29 1863168 ----a-w- c:\windows\system32\win32k.sys
    2012-05-11 14:42 . 2006-07-25 08:28 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-05-11 14:42 . 2006-07-25 08:28 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-05-11 11:38 . 2006-07-25 08:28 385024 ----a-w- c:\windows\system32\html.iec
    2012-05-04 13:16 . 2006-07-25 08:29 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 12:32 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-05-02 13:46 . 2006-07-25 16:42 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2008-08-26 08:27 . 2008-10-20 20:55 253952 ----a-w- c:\program files\Uninstall My Search Bar.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-04_19.13.50 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-07-04 19:56 . 2012-07-04 19:56 16384 c:\windows\Temp\Perflib_Perfdata_16c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}]
    2012-01-04 23:02 233288 ----a-w- c:\program files\Expat Shield\HssIE\ExpatIE.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-06-27 217088]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 45056]
    "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 333120]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-2-3 1753088]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2006-03-09 13:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^James Ewing^Start Menu^Programs^Startup^MagicDisc.lnk]
    path=c:\documents and settings\James Ewing\Start Menu\Programs\Startup\MagicDisc.lnk
    backup=c:\windows\pss\MagicDisc.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2012-01-03 21:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-01-25 14:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
    2006-05-08 05:17 81920 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-05-21 10:34 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
    2006-02-14 11:11 176128 ----a-w- c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]
    2005-12-27 12:58 69632 ----a-w- c:\program files\Sony\VAIO Camera Utility\VCUServe.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
    2011-10-12 15:06 5407850 ----a-w- c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "McrdSvc"=2 (0x2)
    "ehSched"=2 (0x2)
    "ehRecvr"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Sony\\Click to DVD 2\\CtoDvd.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    .
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [21/10/2008 23:20 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21/10/2008 23:20 17744]
    R2 ExpatShieldService;Expat Shield Service;c:\program files\Expat Shield\bin\openvpnas.exe [17/01/2012 23:15 331608]
    R2 ExpatSrv;Expat Shield Routing Service;c:\program files\Expat Shield\HssWPR\hsssrv.exe [05/01/2012 01:01 363336]
    R2 ExpatWd;Expat Shield Monitoring Service;c:\program files\Expat Shield\bin\hsswd.exe -product Expat --> c:\program files\Expat Shield\bin\hsswd.exe -product Expat [?]
    R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [03/07/2009 18:35 47360]
    R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [25/07/2006 10:30 30080]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [25/07/2006 10:30 226304]
    S3 ExpatTrayService;Expat Shield Tray Service;c:\program files\Expat Shield\bin\EXPATTrayService.exe [17/01/2012 23:22 77520]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [03/07/2012 21:26 40776]
    S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [18/09/2008 20:57 30464]
    S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [18/09/2008 20:57 12672]
    S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\drivers\stppp.sys [18/09/2008 20:57 35328]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\documents and settings\James Ewing\Application Data\Mozilla\Firefox\Profiles\gorv87un.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 8118
    FF - prefs.js: network.proxy.socks - 127.0.0.1
    FF - prefs.js: network.proxy.socks_port - 9050
    FF - prefs.js: network.proxy.ssl - 127.0.0.1
    FF - prefs.js: network.proxy.ssl_port - 8118
    FF - prefs.js: network.proxy.type - 1
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\DivXHTML5
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-04 21:57
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1356)
    c:\windows\system32\VESWinlogon.dll
    .
    - - - - - - - > 'explorer.exe'(2208)
    c:\windows\system32\WININET.dll
    c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
    c:\progra~1\WINDOW~3\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Expat Shield\bin\hsswd.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Sony\VAIO Event Service\VESMgr.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\ICO.EXE
    c:\windows\eHome\ehmsas.exe
    c:\program files\Apoint\Apntex.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-04 22:03:19 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-04 20:03
    ComboFix2.txt 2012-07-04 19:16
    ComboFix3.txt 2008-01-02 22:49
    .
    Pre-Run: 50,132,054,016 bytes free
    Post-Run: 50,058,469,376 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 5ACFE161FBEED16F77DCD7E1AF2F420B
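The ComboFix log above records `"EnableFirewall"= 0 (0x0)` for the standard firewall profile and `"DisableMonitoring"=dword:00000001` for SymantecFirewall, alongside a list of firewall-authorized programs. The following script is an added example for this thread, not ComboFix's own code and not something the thread's participants posted: it parses the `[key]` / `"name"=value` section of a ComboFix-style dump and flags those weak settings. `SAMPLE_LOG` is constructed here from lines in the format the log uses, and the rules in `find_weak_settings` are this example's own.

```python
"""Triage the registry section of a ComboFix-style log for weak security settings.

Added example for this thread, not ComboFix's code. SAMPLE_LOG reproduces lines
in the format of the log above; the rules in find_weak_settings are this
example's own and do not come from ComboFix or from the thread.
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKLM\...\key]
VALUE_RE = re.compile(r'^"(.*)"=\s*(.*)$')  # "name"=value  (value may be empty)

# Constructed sample in the log's format (double backslashes are the log's own escaping).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McrdSvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
.
"""


def parse_dump(text: str) -> dict:
    """Map each [key] to a dict of its "name"=value lines; '.' separator lines are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def as_int(value: str):
    """Read ComboFix's '0 (0x0)' / '2 (0x2)' forms or registry 'dword:00000001'; None if neither."""
    if m := re.match(r"dword:([0-9a-fA-F]{1,8})$", value):
        return int(m.group(1), 16)
    if m := re.match(r"(\d+)", value):
        return int(m.group(1))
    return None


def find_weak_settings(keys: dict) -> list:
    """Return human-readable findings for the settings a responder should question."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\firewallpolicy\\standardprofile"):
            if as_int(values.get("EnableFirewall", "")) == 0:
                findings.append(f"Windows Firewall disabled: {key}")
        elif k.endswith("\\authorizedapplications\\list"):
            # Not malicious by itself; every entry is a hole in the firewall to review.
            findings.append(f"{len(values)} firewall-authorized program(s) to review: "
                            + "; ".join(sorted(values)))
        elif "\\security center\\monitoring\\" in k:
            if as_int(values.get("DisableMonitoring", "")) == 1:
                product = key.rsplit("\\", 1)[-1]
                findings.append(f"Security Center monitoring disabled for {product}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in find_weak_settings(parse_dump(text)) or ["no weak settings found"]:
        print(finding)
```

Run it against a saved ComboFix.txt (`python triage.py ComboFix.txt`) or with no argument to use the constructed sample. The authorized-application finding is deliberately a review item rather than a verdict: a firewall exception for a known program is normal, but the list is where a dropper that added itself would also appear.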
  6. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Looks good :)

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  7. groovycat

    groovycat Newcomer, in training Topic Starter Posts: 18

    Successfully ran MB this time :). No malicious items detected; however, during the MB scan, Avast alerted me to a virus having been blocked, with the following details:

    Object: C:\DOCUMENTS AND SETTINGS\ALL USER...\RUNASUSERPROCESS.DLL
    Infection: Win32:Ramon
    Process: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

    MB log:

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.07.04.06
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    James Ewing :: GROOVYCAT [administrator]
    04/07/2012 22:33:04
    mbam-log-2012-07-04 (22-33-04).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 220184
    Time elapsed: 6 minute(s), 52 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
  8. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Very well :)

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ================================================

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
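aswMBR saves a copy of the disk's first sector as MBR.dat and reports the boot code and partition table it found there. The script below is an added example for this thread, not aswMBR's code and not a reproduction of aswMBR's own checks: it parses a 512-byte MBR image, renders the partition entries in a style similar to aswMBR's "Partition N ..." lines, hashes the boot-code bytes so they can be compared with a known-clean MBR.dat, and flags structural oddities (bad signature, more than one active partition, overlapping entries). `SAMPLE_MBR` is constructed to match the layout the aswMBR log reports for this user's Disk 0; its boot-code bytes are zero filler, and `TYPE_NAMES` is a small lookup table chosen for the example.

```python
"""Parse and sanity-check a 512-byte MBR image such as the MBR.dat aswMBR saves.

Added example for this thread; not aswMBR's code. SAMPLE_MBR is constructed to
match the partition layout aswMBR reported for Disk 0; its boot code is filler.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: executable boot code
TABLE_OFFSET = 446       # four 16-byte partition entries at 446..509
SIGNATURE = b"\x55\xaa"  # bytes 510..511
TYPE_NAMES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0F: "Extended LBA", 0x12: "Compaq diag"}
EXTENDED_TYPES = {0x05, 0x0F}


@dataclass
class Partition:
    index: int      # 1-based slot in the MBR table
    status: int     # 0x80 = active (bootable), 0x00 = inactive
    type_id: int
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)

    @property
    def lba_end(self) -> int:   # exclusive
        return self.lba_start + self.sectors

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.type_id, "unknown")


def parse_mbr(image: bytes) -> list:
    """Return the non-empty partition entries; raise if the image is short or unsigned."""
    if len(image) < SECTOR:
        raise ValueError(f"MBR image is {len(image)} bytes, need {SECTOR}")
    if image[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for slot in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, type_id, lba, sectors = struct.unpack_from("<B3xB3xII", image, TABLE_OFFSET + 16 * slot)
        if type_id != 0:  # type 0 marks an empty slot
            parts.append(Partition(slot + 1, status, type_id, lba, sectors))
    return parts


def boot_code_sha256(image: bytes) -> str:
    """Digest of the boot-code bytes, for comparison against a known-clean MBR.dat."""
    return hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest()


def audit_mbr(image: bytes) -> list:
    """Structural warnings a responder would want before trusting the table."""
    parts, warnings = parse_mbr(image), []
    for p in parts:
        if p.status not in (0x00, 0x80):
            warnings.append(f"partition {p.index}: invalid status byte {p.status:#04x}")
        if p.sectors == 0 or p.lba_start == 0:
            warnings.append(f"partition {p.index}: zero start or length")
    active = sum(p.bootable for p in parts)
    if active != 1:
        warnings.append(f"{active} active partitions (expected exactly 1)")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_end > b.lba_start:
            warnings.append(f"partition {a.index} overlaps partition {b.index}")
    return warnings


def format_like_aswmbr(parts: list) -> list:
    """Render entries in the style of aswMBR's 'Partition N ...' lines."""
    return [f"Partition {p.index} {p.status:02X} {p.type_id:02X} {p.type_name} "
            f"{p.size_mb} MB offset {p.lba_start}" for p in parts]


def _entry(status: int, type_id: int, lba: int, sectors: int) -> bytes:
    chs = b"\xfe\xff\xff"  # CHS fields are ignored on LBA-addressed disks
    return struct.pack("<B3sB3sII", status, chs, type_id, chs, lba, sectors)


# Constructed sample: layout taken from the aswMBR log in this thread, boot code is filler.
SAMPLE_MBR = (
    bytes(BOOT_CODE_LEN)                         # zero filler in place of boot code
    + b"\x00\x00\x00\x00" + b"\x00\x00"          # disk signature + reserved
    + _entry(0x00, 0x12, 63, 16611147)           # Compaq diag, 8110 MB
    + _entry(0x80, 0x07, 16611210, 195318270)    # NTFS, active, 95370 MB
    + _entry(0x00, 0x0F, 211929480, 178787385)   # Extended LBA, 87298 MB
    + bytes(16)                                  # empty fourth slot
    + SIGNATURE
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MBR
    for line in format_like_aswmbr(parse_mbr(data)):
        print(line)
    print("boot code sha256:", boot_code_sha256(data))
    print("warnings:", audit_mbr(data) or "none")
```

Run it as `python mbrcheck.py MBR.dat` on the file aswMBR leaves on the desktop, or with no argument to use the constructed sample. Logical partitions inside the extended partition (the log's "Partition 3") live in extended boot records further into the disk, so they are not in MBR.dat and this parser does not follow that chain. The boot-code digest is only useful against a baseline you trust, such as an MBR.dat saved from the same machine before it was infected or from a clean install of the same Windows version.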
  9. groovycat

    groovycat Newcomer, in training Topic Starter Posts: 18

    The first time I ran MBR it crashed after about 10 minutes. The second time, it completed, but there were about 15 or so lines of red text.

    MBR log:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-07-04 23:13:20
    -----------------------------
    23:13:20.750 OS Version: Windows 5.1.2600 Service Pack 3
    23:13:20.750 Number of processors: 2 586 0xF06
    23:13:20.750 ComputerName: GROOVYCAT UserName:
    23:13:21.390 Initialize success
    23:13:21.468 AVAST engine defs: 12070400
    23:13:23.890 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
    23:13:23.890 Disk 0 Vendor: FUJITSU_MHV2200BT 0000004F Size: 190782MB BusType: 3
    23:13:23.890 Disk 1 \Device\Harddisk1\DR4 -> \Device\000000a0
    23:13:23.890 Disk 1 Vendor: ( Size: 190782MB BusType: 0
    23:13:23.937 Disk 0 MBR read successfully
    23:13:23.953 Disk 0 MBR scan
    23:13:23.953 Disk 0 Windows XP default MBR code
    23:13:23.953 Disk 0 Partition 1 00 12 Compaq diag NTFS 8110 MB offset 63
    23:13:23.968 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 95370 MB offset 16611210
    23:13:23.984 Disk 0 Partition - 00 0F Extended LBA 87298 MB offset 211929480
    23:13:24.015 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 87298 MB offset 211929543
    23:13:24.031 Disk 0 scanning sectors +390716865
    23:13:24.125 Disk 0 scanning C:\WINDOWS\system32\drivers
    23:13:43.187 Service scanning
    23:14:03.234 Modules scanning
    23:14:19.765 Disk 0 trace - called modules:
    23:14:19.796 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    23:14:19.812 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a837ab8]
    23:14:19.812 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000008f[0x8a83e9e8]
    23:14:19.828 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8a83d940]
    23:14:20.421 AVAST engine scan C:\WINDOWS
    23:14:41.984 AVAST engine scan C:\WINDOWS\system32
    23:18:23.484 AVAST engine scan C:\WINDOWS\system32\drivers
    23:18:52.328 AVAST engine scan C:\Documents and Settings\James Ewing
    23:21:42.343 File: C:\Documents and Settings\James Ewing\Application Data\sony\myclubvaio\tools\PcName.exe **INFECTED** Win32:Ramon
    23:21:47.750 File: C:\Documents and Settings\James Ewing\Application Data\Sun\Java\jre1.6.0_11\lzma.dll **INFECTED** Win32:Ramon
    23:21:48.140 File: C:\Documents and Settings\James Ewing\Application Data\Sun\Java\jre1.6.0_13\lzma.dll **INFECTED** Win32:Ramon
    23:21:48.390 File: C:\Documents and Settings\James Ewing\Application Data\Sun\Java\jre1.6.0_14\lzma.dll **INFECTED** Win32:Ramon
    23:24:43.390 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\ACROBAT 4.0\Reader\Acrofx32.dll **INFECTED** Win32:Ramon
    23:24:45.359 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\ACROBAT 4.0\Reader\AcroRd32.exe **INFECTED** Win32:Ramon
    23:24:45.984 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\ACROBAT 4.0\Reader\Agm.dll **INFECTED** Win32:Ramon
    23:24:46.609 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\ACROBAT 4.0\Reader\Cooltype.dll **INFECTED** Win32:Ramon
    23:24:47.250 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\ACROBAT 4.0\Reader\plug_ins\Movie\QT2.dll **INFECTED** Win32:Ramon
    23:24:47.390 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\ACROBAT 4.0\Reader\plug_ins\Movie\QT3.dll **INFECTED** Win32:Ramon
    23:24:50.828 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\LAUNCH-PAD\LPad-104-98.exe **INFECTED** Win32:Ramon
    23:24:52.843 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\LAUNCH-PAD-EVAL\LP-Evaluation.exe **INFECTED** Win32:Ramon
    23:24:54.093 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\MINITEST\MiniTest2.exe **INFECTED** Win32:Ramon
    23:24:55.359 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\MODULE1\Mod1.exe **INFECTED** Win32:Ramon
    23:24:55.921 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\PR2TEST\VisaTestv2.exe **INFECTED** Win32:Ramon
    23:24:56.656 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\PROG4\Model Answer.exe **INFECTED** Win32:Ramon
    23:24:57.453 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\PROG5\Questions.exe **INFECTED** Win32:Ramon
    23:24:57.828 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\Reader\Acrofx32.dll **INFECTED** Win32:Ramon
    23:24:59.812 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\Reader\AcroRd32.exe **INFECTED** Win32:Ramon
    23:25:00.406 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\Reader\Agm.dll **INFECTED** Win32:Ramon
    23:25:01.000 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\Reader\Cooltype.dll **INFECTED** Win32:Ramon
    23:25:01.734 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\Reader\plug_ins\Movie\QT2.dll **INFECTED** Win32:Ramon
    23:25:01.921 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\Reader\plug_ins\Movie\QT3.dll **INFECTED** Win32:Ramon
    23:25:02.687 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\VISAGOLD2\VisaGold2.exe **INFECTED** Win32:Ramon
    23:25:03.890 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\VISASURE\VisaSure.exe **INFECTED** Win32:Ramon
    23:26:23.921 AVAST engine scan C:\Documents and Settings\All Users
    23:26:35.203 File: C:\Documents and Settings\All Users\Application Data\DivX\Setup\RunAsUser\RUNASUSERPROCESS.dll **INFECTED** Win32:Ramon
    23:28:26.328 Scan finished successfully
    23:28:56.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\James Ewing\Desktop\MBR.dat"
    23:28:56.171 The log file has been saved successfully to "C:\Documents and Settings\James Ewing\Desktop\aswMBR.txt"


    -------------------------------------------


    OTL.txt

    OTL logfile created on: 04/07/2012 23:30:34 - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Documents and Settings\James Ewing\Desktop
    Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 1.45 Gb Available Physical Memory | 72.75% Memory free
    3.85 Gb Paging File | 3.53 Gb Available in Paging File | 91.76% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 93.14 Gb Total Space | 46.62 Gb Free Space | 50.05% Space Free | Partition Type: NTFS
    Drive D: | 85.25 Gb Total Space | 56.08 Gb Free Space | 65.78% Space Free | Partition Type: NTFS
    Drive F: | 393.41 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: GROOVYCAT | User Name: James Ewing | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/07/04 23:01:57 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James Ewing\Desktop\OTL.exe
    PRC - [2012/01/17 23:15:44 | 000,331,608 | ---- | M] () -- C:\Program Files\Expat Shield\bin\openvpnas.exe
    PRC - [2012/01/05 01:02:02 | 000,329,544 | ---- | M] () -- C:\Program Files\Expat Shield\bin\hsswd.exe
    PRC - [2012/01/05 01:01:58 | 000,363,336 | ---- | M] (AnchorFree Inc.) -- C:\Program Files\Expat Shield\HssWPR\hsssrv.exe
    PRC - [2010/09/07 18:12:02 | 002,838,912 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    PRC - [2010/09/07 18:11:59 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    PRC - [2008/07/04 18:58:06 | 000,333,120 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    PRC - [2008/04/14 02:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006/04/13 14:36:36 | 000,176,128 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    PRC - [2006/03/07 19:46:06 | 000,290,816 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    PRC - [2006/02/03 00:19:10 | 001,753,088 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    PRC - [2006/01/27 20:17:50 | 000,221,184 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
    PRC - [2006/01/23 23:47:32 | 000,073,728 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    PRC - [2004/11/17 13:47:16 | 000,118,784 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
    PRC - [2004/08/19 02:40:08 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
    PRC - [2004/02/20 15:12:34 | 000,032,768 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    PRC - [2002/03/14 17:46:58 | 000,045,056 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/07/04 12:33:59 | 001,781,248 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\defs\12070400\algo.dll
    MOD - [2012/01/17 23:15:44 | 000,331,608 | ---- | M] () -- C:\Program Files\Expat Shield\bin\openvpnas.exe
    MOD - [2012/01/05 01:02:02 | 000,329,544 | ---- | M] () -- C:\Program Files\Expat Shield\bin\hsswd.exe
    MOD - [2011/03/01 00:37:32 | 000,180,624 | ---- | M] () -- C:\WINDOWS\system32\Primomonnt.dll
    MOD - [2010/09/07 18:13:40 | 000,142,872 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\aswDld.dll
    MOD - [2009/03/30 04:34:30 | 000,280,143 | ---- | M] () -- C:\Program Files\Expat Shield\bin\libidn-11.dll
    MOD - [2009/03/27 22:02:24 | 000,332,254 | ---- | M] () -- C:\Program Files\Expat Shield\bin\libssl32.dll
    MOD - [2009/03/27 22:02:22 | 001,554,920 | ---- | M] () -- C:\Program Files\Expat Shield\bin\libeay32.dll
    MOD - [2007/09/20 20:34:58 | 000,129,024 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
    MOD - [2005/11/28 12:59:16 | 000,876,544 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\Libeay32.dll
    MOD - [2005/11/28 12:59:16 | 000,208,965 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\iWMSProv.dll
    MOD - [2005/11/28 12:59:16 | 000,053,322 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\IntStngs.dll
    MOD - [2005/07/22 23:30:20 | 000,065,536 | ---- | M] () -- C:\WINDOWS\system32\TosCommAPI.dll
    MOD - [2005/05/20 18:42:20 | 000,010,752 | ---- | M] () -- C:\Program Files\Sony\VAIO Event Service\VESBasePS.dll
    MOD - [2004/07/20 19:04:02 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\TosBtHcrpAPI.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
    SRV - File not found [Auto | Stopped] -- -- (KService)
    SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
    SRV - File not found [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
    SRV - [2012/01/17 23:22:02 | 000,077,520 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Expat Shield\bin\EXPATTrayService.exe -- (ExpatTrayService)
    SRV - [2012/01/17 23:15:44 | 000,331,608 | ---- | M] () [Auto | Running] -- C:\Program Files\Expat Shield\bin\openvpnas.exe -- (ExpatShieldService)
    SRV - [2012/01/05 01:02:02 | 000,329,544 | ---- | M] () [Auto | Running] -- C:\Program Files\Expat Shield\bin\hsswd.exe -- (ExpatWd)
    SRV - [2012/01/05 01:01:58 | 000,363,336 | ---- | M] (AnchorFree Inc.) [Auto | Running] -- C:\Program Files\Expat Shield\HssWPR\hsssrv.exe -- (ExpatSrv)
    SRV - [2010/09/07 18:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
    SRV - [2010/09/07 18:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
    SRV - [2010/09/07 18:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2007/10/29 15:27:04 | 000,587,096 | ---- | M] (Lavasoft AB) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
    SRV - [2006/04/27 19:35:16 | 000,053,337 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
    SRV - [2006/04/27 19:27:06 | 000,049,241 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
    SRV - [2006/04/27 19:16:28 | 000,069,718 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
    SRV - [2006/04/13 14:36:36 | 000,176,128 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
    SRV - [2005/01/04 12:09:36 | 000,398,336 | ---- | M] (Sony Corporation) [Auto | Stopped] -- C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_svc.exe -- (VCI)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (RimUsb)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (mcdbus)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\JAMESE~1\LOCALS~1\Temp\aswMBR.sys -- (aswMBR)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (adiusbaw)
    DRV - File not found [Kernel | Auto | Stopped] -- -- (ADILOADER) General Purpose USB Driver (adildr.sys)
    DRV - [2012/01/05 01:01:56 | 000,037,376 | ---- | M] (AnchorFree Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HssDrv.sys -- (HssDrv)
    DRV - [2012/01/05 01:01:54 | 000,032,768 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\taphss.sys -- (taphss)
    DRV - [2010/09/07 17:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2010/09/07 17:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2010/09/07 17:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2010/09/07 17:47:19 | 000,100,176 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2010/09/07 17:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010/09/07 17:46:51 | 000,028,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2009/03/15 12:25:46 | 000,056,268 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
    DRV - [2008/09/18 20:57:34 | 000,035,328 | ---- | M] (THOMSON Telecom Belgium) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\stppp.sys -- (stppp)
    DRV - [2008/09/18 20:57:34 | 000,030,464 | ---- | M] (THOMSON Telecom Belgium) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\st330.sys -- (ST330)
    DRV - [2008/09/18 20:57:34 | 000,012,672 | ---- | M] (THOMSON Telecom Belgium) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\stbus.sys -- (STBUS)
    DRV - [2008/01/18 11:00:00 | 000,385,072 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2006/05/26 00:59:12 | 001,177,032 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
    DRV - [2006/03/06 11:39:00 | 000,030,080 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyImgF.sys -- (SonyImgF)
    DRV - [2006/02/21 11:32:32 | 000,226,304 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ti21sony.sys -- (ti21sony)
    DRV - [2006/02/08 19:33:34 | 000,062,848 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfhid.sys -- (Tosrfhid)
    DRV - [2006/02/03 01:16:08 | 000,108,928 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbd.sys -- (Tosrfbd)
    DRV - [2006/01/31 20:35:28 | 000,039,808 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
    DRV - [2005/12/29 11:42:00 | 000,234,496 | ---- | M] (Vimicro Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbvm321.sys -- (usbvm321)
    DRV - [2005/12/14 19:07:24 | 000,037,632 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (Tosrfbnp)
    DRV - [2005/12/05 01:55:30 | 001,428,096 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel(R)
    DRV - [2005/11/28 13:09:26 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
    DRV - [2005/11/24 15:37:36 | 000,047,104 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte)
    DRV - [2005/11/11 17:09:52 | 000,052,864 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfsnd.sys -- (TosRfSnd) Bluetooth Audio Device (WDM)
    DRV - [2005/10/18 09:53:24 | 000,998,656 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
    DRV - [2005/10/18 09:52:34 | 000,202,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
    DRV - [2005/10/18 09:52:30 | 000,721,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2005/09/21 02:04:56 | 000,067,456 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SI3132.sys -- (SI3132)
    DRV - [2005/09/20 08:18:20 | 000,005,248 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SiRemFil.sys -- (SiRemFil)
    DRV - [2005/08/01 18:45:08 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
    DRV - [2005/07/11 20:58:56 | 000,003,712 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\toshidpt.sys -- (toshidpt)
    DRV - [2005/01/06 15:42:42 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
    DRV - [2004/11/22 06:31:10 | 000,108,767 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
    DRV - [2004/11/01 05:21:32 | 000,010,368 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SiWinAcc.sys -- (SiFilter)
    DRV - [2000/12/05 17:18:02 | 000,003,952 | ---- | M] (Sony Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)
    DRV - [2000/11/09 12:15:08 | 000,048,896 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyNC.sys -- (SNC)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.club-vaio.com/en/

    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.club-vaio.com/en/

    IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
    IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.techspot.com/community/topics/infected-with-vdpoxdbw-exe-ninjafdd-exe.182499/
    IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\..\SearchScopes,DefaultScope = {BD289AEE-1E05-4A50-AF0C-537A2AAFEFFD}
    IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
    IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\..\SearchScopes\{BD289AEE-1E05-4A50-AF0C-537A2AAFEFFD}: "URL" = http://www.google.com/search?q={sea...&oe={outputEncoding}&sourceid=ie7&rlz=1I7SNYK
    IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.suggest.enabled: false
    FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
    FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca}:1.4.4.1
    FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.2.145
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 8118
    FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1"
    FF - prefs.js..network.proxy.socks: "127.0.0.1"
    FF - prefs.js..network.proxy.socks_port: 9050
    FF - prefs.js..network.proxy.socks_remote_dns: true
    FF - prefs.js..network.proxy.ssl: "127.0.0.1"
    FF - prefs.js..network.proxy.ssl_port: 8118
    FF - prefs.js..network.proxy.type: 1


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll File not found
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.3088: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.3146: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.11.3006: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/02/23 22:46:10 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012/05/06 21:18:04 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/01 18:21:40 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/12 14:37:09 | 000,000,000 | ---D | M]

    [2009/04/05 16:19:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\James Ewing\Application Data\Mozilla\Extensions
    [2012/06/24 15:48:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\James Ewing\Application Data\Mozilla\Firefox\Profiles\gorv87un.default\extensions
    [2010/04/28 19:02:14 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\James Ewing\Application Data\Mozilla\Firefox\Profiles\gorv87un.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/12/09 20:44:45 | 000,000,000 | ---D | M] (Torbutton) -- C:\Documents and Settings\James Ewing\Application Data\Mozilla\Firefox\Profiles\gorv87un.default\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
    [2010/05/19 15:23:27 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\James Ewing\Application Data\Mozilla\Firefox\Profiles\gorv87un.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    [2012/06/24 22:55:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/06/24 22:55:24 | 000,000,000 | ---D | M] (Expat Shield Helper (Please allow this installation)) -- C:\Program Files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
    [2012/05/06 21:18:04 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 <video>) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\DIVXHTML5
    [2009/01/13 20:20:52 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2008/01/04 17:36:50 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
    [2008/01/04 17:36:50 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
    [2008/09/22 21:14:04 | 000,000,759 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
    [2008/01/04 17:36:50 | 000,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2012/07/04 21:57:07 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
    O2 - BHO: (Expat Shield Class) - {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files\Expat Shield\HssIE\ExpatIE.dll (AnchorFree Inc.)
    O3 - HKU\S-1-5-21-556486716-130466698-4027895535-1006\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O3 - HKU\S-1-5-21-556486716-130466698-4027895535-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)
    O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe (Sony Corporation)
    O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-556486716-130466698-4027895535-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O15 - HKU\.DEFAULT\..Trusted Domains: sony-europe.com ([] in Local intranet)
    O15 - HKU\.DEFAULT\..Trusted Domains: sony-europe.com ([]* in Trusted sites)
    O15 - HKU\.DEFAULT\..Trusted Domains: sonystyle-europe.com ([] in Local intranet)
    O15 - HKU\.DEFAULT\..Trusted Domains: sonystyle-europe.com ([]* in Trusted sites)
    O15 - HKU\.DEFAULT\..Trusted Domains: vaio-link.com ([] in Local intranet)
    O15 - HKU\.DEFAULT\..Trusted Domains: vaio-link.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: sony-europe.com ([] in Local intranet)
    O15 - HKU\S-1-5-18\..Trusted Domains: sony-europe.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: sonystyle-europe.com ([] in Local intranet)
    O15 - HKU\S-1-5-18\..Trusted Domains: sonystyle-europe.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: vaio-link.com ([] in Local intranet)
    O15 - HKU\S-1-5-18\..Trusted Domains: vaio-link.com ([]* in Trusted sites)
    O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/fhg.CAB (Reg Error: Key error.)
    O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab (Reg Error: Key error.)
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://go.divx.com/plugin/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194716112250 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{324C06D2-5BF0-40FE-8FC3-90CAB2BAB7E8}: DhcpNameServer = 192.168.0.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\VESWinlogon: DllName - (VESWinlogon.dll) - C:\WINDOWS\System32\VESWinlogon.dll (Sony Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\James Ewing\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\James Ewing\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/07/25 18:47:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O34 - HKLM BootExecute: (lsdelete)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/07/04 23:01:45 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\James Ewing\Desktop\OTL.exe
    [2012/07/04 23:01:23 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\James Ewing\Desktop\aswMBR.exe
    [2012/07/04 22:30:00 | 010,063,000 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\James Ewing\Desktop\mbam-setup-1.61.0.1400.exe
    [2012/07/04 22:29:13 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2012/07/04 21:48:24 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2012/07/04 20:52:28 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/07/04 20:52:28 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/07/04 20:52:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/07/04 20:52:28 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/07/04 20:52:10 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/07/04 20:46:30 | 004,566,110 | R--- | C] (Swearware) -- C:\Documents and Settings\James Ewing\Desktop\ComboFix.exe
    [2012/07/03 20:15:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James Ewing\Local Settings\Application Data\nwbyndug
    [2012/06/24 22:55:56 | 000,000,000 | ---D | C] -- C:\Expat Shield
    [2012/06/24 22:55:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Expat Shield
    [2012/06/24 22:55:24 | 000,000,000 | ---D | C] -- C:\Program Files\Expat Shield
    [2012/06/24 09:20:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James Ewing\Local Settings\Application Data\Opera
    [2012/06/24 09:20:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James Ewing\Application Data\Opera
    [2012/06/24 09:20:24 | 000,000,000 | ---D | C] -- C:\Program Files\Opera
    [2009/07/03 18:35:12 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\James Ewing\Application Data\pcouffin.sys
    [2008/10/20 22:55:14 | 000,253,952 | ---- | C] (My Search) -- C:\Program Files\Uninstall My Search Bar.dll
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/07/04 23:28:56 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\James Ewing\Desktop\MBR.dat
    [2012/07/04 23:01:57 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James Ewing\Desktop\OTL.exe
    [2012/07/04 23:01:23 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\James Ewing\Desktop\aswMBR.exe
    [2012/07/04 22:44:45 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/07/04 22:44:24 | 000,050,868 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
    [2012/07/04 22:44:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/07/04 22:44:01 | 2145,570,816 | -HS- | M] () -- C:\hiberfil.sys
    [2012/07/04 22:30:00 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\James Ewing\Desktop\mbam-setup-1.61.0.1400.exe
    [2012/07/04 21:57:07 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2012/07/04 21:48:30 | 000,000,325 | RHS- | M] () -- C:\boot.ini
    [2012/07/04 20:46:30 | 004,566,110 | R--- | M] (Swearware) -- C:\Documents and Settings\James Ewing\Desktop\ComboFix.exe
    [2012/06/26 18:16:53 | 000,000,209 | ---- | M] () -- C:\Boot.bak
    [2012/06/24 09:20:32 | 000,001,514 | ---- | M] () -- C:\Documents and Settings\James Ewing\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk
    [2012/06/14 18:43:48 | 000,303,656 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2012/06/13 23:45:05 | 000,462,640 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/06/13 23:45:05 | 000,080,234 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/06/13 23:38:51 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/07/04 23:28:56 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\James Ewing\Desktop\MBR.dat
    [2012/07/04 21:48:30 | 000,000,209 | ---- | C] () -- C:\Boot.bak
    [2012/07/04 21:48:26 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2012/07/04 20:52:28 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/07/04 20:52:28 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/07/04 20:52:28 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/07/04 20:52:28 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/07/04 20:52:28 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012/06/24 09:20:32 | 000,001,514 | ---- | C] () -- C:\Documents and Settings\James Ewing\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk
    [2012/06/24 09:20:32 | 000,001,502 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Opera.lnk
    [2012/02/14 20:27:53 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2011/12/14 23:50:43 | 000,180,624 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
    [2011/11/04 21:20:52 | 076,004,920 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\lifosemiadna.dat
    [2011/02/10 06:03:48 | 000,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini
    [2009/07/03 18:35:12 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\James Ewing\Application Data\pcouffin.cat
    [2009/07/03 18:35:12 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\James Ewing\Application Data\pcouffin.inf
    [2009/05/25 18:07:04 | 000,000,256 | ---- | C] () -- C:\Documents and Settings\James Ewing\pool.bin
    [2008/04/29 21:52:38 | 000,000,167 | ---- | C] () -- C:\Documents and Settings\James Ewing\udownload.dat
    [2007/12/06 22:49:20 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\James Ewing\Local Settings\Application Data\fusioncache.dat
    [2007/11/09 21:08:50 | 000,121,856 | ---- | C] () -- C:\Documents and Settings\James Ewing\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    ========== LOP Check ==========

    [2010/11/19 19:31:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2009/11/11 20:17:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund
    [2008/03/14 21:02:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Channel4
    [2007/11/11 00:47:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
    [2008/08/26 10:27:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreeRIP
    [2008/10/21 23:27:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kontiki
    [2007/11/25 18:22:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Translution Limited
    [2009/07/03 19:24:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
    [2011/02/21 22:43:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2009/12/01 21:37:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2007/11/28 23:38:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\.ABC
    [2011/02/27 14:37:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\AE69276CA26488C5D9F978A96C0EF48E
    [2009/11/11 20:17:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Broderbund
    [2012/05/06 21:19:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\DDMSettings
    [2007/11/09 20:07:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\InterVideo
    [2007/11/11 00:32:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Leadertech
    [2009/10/19 22:06:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\MSNInstaller
    [2011/12/13 21:18:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Obzy
    [2012/06/24 09:20:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Opera
    [2009/02/19 01:18:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Red Kawa
    [2007/11/09 21:10:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\sony
    [2008/02/21 00:10:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Translution
    [2008/02/27 01:36:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Uniblue
    [2012/02/28 00:15:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\uTorrent
    [2009/07/03 20:13:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Vso
    [2008/07/15 11:40:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\WinPatrol
    [2011/12/14 19:53:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Yluhe
    [2008/01/29 23:24:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\sony

    ========== Purity Check ==========


    < End of report >

    --------------------------------------

    extras.txt to follow in another post
  10. groovycat

    groovycat Newcomer, in training Topic Starter Posts: 18

    Extras.txt

    OTL Extras logfile created on: 04/07/2012 23:30:34 - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Documents and Settings\James Ewing\Desktop
    Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 1.45 Gb Available Physical Memory | 72.75% Memory free
    3.85 Gb Paging File | 3.53 Gb Available in Paging File | 91.76% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 93.14 Gb Total Space | 46.62 Gb Free Space | 50.05% Space Free | Partition Type: NTFS
    Drive D: | 85.25 Gb Total Space | 56.08 Gb Free Space | 65.78% Space Free | Partition Type: NTFS
    Drive F: | 393.41 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: GROOVYCAT | User Name: James Ewing | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Classes\<extension>]
    .html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    https [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software)
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:LocalSubNet:Disabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Disabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Disabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Disabled:mad:xpsp2res.dll,-22002
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22008
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- ()
    "C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
    "C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
    "C:\Program Files\Sony\Click to DVD 2\CtoDvd.exe" = C:\Program Files\Sony\Click to DVD 2\CtoDvd.exe:*:Enabled:Click to DVD -- (Sony Corporation)
    "C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe" = C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe:*:Enabled:Opera Internet Browser - Plugin wrapper -- (Opera Software)
    "C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{01FDC9FC-4D4F-4DB0-ACD1-D3E8E1D52902}" = Sony MP4 Shared Library
    "{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio DigitalMedia Data
    "{0ECB59D5-A3FC-4D61-AD3B-6CE679B3F852}" = Java DB 10.2.2.0
    "{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
    "{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
    "{1417F599-1DBD-4499-9375-B2813E9F890C}" = VAIO Camera Utility
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{2063C2E8-3812-4BBD-9998-6610F80C1DD4}" = VAIO Media AC3 Decoder 1.0
    "{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3}" = OpenMG AAC Add-on Module 1.0.00
    "{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
    "{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
    "{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 14
    "{27337663-2619-11D4-99DC-0000F49094C7}" = Memory Stick Formatter
    "{2A0F3EF9-68EE-49E9-A05B-ED5B82DF63E5}" = Wireless Switch Setting Utility
    "{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
    "{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
    "{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
    "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
    "{32A3A4F4-B792-11D6-A78A-00B0D0160030}" = Java(TM) SE Development Kit 6 Update 3
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3633BA28-67CE-4AC8-A677-3406CA84C3D8}" = OpenMG Secure Module 4.5.01
    "{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
    "{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
    "{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
    "{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}" = SAGEM F@st 800-840
    "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
    "{58F9D852-9443-4955-A1ED-12C9E0504DD0}" = Mavis Beacon Teaches Typing Platinum 20
    "{59452470-A902-477F-9338-9B88101681BD}" = Setting Utility Series
    "{5958CAC6-373E-402F-84FE-0A699AA920B9}" = LAN Setting Utility
    "{5BF5F9C5-E95B-4AFA-94BE-F2A9CA73B61D}" = Apple Mobile Device Support
    "{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
    "{61D6E4FB-1A62-4EB1-BE56-929B00C155CF}" = Wireless LAN Starter
    "{668B1BD6-4593-4959-970E-249AFFE6F35C}" = VOR
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{83CDA18E-0BF3-4ACA-872C-B4CDABF2360E}" = VAIO Update 4
    "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
    "{8EDBA74D-0686-4C99-BFDD-F894678E5102}" = Adobe Common File Installer
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_PRJPRO_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_PRJPRO_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_PRJPRO_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-003B-0000-0000-0000000FF1CE}" = Microsoft Office Project Professional 2007
    "{90120000-003B-0000-0000-0000000FF1CE}_PRJPRO_{8446EB22-A746-46DC-B1BD-E0DFA1F3CDDA}" = Microsoft Office Project 2007 Service Pack 3 (SP3)
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_PRJPRO_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00B4-0409-0000-0000000FF1CE}" = Microsoft Office Project MUI (English) 2007
    "{90120000-00B4-0409-0000-0000000FF1CE}_PRJPRO_{F3CD3F3F-726C-4414-A1FE-5CD0968313EA}" = Microsoft Office Project 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_PRJPRO_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
    "{9E319E96-ED8E-4B01-9775-C521A1869A25}" = VAIO Power Management
    "{9E407618-D9CD-4F39-9490-9ED45294073D}" = Click to DVD 2.0.03 Menu Data
    "{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
    "{A947C2B3-7445-42C4-9063-EE704CACCB22}" = VAIO Hardware Diagnostics
    "{AAD47011-8518-4608-9656-951DA35B587B}" = iTunes
    "{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio DigitalMedia Audio
    "{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.0
    "{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio DigitalMedia Copy
    "{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
    "{BB406CEB-6207-4512-9BB2-89950DC9D6B6}_is1" = ConvertXtoDVD 2.2.3.258h
    "{BE56FEF0-1A0F-4719-B3AD-34B5087AFA6D}" = Sony Video Shared Library
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C27BF761-C499-488D-A964-A3718BC6EC3E}" = DSD Direct
    "{C89EB8CD-675F-44F4-9729-4C9A8FAC2D4F}" = DSD Playback Plug-in 1.0
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
    "{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware 2007
    "{E809063C-51A3-4269-8984-D1EB742F2151}" = Click to DVD 2.5.30
    "{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
    "{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
    "{EF3D45BB-2260-4008-88EA-492E7744A9DF}" = Sony Utilities DLL
    "{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
    "{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
    "{F0D85ADD-DD61-4B43-87A0-6DA52A211A8B}" = VAIO Event Service
    "{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
    "{FC37C108-821D-4EDE-8F40-D5B497586805}" = VAIO Control Center
    "{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.6
    "avast5" = avast! Free Antivirus
    "CCleaner" = CCleaner
    "CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_20030003" = HDAUDIO SoftV92 Data Fax Modem with SmartCP
    "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
    "DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
    "DivX Setup" = DivX Setup
    "ExpatShield" = Expat Shield 2.25
    "Guitar Pro 5_is1" = Guitar Pro 5.2
    "HijackThis" = HijackThis 2.0.2
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3}" = OpenMG AAC Add-on Module 1.0.00
    "InstallShield_{3633BA28-67CE-4AC8-A677-3406CA84C3D8}" = OpenMG Secure Module 4.5.01
    "InstallShield_{668B1BD6-4593-4959-970E-249AFFE6F35C}" = VAIO Online Registration (English)
    "IrfanView" = IrfanView (remove only)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "MouseSuite98" = Sony USB Mouse
    "Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "NVIDIA Drivers" = NVIDIA Drivers
    "OpenMG HotFix4.5-06-05-10-01" = OpenMG Limited Patch 4.5-06-05-12-01
    "Opera 12.00.1467" = Opera 12.00
    "Opera Multimedia (ECDL 4.0 XP)" = Opera Multimedia (ECDL 4.0 XP)
    "Polipo" = Polipo 1.0.4.1
    "PowerISO" = PowerISO
    "PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
    "PRJPRO" = Microsoft Office Project Professional 2007
    "ProInst" = Intel(R) PROSet/Wireless Software
    "PROSet" = Intel(R) PRO Network Connections Drivers
    "RealPlayer 6.0" = RealPlayer
    "Revo Uninstaller" = Revo Uninstaller 1.75
    "Tor" = Tor 0.2.2.34
    "Vidalia" = Vidalia 0.2.15
    "Videora iPod Converter" = Videora iPod Converter 4.06
    "VLC media player" = VideoLAN VLC media player 0.8.6d
    "WGA" = Windows Genuine Advantage Validation Tool
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinHTTrack Website Copier_is1" = WinHTTrack Website Copier 3.43-9C
    "WinPatrol" = WinPatrol 2008
    "WinRAR archiver" = WinRAR archiver
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "uTorrent" = µTorrent

    ========== Last 20 Event Log Errors ==========

    [ Antivirus Events ]
    Error - 04/05/2009 10:43:09 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
    Description =

    Error - 04/05/2009 10:43:10 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
    Description =

    Error - 04/05/2009 10:43:11 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
    Description =

    Error - 04/05/2009 10:43:11 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
    Description =

    Error - 04/05/2009 10:43:12 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
    Description =

    Error - 04/05/2009 10:43:14 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
    Description =

    Error - 04/05/2009 10:43:14 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
    Description =

    Error - 04/05/2009 10:43:15 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
    Description =

    Error - 04/05/2009 10:43:16 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
    Description =

    Error - 21/11/2009 05:07:46 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
    Description =

    [ Application Events ]
    Error - 26/06/2012 16:02:16 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 474797

    Error - 26/06/2012 17:35:56 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: Continuously busy for more than a second

    Error - 26/06/2012 17:35:56 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 2109

    Error - 26/06/2012 17:35:56 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 2109

    Error - 26/06/2012 17:35:58 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: Continuously busy for more than a second

    Error - 26/06/2012 17:35:58 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 4062

    Error - 26/06/2012 17:35:58 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 4062

    Error - 03/07/2012 14:31:04 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
    Description = DNS Message from «ZERO ADDRESS»:0 to «ZERO ADDRESS»:0 length 0
    too short

    Error - 04/07/2012 14:41:37 | Computer Name = GROOVYCAT | Source = Application Hang | ID = 1002
    Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 04/07/2012 17:13:05 | Computer Name = GROOVYCAT | Source = Application Error | ID = 1000
    Description = Faulting application aswmbr.exe, version 0.9.9.1665, faulting module
    aswmbr.exe, version 0.9.9.1665, fault address 0x00005b96.

    [ System Events ]
    Error - 04/07/2012 16:01:38 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
    Description = DCOM got error "%1058" attempting to start the service ehSched with
    arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

    Error - 04/07/2012 16:31:37 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
    Description = DCOM got error "%1058" attempting to start the service ehSched with
    arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

    Error - 04/07/2012 16:44:40 | Computer Name = GROOVYCAT | Source = Service Control Manager | ID = 7000
    Description = The General Purpose USB Driver (adildr.sys) service failed to start
    due to the following error: %%2

    Error - 04/07/2012 16:44:40 | Computer Name = GROOVYCAT | Source = Service Control Manager | ID = 7000
    Description = The KService service failed to start due to the following error: %%3

    Error - 04/07/2012 16:44:49 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
    Description = DCOM got error "%1058" attempting to start the service ehSched with
    arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

    Error - 04/07/2012 16:45:49 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
    Description = DCOM got error "%1058" attempting to start the service ehSched with
    arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

    Error - 04/07/2012 16:46:49 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
    Description = DCOM got error "%1058" attempting to start the service ehSched with
    arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

    Error - 04/07/2012 16:47:49 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
    Description = DCOM got error "%1058" attempting to start the service ehSched with
    arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

    Error - 04/07/2012 16:48:49 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
    Description = DCOM got error "%1058" attempting to start the service ehSched with
    arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

    Error - 04/07/2012 17:18:49 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
    Description = DCOM got error "%1058" attempting to start the service ehSched with
    arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

    [ Translog Events ]
    Error - 22/12/2007 15:49:28 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
    Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
    (0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
    pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
    Document, Window Window)

    Error - 22/12/2007 15:49:48 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
    Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
    (0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
    pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
    Document, Window Window)

    Error - 22/12/2007 15:50:11 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
    Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
    (0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
    pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
    Document, Window Window)

    Error - 22/12/2007 15:50:34 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
    Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
    (0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
    pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
    Document, Window Window)

    Error - 25/12/2007 08:01:04 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
    Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
    (0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
    pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
    Document, Window Window)

    Error - 25/12/2007 08:01:16 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
    Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
    (0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
    pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
    Document, Window Window)

    Error - 27/12/2007 11:28:11 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
    Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
    (0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
    pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
    Document, Window Window)

    Error - 27/12/2007 12:00:03 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
    Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
    (0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
    pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
    Document, Window Window)

    Error - 30/12/2007 15:22:48 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
    Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
    (0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
    pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
    Document, Window Window)


    < End of report >
  11. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.
    NOTE. Make sure to reverse the above changes, when done with this step.
    Upload following files to http://www.virustotal.com/ for security check:
    - C:\Documents and Settings\James Ewing\Application Data\sony\myclubvaio\tools\PcName.exe
    If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  12. groovycat

    groovycat Newcomer, in training Topic Starter Posts: 18

    SHA256: 72f98e179b64a667a4ee621a29327e357802017f634e04871f931f69aa7f352a
    SHA1: 5df298dd43a7944d0604a0f701040aa6f14d0354
    MD5: b5542b0f06a84979c5e3faaff0529cae
    File size: 489.0 KB ( 500736 bytes )
    File name: C:\Documents and Settings\James Ewing\Application Data\sony\myclubvaio\tools\PcName.exe
    File type: Win32 EXE
    Detection ratio: 27 / 42
    Analysis date: 2012-07-05 15:55:27 UTC ( 0 minutes ago )
    Antivirus Result Update
    AhnLab-V3 Win32/Ramnit.Q 20120705
    AntiVir - 20120705
    Antiy-AVL - 20120705
    Avast Win32:Ramon 20120705
    AVG Win32/Cryptor 20120705
    BitDefender Win32.Ramnit.Y 20120705
    ByteHero Trojan.Win32.Heur.Gen 20120613
    CAT-QuickHeal - 20120705
    ClamAV - 20120705
    Commtouch W32/Ramnit.Q 20120705
    Comodo - 20120705
    DrWeb Win32.Rmnet.16 20120705
    Emsisoft Virus.Win32.Ramnit!IK 20120705
    eSafe - 20120704
    F-Prot W32/Ramnit.Q 20120705
    F-Secure Win32.Ramnit.Y 20120705
    Fortinet - 20120705
    GData Win32.Ramnit.Y 20120705
    Ikarus Virus.Win32.Ramnit 20120705
    Jiangmin Win32/PatchFile.jr 20120705
    K7AntiVirus Riskware 20120704
    Kaspersky Virus.Win32.Nimnul.e 20120705
    McAfee W32/Ramnit.I 20120705
    McAfee-GW-Edition W32/Ramnit.I 20120705
    Microsoft Virus:Win32/Ramnit.Z 20120705
    NOD32 a variant of Win32/Ramnit.T 20120705
    Norman W32/Nimnul.CY 20120705
    nProtect Win32.Ramnit.Y 20120705
    Panda - 20120705
    PCTools - 20120705
    Rising - 20120705
    Sophos W32/Ramnit-BD 20120705
    SUPERAntiSpyware - 20120705
    Symantec - 20120705
    TheHacker - 20120704
    TotalDefense Win32/Ramnit.D!Dropper 20120705
    TrendMicro PE_RAMNIT.EVL 20120705
    TrendMicro-HouseCall PE_RAMNIT.EVL 20120705
    VBA32 Virus.Nimnul.E 20120705
    VIPRE Virus.Win32.Nimnul.ea (v) 20120705
    ViRobot - 20120705
    VirusBuster - 20120704
  13. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    I'm afraid I have very bad news.

    You're infected with Ramnit file infector virus.

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
    With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

    Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

    In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

    Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
    Backdoors and What They Mean to You

    This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

    Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
  14. groovycat

    groovycat Newcomer, in training Topic Starter Posts: 18

    I feared as much when I saw the results! Many thanks for the information.

    If you don't mind, I have a couple of questions:
    1. Since the Ramnit virus infects .exe/.dll/.html files, can I safely copy documents/photos/music (or any files without those extensions) from my machine before formatting?
    2. If I do copy some files, is there a foolproof way of determining that the ramnit virus has not been transferred before copying them to a clean machine?
    3. Just out of interest, was the file 'C:\Documents and Settings\James Ewing\Application Data\sony\myclubvaio\tools\PcName.exe' a legitimate file that was corrupted, or a file installed by the virus?

    Many thanks for your help!
    James.
  15. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    PcName.exe seems to be a legit file but to say for sure you'd have to scan it (http://www.virustotal.com/).

    Now, you can save any file you want but...
    1. Make sure you won't connect the device you're saving your data to to any other healthy computer.
    2. After Windows reinstallation...
    Install Panda USB Vaccine, or BitDefender’s USB Immunizer on clean computer to protect it from any infected USB device.
    Then you'll be safe to connect your external device and scan it with your AV program.
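The advice above (set aside the file types Ramnit infects, scan everything else before trusting it) can be turned into a small triage pass over the rescued copy. The script below is an added example and not part of the thread or of any tool mentioned in it; the extension list, the "executable header behind a data extension" check and the sample files it builds are assumptions for the demo. It reports, per file, whether to quarantine it (an .exe/.dll/.html/.htm that Ramnit could have infected), treat it as suspicious (a file with a data extension whose content starts with a PE "MZ" header), or copy it, and prints a SHA-256 for each so the hash can be looked up on VirusTotal from a clean machine.

```python
"""Triage a copy of user files rescued from a Ramnit-infected machine.

Added example, not code from the original thread. It applies the thread's
rule of thumb: Ramnit infects .exe/.dll/.html files, so those are set
aside, and every other file is checked for an executable (PE "MZ") header
hiding behind a data extension and hashed for a VirusTotal hash lookup.
The extension list and the sample files are assumptions for the demo.
"""
import hashlib
import os
import tempfile

# File types the thread says Ramnit infects (assumption: .htm treated like .html).
INFECTABLE_EXT = {".exe", ".dll", ".html", ".htm"}
# DOS/PE executables start with "MZ"; a photo or document never should.
PE_MAGIC = b"MZ"


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large media files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path):
    """Return 'quarantine', 'suspicious' or 'copy' for one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in INFECTABLE_EXT:
        return "quarantine"            # type Ramnit infects: do not copy
    with open(path, "rb") as f:
        head = f.read(len(PE_MAGIC))
    if head == PE_MAGIC:
        return "suspicious"            # data extension, executable content
    return "copy"


def triage(root):
    """Walk a backup tree; return {verdict: [(relative_path, sha256), ...]}."""
    report = {"quarantine": [], "suspicious": [], "copy": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            report[classify(p)].append((rel, sha256_of(p)))
    for verdict in report:
        report[verdict].sort()
    return report


def build_sample():
    """Constructed sample backup (assumption) so the example runs offline."""
    root = tempfile.mkdtemp(prefix="ramnit_triage_")
    files = {
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF fake image bytes",
        "notes.txt": b"",                          # empty: known SHA-256
        "setup.exe": b"MZ\x90\x00 real installer",  # infectable type
        "holiday.jpg": b"MZ\x90\x00 not a jpeg",    # PE hiding as a photo
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for verdict, entries in triage(build_sample()).items():
        for rel, digest in entries:
            print(f"{verdict:10} {digest}  {rel}")
```

The hash is the useful output: search it on virustotal.com from the clean computer before the file itself is ever opened there. The "MZ" check is a coarse heuristic and is not a substitute for the AV scan the post calls for; a file that passes both checks is still only as trustworthy as that scan.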
  16. groovycat

    groovycat Newcomer, in training Topic Starter Posts: 18

    Thanks again, Broni.
    In the next couple of days I hope to complete the migration of files and the reinstall of an OS. I've been considering my options and, again, I have a few questions:
    1. I have a legitimate copy of XP, but don't have the disk, so was wondering if I can run the formatting and install from the Windows I386 folder?
    2. Can this specific folder be scanned to ensure 100% that there is no virus?
    3. Would it be better to copy the folder to a CD/USB and run the formatting/install from there or can it be done from the HD?
    4. I have the Windows product key on a sticker on my computer, but do I need any other information from my machine before performing the formatting/install?

    Many thanks,
    James.
  17. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    I suggest you ask those questions in Windows forum.
  18. groovycat

    groovycat Newcomer, in training Topic Starter Posts: 18

     
  19. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    You're very welcome

