[Not curable - Ramnit] Infected with vdpoxdbw.exe ninjafdd.exe

groovycat

Hi Techspot helpers,
I've just picked up a virus (an hour ago), which appears to be vdpoxdbw.exe and/or ninjafdd.exe (full exe name is ninjafddhkfcghbo.exe). I got it from zikro.net where I tried to watch a UK tv program.

I've followed the 5 step instructions with the following results:
1. Already have avast
2. Already had MB, but was unable to launch it after the infection. I downloaded the setup file and tried to install, but on the final step, the program wouldn't launch.
3. Unable to download from either mirror - I just get that IE is unable to open.
4. as 3, above
5. no logs to paste.

Other information:
a. Since the infection I can't run Opera browser which I was using at the time.
b. I ran an Avast scan on the C drive and found no virus even though I saw the vdpoxdbw.exe file appear in the files scanned
c. I ran a hijackthis scan and found the vdpoxdbw.exe entry, but was unable to fix it (scan copied below)
d. I have Winpatrol which alerts me every few minutes that vdpoxdbw.exe is trying to access the net.

Any help to remove this virus would be greatly appreciated.
Many thanks in advance.
James.

[HJT log removed by Broni]
 
Welcome aboard


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

============================================================

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  • NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Hi Broni, many thanks for your assistance. I followed your instructions and was able to download CF from the 3rd link provided. I tried to download RKill in case I needed it as per your instructions, but was unable to, with IE saying that it could not connect. I ran CF and was prompted to install recovery console, but was unable to as it said I was not connected to the web.

The CF log is copied below.
Thanks again,
James.

ComboFix 12-06-28.03 - James Ewing 04/07/2012 21:06:17.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1464 [GMT 2:00]
Running from: c:\documents and settings\James Ewing\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\James Ewing\0.701131749126591.exe
c:\documents and settings\James Ewing\Application Data\Adobe\plugs
c:\documents and settings\James Ewing\Application Data\inst.exe
c:\documents and settings\James Ewing\Local Settings\Application Data\cnnbbxan.log
c:\documents and settings\James Ewing\Local Settings\Application Data\jwthsurj.log
c:\documents and settings\James Ewing\Local Settings\Application Data\lpkeftvm.log
c:\documents and settings\James Ewing\Local Settings\Application Data\pedthdvk.log
c:\documents and settings\James Ewing\Local Settings\Application Data\wesgyfjs.log
c:\documents and settings\James Ewing\Local Settings\Application Data\xuatrcqs.log
c:\documents and settings\James Ewing\Local Settings\Application Data\yupjpjqj.log
c:\documents and settings\James Ewing\WINDOWS
c:\windows\EventSystem.log
c:\windows\setupapi.log
c:\windows\system32\SET61.tmp
c:\windows\system32\SET62.tmp
c:\windows\system32\SET98.tmp
c:\windows\system32\SET9D.tmp
c:\windows\system32\SETA4.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-06-04 to 2012-07-04 )))))))))))))))))))))))))))))))
.
.
2012-07-03 19:26 . 2012-07-03 19:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-07-03 18:15 . 2012-07-03 18:15 -------- d-----w- c:\documents and settings\James Ewing\Local Settings\Application Data\nwbyndug
2012-06-24 20:55 . 2012-06-24 20:56 -------- d-----w- C:\Expat Shield
2012-06-24 20:55 . 2012-01-05 00:31 613704 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll
2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor90.dll
2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor80.dll
2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor70.dll
2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor60.dll
2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor50.dll
2012-06-24 20:55 . 2012-06-24 20:56 -------- d-----w- c:\program files\Expat Shield
2012-06-24 07:20 . 2012-06-24 07:20 -------- d-----w- c:\documents and settings\James Ewing\Local Settings\Application Data\Opera
2012-06-24 07:20 . 2012-06-24 07:20 -------- d-----w- c:\program files\Opera
2012-06-13 16:31 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 13:22 . 2006-07-25 08:28 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2006-07-25 08:29 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2006-07-25 08:29 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2006-07-25 08:28 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2006-07-25 08:28 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2006-07-25 08:28 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2006-07-25 08:29 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2006-07-25 16:42 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2008-08-26 08:27 . 2008-10-20 20:55 253952 ----a-w- c:\program files\Uninstall My Search Bar.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}]
2012-01-04 23:02 233288 ----a-w- c:\program files\Expat Shield\HssIE\ExpatIE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-06-27 217088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 45056]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 333120]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-2-3 1753088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 13:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^James Ewing^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\James Ewing\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-03 21:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 14:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-05-08 05:17 81920 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-05-21 10:34 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
2006-02-14 11:11 176128 ----a-w- c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]
2005-12-27 12:58 69632 ----a-w- c:\program files\Sony\VAIO Camera Utility\VCUServe.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2011-10-12 15:06 5407850 ----a-w- c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McrdSvc"=2 (0x2)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Sony\\Click to DVD 2\\CtoDvd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [21/10/2008 23:20 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21/10/2008 23:20 17744]
R2 ExpatShieldService;Expat Shield Service;c:\program files\Expat Shield\bin\openvpnas.exe [17/01/2012 23:15 331608]
R2 ExpatSrv;Expat Shield Routing Service;c:\program files\Expat Shield\HssWPR\hsssrv.exe [05/01/2012 01:01 363336]
R2 ExpatWd;Expat Shield Monitoring Service;c:\program files\Expat Shield\bin\hsswd.exe -product Expat --> c:\program files\Expat Shield\bin\hsswd.exe -product Expat [?]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [03/07/2009 18:35 47360]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [25/07/2006 10:30 30080]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [25/07/2006 10:30 226304]
S3 ExpatTrayService;Expat Shield Tray Service;c:\program files\Expat Shield\bin\EXPATTrayService.exe [17/01/2012 23:22 77520]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [03/07/2012 21:26 40776]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [18/09/2008 20:57 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [18/09/2008 20:57 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\drivers\stppp.sys [18/09/2008 20:57 35328]
S4 Mdnarette3np;Mdnarette3np; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\James Ewing\Application Data\Mozilla\Firefox\Profiles\gorv87un.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8118
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-4oD - c:\program files\Kontiki\KHost.exe
MSConfigStartUp-Acrobat Assistant 7 - c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
MSConfigStartUp-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
MSConfigStartUp-ctfmon - c:\docume~1\ALLUSE~1\APPLIC~1\andaimesofil.dat
MSConfigStartUp-kdx - c:\program files\Kontiki\KHost.exe
MSConfigStartUp-Norton Ghost 10 - c:\program files\Norton Ghost\Agent\GhostTray.exe
MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-04 21:13
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\James Ewing\Start Menu\Programs\Startup\vdpoxdbw.exe 93312 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2012-07-04 21:16:51
ComboFix-quarantined-files.txt 2012-07-04 19:16
ComboFix2.txt 2008-01-02 22:49
.
Pre-Run: 44,786,302,976 bytes free
Post-Run: 50,139,070,464 bytes free
.
- - End Of File - - B2520932ED3B202DECE628B42B82E6D5
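The log above packs the whole diagnosis into a handful of lines: gibberish eight-letter names under the user profile (cnnbbxan.log, nwbyndug, vdpoxdbw.exe), executables dropped straight into the profile root and the user's Startup folder, an orphaned MSConfig entry called ctfmon that pointed at a .dat file, a service (Mdnarette3np) with no image file, and catchme reporting a modified ZwQueryDirectoryFile in ntdll alongside one hidden file. The Python below is an added example, not part of this thread and not ComboFix code: it runs those five checks over a constructed excerpt laid out the way ComboFix prints its sections (lines modelled on the posted log, mixed with benign entries). The rule names, the consonant-run gibberish test, the directory allowlist and the short list of impersonated Windows binaries are the example's own assumptions.

```python
"""Triage heuristics for a ComboFix log (added example, not ComboFix code).

Five checks an analyst applies by eye to a log like the one above:
  random-name       gibberish file/directory names in user-writable paths
  profile-exe       executables dropped in the profile root, in Application
                    Data, or directly in a Startup folder under the Start Menu
  masquerade        autostart entry named after a Windows binary but pointing
                    somewhere else or at a non-.exe
  service-no-image  a service whose image file is gone ("[x]")
  ntdll-hook /      catchme reporting a patched ntdll export, and a
  hidden-files      non-zero hidden-file count
"""
import re

# Constructed excerpt in ComboFix's layout, modelled on the posted log and
# mixing benign lines with the suspicious ones. Not a real log.
SAMPLE_LOG = r"""
c:\documents and settings\James Ewing\0.701131749126591.exe
c:\documents and settings\James Ewing\Application Data\inst.exe
c:\documents and settings\James Ewing\Local Settings\Application Data\cnnbbxan.log
c:\windows\system32\SET61.tmp
2012-07-03 19:26 . 2012-07-03 19:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-07-03 18:15 . 2012-07-03 18:15 -------- d-----w- c:\documents and settings\James Ewing\Local Settings\Application Data\nwbyndug
2012-06-24 07:20 . 2012-06-24 07:20 -------- d-----w- c:\program files\Opera
2012-06-13 16:31 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 333120]
path=c:\documents and settings\James Ewing\Start Menu\Programs\Startup\MagicDisc.lnk
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [21/10/2008 23:20 165584]
S4 Mdnarette3np;Mdnarette3np; [x]
MSConfigStartUp-ctfmon - c:\docume~1\ALLUSE~1\APPLIC~1\andaimesofil.dat
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
detected NTDLL code modification:
ZwQueryDirectoryFile
c:\documents and settings\James Ewing\Start Menu\Programs\Startup\vdpoxdbw.exe 93312 bytes executable
hidden files: 1
"""

# A path ending in one of the extensions ComboFix commonly lists.
PATH_RE = re.compile(r"(?i)([a-z]:\\.*?\.(?:exe|dll|sys|dat|log|tmp|scr|com|cpl|lnk))\b")
# Names worth impersonating (assumed list; extend as needed).
SYSTEM_NAMES = {"ctfmon", "svchost", "explorer", "csrss", "lsass", "winlogon"}
# The gibberish test is skipped here: system dirs hold odd legitimate names.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
USER_EXE_PARENTS = ("\\start menu\\programs\\startup", "\\application data")


def looks_random(stem: str) -> bool:
    """6-12 lowercase letters containing a run of 4+ consonants (vdpoxdbw,
    cnnbbxan, nwbyndug), or a long purely numeric stem (0.701131749126591)."""
    if re.fullmatch(r"[\d.]{8,}", stem):
        return True
    if not re.fullmatch(r"[a-z]{6,12}", stem):
        return False
    return re.search(r"[^aeiou]{4}", stem) is not None


def extract_paths(line: str) -> list:
    """Pull file paths out of a log line; directory entries carry no
    extension, so take them from the 'd-----w-' attribute column."""
    paths = [m.group(1) for m in PATH_RE.finditer(line)]
    if " d-----w- " in line:
        paths.append(line.split(" d-----w- ", 1)[1].strip())
    return paths


def triage(log_text: str) -> list:
    """Return (rule, detail) findings for every suspicious line."""
    findings = []
    pending_hook = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for path in extract_paths(line):
            low = path.lower()
            parent, _, name = low.rpartition("\\")
            stem, dot, ext = name.rpartition(".")
            if not dot:                      # directory: no extension
                stem, ext = ext, ""
            if looks_random(stem) and not low.startswith(SYSTEM_DIRS):
                findings.append(("random-name", path))
            if ext == "exe" and (parent.endswith(USER_EXE_PARENTS)
                                 or re.fullmatch(r"c:\\documents and settings\\[^\\]+", parent)):
                findings.append(("profile-exe", path))
        # Autostart entries: "Name"="target" (Run keys) or orphaned MSConfig lines.
        m = (re.match(r"MSConfigStartUp-(\S+) - (.+)", line)
             or re.match(r'"([^"]+)"="([^"]+)"', line))
        if m and m.group(1).lower() in SYSTEM_NAMES:
            target = m.group(2).lower()
            if not target.endswith(".exe") or "\\system32\\" not in target:
                findings.append(("masquerade", line))
        # Service/driver line whose image file is missing.
        if re.match(r"[RS]\d\s+[^;]+;[^;]*;\s*\[x\]", line):
            findings.append(("service-no-image", line))
        # catchme: the line after the header names the patched export.
        if pending_hook:
            findings.append(("ntdll-hook", line))
            pending_hook = False
        if line.startswith("detected NTDLL code modification"):
            pending_hook = True
        m = re.match(r"hidden files:\s*(\d+)", line)
        if m and int(m.group(1)) > 0:
            findings.append(("hidden-files", line))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:17} {detail}")
```

Run it as a script to print the findings for the excerpt. Two design choices matter: the gibberish test is only applied outside c:\windows and c:\program files, because system directories are full of legitimately odd names (jsdbgui.dll in dllcache is one from this very log), and the hook finding carries the function name because a patched ZwQueryDirectoryFile is the classic way a user-mode rootkit filters directory listings, which lines up with catchme counting one hidden file in the Startup folder.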
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\documents and settings\James Ewing\Start Menu\Programs\Startup\vdpoxdbw.exe

Driver::
Mdnarette3np

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif, dragging CFScript.txt onto ComboFix.exe]



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
ComboFix 12-06-28.03 - James Ewing 04/07/2012 21:49:37.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1393 [GMT 2:00]
Running from: c:\documents and settings\James Ewing\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\James Ewing\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
FILE ::
"c:\documents and settings\James Ewing\Start Menu\Programs\Startup\vdpoxdbw.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\James Ewing\Start Menu\Programs\Startup\vdpoxdbw.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Mdnarette3np
.
.
((((((((((((((((((((((((( Files Created from 2012-06-04 to 2012-07-04 )))))))))))))))))))))))))))))))
.
.
2012-07-03 19:26 . 2012-07-03 19:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-07-03 18:15 . 2012-07-03 18:15 -------- d-----w- c:\documents and settings\James Ewing\Local Settings\Application Data\nwbyndug
2012-06-24 20:55 . 2012-06-24 20:56 -------- d-----w- C:\Expat Shield
2012-06-24 20:55 . 2012-01-05 00:31 613704 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll
2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor90.dll
2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor80.dll
2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor70.dll
2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor60.dll
2012-06-24 20:55 . 2012-01-05 00:31 597832 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor50.dll
2012-06-24 20:55 . 2012-06-24 20:56 -------- d-----w- c:\program files\Expat Shield
2012-06-24 07:20 . 2012-06-24 07:20 -------- d-----w- c:\documents and settings\James Ewing\Local Settings\Application Data\Opera
2012-06-24 07:20 . 2012-06-24 07:20 -------- d-----w- c:\program files\Opera
2012-06-13 16:31 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 13:22 . 2006-07-25 08:28 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2006-07-25 08:29 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2006-07-25 08:29 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2006-07-25 08:28 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2006-07-25 08:28 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2006-07-25 08:28 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2006-07-25 08:29 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2006-07-25 16:42 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2008-08-26 08:27 . 2008-10-20 20:55 253952 ----a-w- c:\program files\Uninstall My Search Bar.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-04_19.13.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-04 19:56 . 2012-07-04 19:56 16384 c:\windows\Temp\Perflib_Perfdata_16c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}]
2012-01-04 23:02 233288 ----a-w- c:\program files\Expat Shield\HssIE\ExpatIE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-06-27 217088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 45056]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 333120]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-2-3 1753088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 13:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^James Ewing^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\James Ewing\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-03 21:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 14:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-05-08 05:17 81920 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-05-21 10:34 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
2006-02-14 11:11 176128 ----a-w- c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]
2005-12-27 12:58 69632 ----a-w- c:\program files\Sony\VAIO Camera Utility\VCUServe.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2011-10-12 15:06 5407850 ----a-w- c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McrdSvc"=2 (0x2)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Sony\\Click to DVD 2\\CtoDvd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [21/10/2008 23:20 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21/10/2008 23:20 17744]
R2 ExpatShieldService;Expat Shield Service;c:\program files\Expat Shield\bin\openvpnas.exe [17/01/2012 23:15 331608]
R2 ExpatSrv;Expat Shield Routing Service;c:\program files\Expat Shield\HssWPR\hsssrv.exe [05/01/2012 01:01 363336]
R2 ExpatWd;Expat Shield Monitoring Service;c:\program files\Expat Shield\bin\hsswd.exe -product Expat --> c:\program files\Expat Shield\bin\hsswd.exe -product Expat [?]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [03/07/2009 18:35 47360]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [25/07/2006 10:30 30080]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [25/07/2006 10:30 226304]
S3 ExpatTrayService;Expat Shield Tray Service;c:\program files\Expat Shield\bin\EXPATTrayService.exe [17/01/2012 23:22 77520]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [03/07/2012 21:26 40776]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [18/09/2008 20:57 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [18/09/2008 20:57 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\drivers\stppp.sys [18/09/2008 20:57 35328]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\James Ewing\Application Data\Mozilla\Firefox\Profiles\gorv87un.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8118
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-04 21:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1356)
c:\windows\system32\VESWinlogon.dll
.
- - - - - - - > 'explorer.exe'(2208)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Expat Shield\bin\hsswd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ICO.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
.
**************************************************************************
.
Completion time: 2012-07-04 22:03:19 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-04 20:03
ComboFix2.txt 2012-07-04 19:16
ComboFix3.txt 2008-01-02 22:49
.
Pre-Run: 50,132,054,016 bytes free
Post-Run: 50,058,469,376 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 5ACFE161FBEED16F77DCD7E1AF2F420B
 
Looks good :)

Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
NOTE. If you already have MBAM installed, update it before running the scan.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
 
Successfully ran MB this time :). No malicious items detected, however during the MB scan, Avast alerted me to a virus having been blocked with the following details:

Object: C:\DOCUMENTS AND SETTINGS\ALL USER...\RUNASUSERPROCESS.DLL
Infection: Win32:Ramon
Process: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

MB log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.07.04.06
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
James Ewing :: GROOVYCAT [administrator]
04/07/2012 22:33:04
mbam-log-2012-07-04 (22-33-04).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 220184
Time elapsed: 6 minute(s), 52 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
 
Very well :)

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

================================================

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
First time I ran MBR it crashed after about 10 minutes. Second time, it completed, but there were about 15 or so lines of red text.

MBR log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-04 23:13:20
-----------------------------
23:13:20.750 OS Version: Windows 5.1.2600 Service Pack 3
23:13:20.750 Number of processors: 2 586 0xF06
23:13:20.750 ComputerName: GROOVYCAT UserName:
23:13:21.390 Initialize success
23:13:21.468 AVAST engine defs: 12070400
23:13:23.890 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
23:13:23.890 Disk 0 Vendor: FUJITSU_MHV2200BT 0000004F Size: 190782MB BusType: 3
23:13:23.890 Disk 1 \Device\Harddisk1\DR4 -> \Device\000000a0
23:13:23.890 Disk 1 Vendor: ( Size: 190782MB BusType: 0
23:13:23.937 Disk 0 MBR read successfully
23:13:23.953 Disk 0 MBR scan
23:13:23.953 Disk 0 Windows XP default MBR code
23:13:23.953 Disk 0 Partition 1 00 12 Compaq diag NTFS 8110 MB offset 63
23:13:23.968 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 95370 MB offset 16611210
23:13:23.984 Disk 0 Partition - 00 0F Extended LBA 87298 MB offset 211929480
23:13:24.015 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 87298 MB offset 211929543
23:13:24.031 Disk 0 scanning sectors +390716865
23:13:24.125 Disk 0 scanning C:\WINDOWS\system32\drivers
23:13:43.187 Service scanning
23:14:03.234 Modules scanning
23:14:19.765 Disk 0 trace - called modules:
23:14:19.796 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
23:14:19.812 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a837ab8]
23:14:19.812 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000008f[0x8a83e9e8]
23:14:19.828 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8a83d940]
23:14:20.421 AVAST engine scan C:\WINDOWS
23:14:41.984 AVAST engine scan C:\WINDOWS\system32
23:18:23.484 AVAST engine scan C:\WINDOWS\system32\drivers
23:18:52.328 AVAST engine scan C:\Documents and Settings\James Ewing
23:21:42.343 File: C:\Documents and Settings\James Ewing\Application Data\sony\myclubvaio\tools\PcName.exe **INFECTED** Win32:Ramon
23:21:47.750 File: C:\Documents and Settings\James Ewing\Application Data\Sun\Java\jre1.6.0_11\lzma.dll **INFECTED** Win32:Ramon
23:21:48.140 File: C:\Documents and Settings\James Ewing\Application Data\Sun\Java\jre1.6.0_13\lzma.dll **INFECTED** Win32:Ramon
23:21:48.390 File: C:\Documents and Settings\James Ewing\Application Data\Sun\Java\jre1.6.0_14\lzma.dll **INFECTED** Win32:Ramon
23:24:43.390 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\ACROBAT 4.0\Reader\Acrofx32.dll **INFECTED** Win32:Ramon
23:24:45.359 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\ACROBAT 4.0\Reader\AcroRd32.exe **INFECTED** Win32:Ramon
23:24:45.984 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\ACROBAT 4.0\Reader\Agm.dll **INFECTED** Win32:Ramon
23:24:46.609 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\ACROBAT 4.0\Reader\Cooltype.dll **INFECTED** Win32:Ramon
23:24:47.250 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\ACROBAT 4.0\Reader\plug_ins\Movie\QT2.dll **INFECTED** Win32:Ramon
23:24:47.390 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\ACROBAT 4.0\Reader\plug_ins\Movie\QT3.dll **INFECTED** Win32:Ramon
23:24:50.828 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\LAUNCH-PAD\LPad-104-98.exe **INFECTED** Win32:Ramon
23:24:52.843 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\LAUNCH-PAD-EVAL\LP-Evaluation.exe **INFECTED** Win32:Ramon
23:24:54.093 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\MINITEST\MiniTest2.exe **INFECTED** Win32:Ramon
23:24:55.359 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\MODULE1\Mod1.exe **INFECTED** Win32:Ramon
23:24:55.921 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\PR2TEST\VisaTestv2.exe **INFECTED** Win32:Ramon
23:24:56.656 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\PROG4\Model Answer.exe **INFECTED** Win32:Ramon
23:24:57.453 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\PROG5\Questions.exe **INFECTED** Win32:Ramon
23:24:57.828 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\Reader\Acrofx32.dll **INFECTED** Win32:Ramon
23:24:59.812 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\Reader\AcroRd32.exe **INFECTED** Win32:Ramon
23:25:00.406 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\Reader\Agm.dll **INFECTED** Win32:Ramon
23:25:01.000 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\Reader\Cooltype.dll **INFECTED** Win32:Ramon
23:25:01.734 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\Reader\plug_ins\Movie\QT2.dll **INFECTED** Win32:Ramon
23:25:01.921 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\Reader\plug_ins\Movie\QT3.dll **INFECTED** Win32:Ramon
23:25:02.687 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\VISAGOLD2\VisaGold2.exe **INFECTED** Win32:Ramon
23:25:03.890 File: C:\Documents and Settings\James Ewing\My Documents\Downloads\Prince 2 Project methods\Prince 2 Project methods\Prince2\VISASURE\VisaSure.exe **INFECTED** Win32:Ramon
23:26:23.921 AVAST engine scan C:\Documents and Settings\All Users
23:26:35.203 File: C:\Documents and Settings\All Users\Application Data\DivX\Setup\RunAsUser\RUNASUSERPROCESS.dll **INFECTED** Win32:Ramon
23:28:26.328 Scan finished successfully
23:28:56.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\James Ewing\Desktop\MBR.dat"
23:28:56.171 The log file has been saved successfully to "C:\Documents and Settings\James Ewing\Desktop\aswMBR.txt"


-------------------------------------------


OTL.txt

OTL logfile created on: 04/07/2012 23:30:34 - Run 1
OTL by OldTimer - Version 3.2.53.1 Folder = C:\Documents and Settings\James Ewing\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.45 Gb Available Physical Memory | 72.75% Memory free
3.85 Gb Paging File | 3.53 Gb Available in Paging File | 91.76% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.14 Gb Total Space | 46.62 Gb Free Space | 50.05% Space Free | Partition Type: NTFS
Drive D: | 85.25 Gb Total Space | 56.08 Gb Free Space | 65.78% Space Free | Partition Type: NTFS
Drive F: | 393.41 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: GROOVYCAT | User Name: James Ewing | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/04 23:01:57 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James Ewing\Desktop\OTL.exe
PRC - [2012/01/17 23:15:44 | 000,331,608 | ---- | M] () -- C:\Program Files\Expat Shield\bin\openvpnas.exe
PRC - [2012/01/05 01:02:02 | 000,329,544 | ---- | M] () -- C:\Program Files\Expat Shield\bin\hsswd.exe
PRC - [2012/01/05 01:01:58 | 000,363,336 | ---- | M] (AnchorFree Inc.) -- C:\Program Files\Expat Shield\HssWPR\hsssrv.exe
PRC - [2010/09/07 18:12:02 | 002,838,912 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/09/07 18:11:59 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2008/07/04 18:58:06 | 000,333,120 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2008/04/14 02:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/04/13 14:36:36 | 000,176,128 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
PRC - [2006/03/07 19:46:06 | 000,290,816 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
PRC - [2006/02/03 00:19:10 | 001,753,088 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
PRC - [2006/01/27 20:17:50 | 000,221,184 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
PRC - [2006/01/23 23:47:32 | 000,073,728 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
PRC - [2004/11/17 13:47:16 | 000,118,784 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2004/08/19 02:40:08 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2004/02/20 15:12:34 | 000,032,768 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\ISB Utility\ISBMgr.exe
PRC - [2002/03/14 17:46:58 | 000,045,056 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe


========== Modules (No Company Name) ==========

MOD - [2012/07/04 12:33:59 | 001,781,248 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\defs\12070400\algo.dll
MOD - [2012/01/17 23:15:44 | 000,331,608 | ---- | M] () -- C:\Program Files\Expat Shield\bin\openvpnas.exe
MOD - [2012/01/05 01:02:02 | 000,329,544 | ---- | M] () -- C:\Program Files\Expat Shield\bin\hsswd.exe
MOD - [2011/03/01 00:37:32 | 000,180,624 | ---- | M] () -- C:\WINDOWS\system32\Primomonnt.dll
MOD - [2010/09/07 18:13:40 | 000,142,872 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\aswDld.dll
MOD - [2009/03/30 04:34:30 | 000,280,143 | ---- | M] () -- C:\Program Files\Expat Shield\bin\libidn-11.dll
MOD - [2009/03/27 22:02:24 | 000,332,254 | ---- | M] () -- C:\Program Files\Expat Shield\bin\libssl32.dll
MOD - [2009/03/27 22:02:22 | 001,554,920 | ---- | M] () -- C:\Program Files\Expat Shield\bin\libeay32.dll
MOD - [2007/09/20 20:34:58 | 000,129,024 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2005/11/28 12:59:16 | 000,876,544 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\Libeay32.dll
MOD - [2005/11/28 12:59:16 | 000,208,965 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\iWMSProv.dll
MOD - [2005/11/28 12:59:16 | 000,053,322 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\IntStngs.dll
MOD - [2005/07/22 23:30:20 | 000,065,536 | ---- | M] () -- C:\WINDOWS\system32\TosCommAPI.dll
MOD - [2005/05/20 18:42:20 | 000,010,752 | ---- | M] () -- C:\Program Files\Sony\VAIO Event Service\VESBasePS.dll
MOD - [2004/07/20 19:04:02 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\TosBtHcrpAPI.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
SRV - File not found [Auto | Stopped] -- -- (KService)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
SRV - [2012/01/17 23:22:02 | 000,077,520 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Expat Shield\bin\EXPATTrayService.exe -- (ExpatTrayService)
SRV - [2012/01/17 23:15:44 | 000,331,608 | ---- | M] () [Auto | Running] -- C:\Program Files\Expat Shield\bin\openvpnas.exe -- (ExpatShieldService)
SRV - [2012/01/05 01:02:02 | 000,329,544 | ---- | M] () [Auto | Running] -- C:\Program Files\Expat Shield\bin\hsswd.exe -- (ExpatWd)
SRV - [2012/01/05 01:01:58 | 000,363,336 | ---- | M] (AnchorFree Inc.) [Auto | Running] -- C:\Program Files\Expat Shield\HssWPR\hsssrv.exe -- (ExpatSrv)
SRV - [2010/09/07 18:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/09/07 18:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/09/07 18:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2007/10/29 15:27:04 | 000,587,096 | ---- | M] (Lavasoft AB) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2006/04/27 19:35:16 | 000,053,337 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2006/04/27 19:27:06 | 000,049,241 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2006/04/27 19:16:28 | 000,069,718 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2006/04/13 14:36:36 | 000,176,128 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
SRV - [2005/01/04 12:09:36 | 000,398,336 | ---- | M] (Sony Corporation) [Auto | Stopped] -- C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_svc.exe -- (VCI)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (RimUsb)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (mcdbus)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\JAMESE~1\LOCALS~1\Temp\aswMBR.sys -- (aswMBR)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (adiusbaw)
DRV - File not found [Kernel | Auto | Stopped] -- -- (ADILOADER) General Purpose USB Driver (adildr.sys)
DRV - [2012/01/05 01:01:56 | 000,037,376 | ---- | M] (AnchorFree Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HssDrv.sys -- (HssDrv)
DRV - [2012/01/05 01:01:54 | 000,032,768 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\taphss.sys -- (taphss)
DRV - [2010/09/07 17:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/09/07 17:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/09/07 17:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/09/07 17:47:19 | 000,100,176 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/09/07 17:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/09/07 17:46:51 | 000,028,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/03/15 12:25:46 | 000,056,268 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2008/09/18 20:57:34 | 000,035,328 | ---- | M] (THOMSON Telecom Belgium) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\stppp.sys -- (stppp)
DRV - [2008/09/18 20:57:34 | 000,030,464 | ---- | M] (THOMSON Telecom Belgium) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\st330.sys -- (ST330)
DRV - [2008/09/18 20:57:34 | 000,012,672 | ---- | M] (THOMSON Telecom Belgium) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\stbus.sys -- (STBUS)
DRV - [2008/01/18 11:00:00 | 000,385,072 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2006/05/26 00:59:12 | 001,177,032 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/03/06 11:39:00 | 000,030,080 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyImgF.sys -- (SonyImgF)
DRV - [2006/02/21 11:32:32 | 000,226,304 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ti21sony.sys -- (ti21sony)
DRV - [2006/02/08 19:33:34 | 000,062,848 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfhid.sys -- (Tosrfhid)
DRV - [2006/02/03 01:16:08 | 000,108,928 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbd.sys -- (Tosrfbd)
DRV - [2006/01/31 20:35:28 | 000,039,808 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2005/12/29 11:42:00 | 000,234,496 | ---- | M] (Vimicro Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbvm321.sys -- (usbvm321)
DRV - [2005/12/14 19:07:24 | 000,037,632 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (Tosrfbnp)
DRV - [2005/12/05 01:55:30 | 001,428,096 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel(R)
DRV - [2005/11/28 13:09:26 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2005/11/24 15:37:36 | 000,047,104 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte)
DRV - [2005/11/11 17:09:52 | 000,052,864 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfsnd.sys -- (TosRfSnd) Bluetooth Audio Device (WDM)
DRV - [2005/10/18 09:53:24 | 000,998,656 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/10/18 09:52:34 | 000,202,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/10/18 09:52:30 | 000,721,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/09/21 02:04:56 | 000,067,456 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SI3132.sys -- (SI3132)
DRV - [2005/09/20 08:18:20 | 000,005,248 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SiRemFil.sys -- (SiRemFil)
DRV - [2005/08/01 18:45:08 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2005/07/11 20:58:56 | 000,003,712 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\toshidpt.sys -- (toshidpt)
DRV - [2005/01/06 15:42:42 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
DRV - [2004/11/22 06:31:10 | 000,108,767 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2004/11/01 05:21:32 | 000,010,368 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SiWinAcc.sys -- (SiFilter)
DRV - [2000/12/05 17:18:02 | 000,003,952 | ---- | M] (Sony Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)
DRV - [2000/11/09 12:15:08 | 000,048,896 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyNC.sys -- (SNC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.club-vaio.com/en/

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.club-vaio.com/en/

IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.techspot.com/community/topics/infected-with-vdpoxdbw-exe-ninjafdd-exe.182499/
IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\..\SearchScopes,DefaultScope = {BD289AEE-1E05-4A50-AF0C-537A2AAFEFFD}
IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\..\SearchScopes\{BD289AEE-1E05-4A50-AF0C-537A2AAFEFFD}: "URL" = http://www.google.com/search?q={sea...&oe={outputEncoding}&sourceid=ie7&rlz=1I7SNYK
IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-556486716-130466698-4027895535-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca}:1.4.4.1
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.2.145
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 8118
FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1"
FF - prefs.js..network.proxy.socks: "127.0.0.1"
FF - prefs.js..network.proxy.socks_port: 9050
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - prefs.js..network.proxy.ssl: "127.0.0.1"
FF - prefs.js..network.proxy.ssl_port: 8118
FF - prefs.js..network.proxy.type: 1


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.3088: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.3146: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.11.3006: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/02/23 22:46:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012/05/06 21:18:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/01 18:21:40 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/12 14:37:09 | 000,000,000 | ---D | M]

[2009/04/05 16:19:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\James Ewing\Application Data\Mozilla\Extensions
[2012/06/24 15:48:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\James Ewing\Application Data\Mozilla\Firefox\Profiles\gorv87un.default\extensions
[2010/04/28 19:02:14 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\James Ewing\Application Data\Mozilla\Firefox\Profiles\gorv87un.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/12/09 20:44:45 | 000,000,000 | ---D | M] (Torbutton) -- C:\Documents and Settings\James Ewing\Application Data\Mozilla\Firefox\Profiles\gorv87un.default\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
[2010/05/19 15:23:27 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\James Ewing\Application Data\Mozilla\Firefox\Profiles\gorv87un.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2012/06/24 22:55:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/06/24 22:55:24 | 000,000,000 | ---D | M] (Expat Shield Helper (Please allow this installation)) -- C:\Program Files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
[2012/05/06 21:18:04 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 <video>) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\DIVXHTML5
[2009/01/13 20:20:52 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2008/01/04 17:36:50 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2008/01/04 17:36:50 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2008/09/22 21:14:04 | 000,000,759 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2008/01/04 17:36:50 | 000,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2012/07/04 21:57:07 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (Expat Shield Class) - {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files\Expat Shield\HssIE\ExpatIE.dll (AnchorFree Inc.)
O3 - HKU\S-1-5-21-556486716-130466698-4027895535-1006\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-556486716-130466698-4027895535-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-556486716-130466698-4027895535-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Domains: sony-europe.com ([] in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: sony-europe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sonystyle-europe.com ([] in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: sonystyle-europe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: vaio-link.com ([] in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: vaio-link.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony-europe.com ([] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: sony-europe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sonystyle-europe.com ([] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: sonystyle-europe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: vaio-link.com ([] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: vaio-link.com ([]* in Trusted sites)
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/fhg.CAB (Reg Error: Key error.)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://go.divx.com/plugin/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194716112250 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{324C06D2-5BF0-40FE-8FC3-90CAB2BAB7E8}: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\VESWinlogon: DllName - (VESWinlogon.dll) - C:\WINDOWS\System32\VESWinlogon.dll (Sony Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\James Ewing\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\James Ewing\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/25 18:47:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/04 23:01:45 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\James Ewing\Desktop\OTL.exe
[2012/07/04 23:01:23 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\James Ewing\Desktop\aswMBR.exe
[2012/07/04 22:30:00 | 010,063,000 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\James Ewing\Desktop\mbam-setup-1.61.0.1400.exe
[2012/07/04 22:29:13 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/07/04 21:48:24 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/07/04 20:52:28 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/07/04 20:52:28 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/07/04 20:52:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/07/04 20:52:28 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/07/04 20:52:10 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/07/04 20:46:30 | 004,566,110 | R--- | C] (Swearware) -- C:\Documents and Settings\James Ewing\Desktop\ComboFix.exe
[2012/07/03 20:15:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James Ewing\Local Settings\Application Data\nwbyndug
[2012/06/24 22:55:56 | 000,000,000 | ---D | C] -- C:\Expat Shield
[2012/06/24 22:55:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Expat Shield
[2012/06/24 22:55:24 | 000,000,000 | ---D | C] -- C:\Program Files\Expat Shield
[2012/06/24 09:20:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James Ewing\Local Settings\Application Data\Opera
[2012/06/24 09:20:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James Ewing\Application Data\Opera
[2012/06/24 09:20:24 | 000,000,000 | ---D | C] -- C:\Program Files\Opera
[2009/07/03 18:35:12 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\James Ewing\Application Data\pcouffin.sys
[2008/10/20 22:55:14 | 000,253,952 | ---- | C] (My Search) -- C:\Program Files\Uninstall My Search Bar.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/04 23:28:56 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\James Ewing\Desktop\MBR.dat
[2012/07/04 23:01:57 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James Ewing\Desktop\OTL.exe
[2012/07/04 23:01:23 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\James Ewing\Desktop\aswMBR.exe
[2012/07/04 22:44:45 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/04 22:44:24 | 000,050,868 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2012/07/04 22:44:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/04 22:44:01 | 2145,570,816 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/04 22:30:00 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\James Ewing\Desktop\mbam-setup-1.61.0.1400.exe
[2012/07/04 21:57:07 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/07/04 21:48:30 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2012/07/04 20:46:30 | 004,566,110 | R--- | M] (Swearware) -- C:\Documents and Settings\James Ewing\Desktop\ComboFix.exe
[2012/06/26 18:16:53 | 000,000,209 | ---- | M] () -- C:\Boot.bak
[2012/06/24 09:20:32 | 000,001,514 | ---- | M] () -- C:\Documents and Settings\James Ewing\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk
[2012/06/14 18:43:48 | 000,303,656 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/06/13 23:45:05 | 000,462,640 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/13 23:45:05 | 000,080,234 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/06/13 23:38:51 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/04 23:28:56 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\James Ewing\Desktop\MBR.dat
[2012/07/04 21:48:30 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2012/07/04 21:48:26 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/07/04 20:52:28 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/07/04 20:52:28 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/07/04 20:52:28 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/07/04 20:52:28 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/07/04 20:52:28 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/06/24 09:20:32 | 000,001,514 | ---- | C] () -- C:\Documents and Settings\James Ewing\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk
[2012/06/24 09:20:32 | 000,001,502 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Opera.lnk
[2012/02/14 20:27:53 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/12/14 23:50:43 | 000,180,624 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2011/11/04 21:20:52 | 076,004,920 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\lifosemiadna.dat
[2011/02/10 06:03:48 | 000,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2009/07/03 18:35:12 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\James Ewing\Application Data\pcouffin.cat
[2009/07/03 18:35:12 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\James Ewing\Application Data\pcouffin.inf
[2009/05/25 18:07:04 | 000,000,256 | ---- | C] () -- C:\Documents and Settings\James Ewing\pool.bin
[2008/04/29 21:52:38 | 000,000,167 | ---- | C] () -- C:\Documents and Settings\James Ewing\udownload.dat
[2007/12/06 22:49:20 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\James Ewing\Local Settings\Application Data\fusioncache.dat
[2007/11/09 21:08:50 | 000,121,856 | ---- | C] () -- C:\Documents and Settings\James Ewing\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== LOP Check ==========

[2010/11/19 19:31:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/11/11 20:17:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund
[2008/03/14 21:02:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Channel4
[2007/11/11 00:47:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2008/08/26 10:27:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreeRIP
[2008/10/21 23:27:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kontiki
[2007/11/25 18:22:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Translution Limited
[2009/07/03 19:24:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2011/02/21 22:43:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/12/01 21:37:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2007/11/28 23:38:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\.ABC
[2011/02/27 14:37:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\AE69276CA26488C5D9F978A96C0EF48E
[2009/11/11 20:17:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Broderbund
[2012/05/06 21:19:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\DDMSettings
[2007/11/09 20:07:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\InterVideo
[2007/11/11 00:32:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Leadertech
[2009/10/19 22:06:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\MSNInstaller
[2011/12/13 21:18:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Obzy
[2012/06/24 09:20:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Opera
[2009/02/19 01:18:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Red Kawa
[2007/11/09 21:10:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\sony
[2008/02/21 00:10:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Translution
[2008/02/27 01:36:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Uniblue
[2012/02/28 00:15:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\uTorrent
[2009/07/03 20:13:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Vso
[2008/07/15 11:40:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\WinPatrol
[2011/12/14 19:53:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James Ewing\Application Data\Yluhe
[2008/01/29 23:24:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\sony

========== Purity Check ==========


< End of report >

--------------------------------------

extras.txt to follow in another post
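Reading an OTL log of this size by eye is error-prone, so here is an added example (not code from this post, from the helper, or from the OTL tool itself) that parses the line types shown above (O4 Run entries, O20 Winlogon Shell/UserInit, O35/O37 exefile and comfile open handlers, FF and IE proxy settings) and flags the classic hijack patterns. The embedded sample log is constructed to follow the same formats; its "qwerty" autorun entry and its altered exefile handler are invented so the checks have something to flag. The expected values it compares against (Explorer.exe as the Winlogon Shell, a system32\userinit.exe UserInit, and "%1" %* as the exefile/comfile open command) are the Windows XP defaults.

```python
"""Triage an OTL log for autorun, Winlogon, shell-handler and proxy indicators.

Added example; not from the forum post or the OTL tool. SAMPLE_LOG is
constructed to follow the OTL line formats; the [qwerty] Run entry and the
modified exefile handler are invented so the checks have something to flag.
"""
import re

SAMPLE_LOG = r"""
IE - HKU\S-1-5-21-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 8118
FF - prefs.js..network.proxy.socks: "127.0.0.1"
FF - prefs.js..network.proxy.socks_port: 9050
FF - prefs.js..network.proxy.type: 1
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [qwerty] C:\Documents and Settings\User\Local Settings\Application Data\qwerty\qwerty.exe ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Documents and Settings\User\Local Settings\Application Data\qwerty\qwerty.exe" "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
"""

# One regex per OTL line type we care about; the trailing "(Company)" is
# whatever OTL read from the file's version resource (empty when unsigned).
RUN_RE = re.compile(r'^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*) \((?P<company>[^()]*)\)$')
WINLOGON_RE = re.compile(r'^O20 - HKLM Winlogon: (?P<key>Shell|UserInit) - \((?P<value>[^)]*)\) - (?P<path>.*) \((?P<company>[^()]*)\)$')
ASSOC_RE = re.compile(r'^O3[57] - HKLM\\\.+(?P<cls>\w+) \[[^\]]*\] -- (?P<cmd>.*)$')
FF_RE = re.compile(r'^FF - prefs\.js\.\.network\.proxy\.(?P<key>\w+): (?P<val>.*)$')
IE_PROXY_RE = re.compile(r'^IE - (?P<hive>\S+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: "(?P<key>Proxy\w+)" = (?P<val>.*)$')

# Windows XP defaults the checks compare against.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT_SUFFIX = r"\system32\userinit.exe"
EXPECTED_OPEN_CMD = '"%1" %*'
# Folders a legitimate autorun rarely lives in but droppers routinely use.
USER_DATA_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def triage(log_text):
    """Return a list of (severity, message); severity is 'alert' or 'info'."""
    findings = []
    ff_proxy = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            reasons = []
            if not m.group("company").strip():
                reasons.append("no company name")
            if any(d in m.group("path").lower() for d in USER_DATA_DIRS):
                reasons.append("runs from a profile data/temp folder")
            if reasons:
                findings.append(("alert", f"O4 [{m.group('name')}] {m.group('path')}: " + ", ".join(reasons)))
            continue
        m = WINLOGON_RE.match(line)
        if m:
            value = m.group("value").lower().rstrip(",")  # UserInit normally carries a trailing comma
            if m.group("key") == "Shell":
                ok = value == EXPECTED_SHELL
            else:
                ok = value.endswith(EXPECTED_USERINIT_SUFFIX)
            if not ok:
                findings.append(("alert", f"O20 Winlogon {m.group('key')} changed: {m.group('value')}"))
            continue
        m = ASSOC_RE.match(line)
        if m:
            # Anything other than "%1" %* means every .exe/.com launch goes through another program first.
            if m.group("cmd") != EXPECTED_OPEN_CMD:
                findings.append(("alert", f"{m.group('cls')} open handler hijacked: {m.group('cmd')}"))
            continue
        m = FF_RE.match(line)
        if m:
            ff_proxy[m.group("key")] = m.group("val").strip('"')
            continue
        m = IE_PROXY_RE.match(line)
        if m and m.group("key") == "ProxyEnable" and m.group("val").strip() != "0":
            findings.append(("info", f"IE proxy enabled for {m.group('hive')}"))
    # A manual Firefox proxy (type 1) is reported, not judged: it may be a
    # deliberate local proxy such as Tor/Privoxy or a hijack; the analyst decides.
    if ff_proxy.get("type") == "1":
        endpoints = ", ".join(
            f"{proto}={ff_proxy[proto]}:{ff_proxy.get(proto + '_port', '?')}"
            for proto in ("http", "ssl", "socks") if proto in ff_proxy)
        findings.append(("info", f"Firefox manual proxy configured: {endpoints}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"{severity.upper():5} {message}")
```

Run against the log posted above, the same checks stay quiet on the Winlogon lines and on the comfile/exefile handlers (all at their defaults), and report the Firefox proxy as information only: 127.0.0.1:8118 (Privoxy's default port) and 127.0.0.1:9050 (Tor's default SOCKS port) next to an installed Torbutton extension is consistent with a deliberate Tor setup rather than a hijack. The one O4 pattern that matters most for a dropper, an unsigned binary started from Local Settings\Application Data, is what the constructed [qwerty] entry exercises.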
 
Extras.txt

OTL Extras logfile created on: 04/07/2012 23:30:34 - Run 1
OTL by OldTimer - Version 3.2.53.1 Folder = C:\Documents and Settings\James Ewing\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.45 Gb Available Physical Memory | 72.75% Memory free
3.85 Gb Paging File | 3.53 Gb Available in Paging File | 91.76% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.14 Gb Total Space | 46.62 Gb Free Space | 50.05% Space Free | Partition Type: NTFS
Drive D: | 85.25 Gb Total Space | 56.08 Gb Free Space | 65.78% Space Free | Partition Type: NTFS
Drive F: | 393.41 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: GROOVYCAT | User Name: James Ewing | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
https [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- ()
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\Sony\Click to DVD 2\CtoDvd.exe" = C:\Program Files\Sony\Click to DVD 2\CtoDvd.exe:*:Enabled:Click to DVD -- (Sony Corporation)
"C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe" = C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe:*:Enabled:Opera Internet Browser - Plugin wrapper -- (Opera Software)
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01FDC9FC-4D4F-4DB0-ACD1-D3E8E1D52902}" = Sony MP4 Shared Library
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio DigitalMedia Data
"{0ECB59D5-A3FC-4D61-AD3B-6CE679B3F852}" = Java DB 10.2.2.0
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1417F599-1DBD-4499-9375-B2813E9F890C}" = VAIO Camera Utility
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2063C2E8-3812-4BBD-9998-6610F80C1DD4}" = VAIO Media AC3 Decoder 1.0
"{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3}" = OpenMG AAC Add-on Module 1.0.00
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 14
"{27337663-2619-11D4-99DC-0000F49094C7}" = Memory Stick Formatter
"{2A0F3EF9-68EE-49E9-A05B-ED5B82DF63E5}" = Wireless Switch Setting Utility
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{32A3A4F4-B792-11D6-A78A-00B0D0160030}" = Java(TM) SE Development Kit 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3633BA28-67CE-4AC8-A677-3406CA84C3D8}" = OpenMG Secure Module 4.5.01
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}" = SAGEM F@st 800-840
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{58F9D852-9443-4955-A1ED-12C9E0504DD0}" = Mavis Beacon Teaches Typing Platinum 20
"{59452470-A902-477F-9338-9B88101681BD}" = Setting Utility Series
"{5958CAC6-373E-402F-84FE-0A699AA920B9}" = LAN Setting Utility
"{5BF5F9C5-E95B-4AFA-94BE-F2A9CA73B61D}" = Apple Mobile Device Support
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{61D6E4FB-1A62-4EB1-BE56-929B00C155CF}" = Wireless LAN Starter
"{668B1BD6-4593-4959-970E-249AFFE6F35C}" = VOR
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{83CDA18E-0BF3-4ACA-872C-B4CDABF2360E}" = VAIO Update 4
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8EDBA74D-0686-4C99-BFDD-F894678E5102}" = Adobe Common File Installer
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PRJPRO_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PRJPRO_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PRJPRO_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-003B-0000-0000-0000000FF1CE}" = Microsoft Office Project Professional 2007
"{90120000-003B-0000-0000-0000000FF1CE}_PRJPRO_{8446EB22-A746-46DC-B1BD-E0DFA1F3CDDA}" = Microsoft Office Project 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PRJPRO_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00B4-0409-0000-0000000FF1CE}" = Microsoft Office Project MUI (English) 2007
"{90120000-00B4-0409-0000-0000000FF1CE}_PRJPRO_{F3CD3F3F-726C-4414-A1FE-5CD0968313EA}" = Microsoft Office Project 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PRJPRO_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9E319E96-ED8E-4B01-9775-C521A1869A25}" = VAIO Power Management
"{9E407618-D9CD-4F39-9490-9ED45294073D}" = Click to DVD 2.0.03 Menu Data
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A947C2B3-7445-42C4-9063-EE704CACCB22}" = VAIO Hardware Diagnostics
"{AAD47011-8518-4608-9656-951DA35B587B}" = iTunes
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio DigitalMedia Audio
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.0
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio DigitalMedia Copy
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{BB406CEB-6207-4512-9BB2-89950DC9D6B6}_is1" = ConvertXtoDVD 2.2.3.258h
"{BE56FEF0-1A0F-4719-B3AD-34B5087AFA6D}" = Sony Video Shared Library
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C27BF761-C499-488D-A964-A3718BC6EC3E}" = DSD Direct
"{C89EB8CD-675F-44F4-9729-4C9A8FAC2D4F}" = DSD Playback Plug-in 1.0
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware 2007
"{E809063C-51A3-4269-8984-D1EB742F2151}" = Click to DVD 2.5.30
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{EF3D45BB-2260-4008-88EA-492E7744A9DF}" = Sony Utilities DLL
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0D85ADD-DD61-4B43-87A0-6DA52A211A8B}" = VAIO Event Service
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"{FC37C108-821D-4EDE-8F40-D5B497586805}" = VAIO Control Center
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"avast5" = avast! Free Antivirus
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_20030003" = HDAUDIO SoftV92 Data Fax Modem with SmartCP
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DivX Setup" = DivX Setup
"ExpatShield" = Expat Shield 2.25
"Guitar Pro 5_is1" = Guitar Pro 5.2
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3}" = OpenMG AAC Add-on Module 1.0.00
"InstallShield_{3633BA28-67CE-4AC8-A677-3406CA84C3D8}" = OpenMG Secure Module 4.5.01
"InstallShield_{668B1BD6-4593-4959-970E-249AFFE6F35C}" = VAIO Online Registration (English)
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MouseSuite98" = Sony USB Mouse
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"OpenMG HotFix4.5-06-05-10-01" = OpenMG Limited Patch 4.5-06-05-12-01
"Opera 12.00.1467" = Opera 12.00
"Opera Multimedia (ECDL 4.0 XP)" = Opera Multimedia (ECDL 4.0 XP)
"Polipo" = Polipo 1.0.4.1
"PowerISO" = PowerISO
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"PRJPRO" = Microsoft Office Project Professional 2007
"ProInst" = Intel(R) PROSet/Wireless Software
"PROSet" = Intel(R) PRO Network Connections Drivers
"RealPlayer 6.0" = RealPlayer
"Revo Uninstaller" = Revo Uninstaller 1.75
"Tor" = Tor 0.2.2.34
"Vidalia" = Vidalia 0.2.15
"Videora iPod Converter" = Videora iPod Converter 4.06
"VLC media player" = VideoLAN VLC media player 0.8.6d
"WGA" = Windows Genuine Advantage Validation Tool
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinHTTrack Website Copier_is1" = WinHTTrack Website Copier 3.43-9C
"WinPatrol" = WinPatrol 2008
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-556486716-130466698-4027895535-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 20 Event Log Errors ==========

[ Antivirus Events ]
Error - 04/05/2009 10:43:09 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
Description =

Error - 04/05/2009 10:43:10 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
Description =

Error - 04/05/2009 10:43:11 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
Description =

Error - 04/05/2009 10:43:11 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
Description =

Error - 04/05/2009 10:43:12 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
Description =

Error - 04/05/2009 10:43:14 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
Description =

Error - 04/05/2009 10:43:14 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
Description =

Error - 04/05/2009 10:43:15 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
Description =

Error - 04/05/2009 10:43:16 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
Description =

Error - 21/11/2009 05:07:46 | Computer Name = GROOVYCAT | Source = avast! | ID = 33554522
Description =

[ Application Events ]
Error - 26/06/2012 16:02:16 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 474797

Error - 26/06/2012 17:35:56 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 26/06/2012 17:35:56 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 2109

Error - 26/06/2012 17:35:56 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2109

Error - 26/06/2012 17:35:58 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 26/06/2012 17:35:58 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 4062

Error - 26/06/2012 17:35:58 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 4062

Error - 03/07/2012 14:31:04 | Computer Name = GROOVYCAT | Source = Bonjour Service | ID = 100
Description = DNS Message from «ZERO ADDRESS»:0 to «ZERO ADDRESS»:0 length 0
too short

Error - 04/07/2012 14:41:37 | Computer Name = GROOVYCAT | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 04/07/2012 17:13:05 | Computer Name = GROOVYCAT | Source = Application Error | ID = 1000
Description = Faulting application aswmbr.exe, version 0.9.9.1665, faulting module
aswmbr.exe, version 0.9.9.1665, fault address 0x00005b96.

[ System Events ]
Error - 04/07/2012 16:01:38 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

Error - 04/07/2012 16:31:37 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

Error - 04/07/2012 16:44:40 | Computer Name = GROOVYCAT | Source = Service Control Manager | ID = 7000
Description = The General Purpose USB Driver (adildr.sys) service failed to start
due to the following error: %%2

Error - 04/07/2012 16:44:40 | Computer Name = GROOVYCAT | Source = Service Control Manager | ID = 7000
Description = The KService service failed to start due to the following error: %%3

Error - 04/07/2012 16:44:49 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

Error - 04/07/2012 16:45:49 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

Error - 04/07/2012 16:46:49 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

Error - 04/07/2012 16:47:49 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

Error - 04/07/2012 16:48:49 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

Error - 04/07/2012 17:18:49 | Computer Name = GROOVYCAT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

[ Translog Events ]
Error - 22/12/2007 15:49:28 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
(0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
Document, Window Window)

Error - 22/12/2007 15:49:48 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
(0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
Document, Window Window)

Error - 22/12/2007 15:50:11 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
(0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
Document, Window Window)

Error - 22/12/2007 15:50:34 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
(0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
Document, Window Window)

Error - 25/12/2007 08:01:04 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
(0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
Document, Window Window)

Error - 25/12/2007 08:01:16 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
(0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
Document, Window Window)

Error - 27/12/2007 11:28:11 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
(0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
Document, Window Window)

Error - 27/12/2007 12:00:03 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
(0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
Document, Window Window)

Error - 30/12/2007 15:22:48 | Computer Name = GROOVYCAT | Source = TranslutionPro | ID = 0
Description = ClassName: Connect Method: WordApplication_WindowActivate Message: System.Runtime.InteropServices.COMException
(0x800A01A8): Exception from HRESULT: 0x800A01A8 at Microsoft.Office.Core.CommandBar.set_Enabled(Boolean
pvarfEnabled) at Translution.TransClient.Addin.Word.Connect.WordApplication_WindowActivate(Document
Document, Window Window)


< End of report >
 
Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.
NOTE. Make sure to reverse the above changes, when done with this step.
Upload the following files to http://www.virustotal.com/ for security check:
- C:\Documents and Settings\James Ewing\Application Data\sony\myclubvaio\tools\PcName.exe
If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
 
SHA256: 72f98e179b64a667a4ee621a29327e357802017f634e04871f931f69aa7f352a
SHA1: 5df298dd43a7944d0604a0f701040aa6f14d0354
MD5: b5542b0f06a84979c5e3faaff0529cae
File size: 489.0 KB ( 500736 bytes )
File name: C:\Documents and Settings\James Ewing\Application Data\sony\myclubvaio\tools\PcName.exe
File type: Win32 EXE
Detection ratio: 27 / 42
Analysis date: 2012-07-05 15:55:27 UTC ( 0 minutes ago )
Antivirus | Result | Update
AhnLab-V3 | Win32/Ramnit.Q | 20120705
AntiVir | - | 20120705
Antiy-AVL | - | 20120705
Avast | Win32:Ramon | 20120705
AVG | Win32/Cryptor | 20120705
BitDefender | Win32.Ramnit.Y | 20120705
ByteHero | Trojan.Win32.Heur.Gen | 20120613
CAT-QuickHeal | - | 20120705
ClamAV | - | 20120705
Commtouch | W32/Ramnit.Q | 20120705
Comodo | - | 20120705
DrWeb | Win32.Rmnet.16 | 20120705
Emsisoft | Virus.Win32.Ramnit!IK | 20120705
eSafe | - | 20120704
F-Prot | W32/Ramnit.Q | 20120705
F-Secure | Win32.Ramnit.Y | 20120705
Fortinet | - | 20120705
GData | Win32.Ramnit.Y | 20120705
Ikarus | Virus.Win32.Ramnit | 20120705
Jiangmin | Win32/PatchFile.jr | 20120705
K7AntiVirus | Riskware | 20120704
Kaspersky | Virus.Win32.Nimnul.e | 20120705
McAfee | W32/Ramnit.I | 20120705
McAfee-GW-Edition | W32/Ramnit.I | 20120705
Microsoft | Virus:Win32/Ramnit.Z | 20120705
NOD32 | a variant of Win32/Ramnit.T | 20120705
Norman | W32/Nimnul.CY | 20120705
nProtect | Win32.Ramnit.Y | 20120705
Panda | - | 20120705
PCTools | - | 20120705
Rising | - | 20120705
Sophos | W32/Ramnit-BD | 20120705
SUPERAntiSpyware | - | 20120705
Symantec | - | 20120705
TheHacker | - | 20120704
TotalDefense | Win32/Ramnit.D!Dropper | 20120705
TrendMicro | PE_RAMNIT.EVL | 20120705
TrendMicro-HouseCall | PE_RAMNIT.EVL | 20120705
VBA32 | Virus.Nimnul.E | 20120705
VIPRE | Virus.Win32.Nimnul.ea (v) | 20120705
ViRobot | - | 20120705
VirusBuster | - | 20120704
 
I'm afraid I have very bad news.

You're infected with Ramnit file infector virus.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system
Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
 
I feared as much when I saw the results! Many thanks for the information.

If you don't mind, I have a couple of questions:
1. Since the Ramnit virus infects .exe/.dll/.html files, can I safely copy documents/photos/music (or any files without those extensions) from my machine before formatting?
2. If I do copy some files, is there a foolproof way of determining that the ramnit virus has not been transferred before copying them to a clean machine?
3. Just out of interest, was the file 'C:\Documents and Settings\James Ewing\Application Data\sony\myclubvaio\tools\PcName.exe' a legitimate file that was corrupted, or a file installed by the virus?

Many thanks for your help!
James.
 
PcName.exe seems to be a legit file but to say for sure you'd have to scan it (http://www.virustotal.com/).

Now, you can save any file you want but...
1. Make sure you won't connect the device you're saving your data to to any other healthy computer.
2. After Windows reinstallation...
Install Panda USB Vaccine, or BitDefender's USB Immunizer on the clean computer to protect it from any infected USB device.
Then you'll be safe to connect your external device and scan it with your AV program.
 
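Added example, not a tool from this thread or from either participant: a small Python triage script for the salvage step discussed in the last two posts. It applies the file-type rule from Broni's earlier post (Ramnit infects .exe, .dll and .htm/.html files, and infected HTML is flagged as VBS/Ramnit.A) and adds the two checks a practitioner would want before trusting an extension: a file whose first bytes are the Windows executable header is refused whatever it is called, and a non-HTML file carrying an embedded VBScript block is refused too. Everything that passes is listed with its SHA-256 so the hashes can be checked from a clean machine (for example on VirusTotal, as used above) before the files are opened there. The sample tree, its file names and contents, the VBScript heuristic and the verdict labels are this example's own assumptions, not anything taken from the infected machine.

```python
"""Triage a folder before salvaging its files off a Ramnit-infected machine.

Added example for this thread; it is not a tool from the original post.
Rules applied, in order:
  1. refuse the extensions the thread names as Ramnit targets;
  2. refuse any file that starts with the PE/DOS 'MZ' header (an executable
     renamed to .txt or .jpg is still an executable);
  3. refuse any remaining file that embeds a VBScript <script> block
     (assumption: heuristic for the script Ramnit plants in HTML files);
  4. list everything else with its SHA-256 for checking on a clean machine.
"""
import hashlib
import os
import re
import tempfile

# Extensions named in the thread as Ramnit infection targets.
INFECTABLE_EXT = {".exe", ".dll", ".htm", ".html"}
PE_MAGIC = b"MZ"  # DOS/PE header: a Windows executable whatever its name
# Heuristic (assumption of this example): a VBScript <script> tag is not
# something a photo, document or MP3 should contain.
VBSCRIPT_RE = re.compile(rb"<script[^>]*language\s*=\s*['\"]?vbscript", re.I)
HEAD_BYTES = 1024 * 1024  # bytes inspected for the heuristics


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path):
    """Return 'copy' or a 'skip-...' reason for one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in INFECTABLE_EXT:
        return "skip-infectable-type"
    with open(path, "rb") as f:
        head = f.read(HEAD_BYTES)
    if head.startswith(PE_MAGIC):
        return "skip-disguised-pe"
    if VBSCRIPT_RE.search(head):
        return "skip-embedded-vbscript"
    return "copy"


def triage(root):
    """Walk root; return {'copy': [(relpath, sha256)], 'skip': [(relpath, reason)]}."""
    manifest = {"copy": [], "skip": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            verdict = classify(path)
            if verdict == "copy":
                manifest["copy"].append((rel, sha256_file(path)))
            else:
                manifest["skip"].append((rel, verdict))
    manifest["copy"].sort()
    manifest["skip"].sort()
    return manifest


# Constructed sample files (not taken from the infected machine in the thread).
SAMPLE_FILES = {
    "photos/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
    "docs/letter.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
    "music/track.mp3": b"ID3" + b"\x00" * 64,
    "tools/PcName.exe": b"MZ\x90\x00" + b"\x00" * 64,      # refused by extension
    "docs/readme.txt": b"MZ\x90\x00" + b"\x00" * 64,       # executable renamed .txt
    "docs/clean.htm": b"<html><body>hello</body></html>",  # refused by extension
    "docs/notes.mht": (b"<html><body>notes</body>"
                       b"<SCRIPT Language=VBScript><!--\nDropFileName = \"svchost.exe\"\n"
                       b"//--></SCRIPT></html>"),           # embedded VBScript
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="salvage_")
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for rel, digest in result["copy"]:
        print("COPY  %s  %s" % (digest, rel))
    for rel, reason in result["skip"]:
        print("SKIP  %-22s  %s" % (reason, rel))
```

Run it against the root of the data you intend to carry over; only the COPY lines go onto the transfer drive, and the hash list travels with them so each file can be looked up from the clean machine before it is opened. The script only reduces the risk of carrying an infected executable across; it does not make the infected machine trustworthy, and the advice above about not plugging the transfer drive into a healthy computer before it has been vaccinated and scanned still stands.
 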
Thanks again, Broni.
In the next couple of days I hope to complete the migration of files and the reinstall of an OS. I've been considering my options and, again, I have a few questions:
1. I have a legitimate copy of XP, but don't have the disk, so was wondering if I can run the formatting and install from the Windows I386 folder?
2. Can this specific folder be scanned to ensure 100% that there is no virus?
3. Would it be better to copy the folder to a CD/USB and run the formatting/install from there or can it be done from the HD?
4. I have the Windows product key on a sticker on my computer, but do I need any other information from my machine before performing the formatting/install?

Many thanks,
James.
 