[Not curable - Ramnit] My XP Laptop is infected with the win32/zbot.g


51mog

My XP Laptop is infected with the win32/zbot.g & vbs generic virus.

Windows and Office (and other apps) are becoming unusable. I cannot run Windows Live Mail, Messenger or download the GMER and Office keeps trying to reinstall.

This is what I managed so far ......

Step 1: Already have AVG 2011 installed and running. Autodetect and AV Scan has identified about 1,500 infected files which it has healed or vaulted, but is still finding them.

Step 2: Downloaded and ran Malwarebytes' Anti-Malware. See log below:-

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7469

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

15/08/2011 14:24:22
mbam-log-2011-08-15 (14-24-21).txt

Scan type: Quick scan
Objects scanned: 224577
Time elapsed: 43 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Step 3:

Cannot display web page to download and install GMER. Thinks there is a Firewall issue but never had this problem before.

Step 4:

DDS not started.

Step 5:

Logs as I have been able to get.

Step 6:

Here you go - hope you can help or do you think I would be better off re-formatting and reloading all the software from scratch? Would it be safe to copy data files from the infected laptop on to another machine or would I just be infecting another machine?

Thanks
 
Welcome aboard


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

==============================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
Can't download ESET

Hi Broni

I can't download (connect to) ESET although I can get to other web sites including TechSpot.

What should I do next?

Here is the log file from the connectivity diagnostics.

Last diagnostic run time: 08/15/11 23:08:09

HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn FTP (Passive): Error 12029 connecting to ftp.microsoft.com: A connection with the server could not be established
warn HTTPS: Error 12029 connecting to www.microsoft.com: A connection with the server could not be established
warn FTP (Active): Error 12029 connecting to ftp.microsoft.com: A connection with the server could not be established
warn HTTP: Error 12029 connecting to www.microsoft.com: A connection with the server could not be established
warn HTTPS: Error 12029 connecting to www.passport.net: A connection with the server could not be established
info HTTP: Successfully connected to www.hotmail.com.
error Could not make an HTTPS connection.
error Could not make an FTP connection.
info Redirecting user to support call



DNS Client Diagnostic
DNS - Not a home user scenario

info Using Web Proxy: no
info Resolving name ok for (www.microsoft.com): yes
No DNS servers

DNS failure




Gateway Diagnostic
Gateway

info The following proxy configuration is being used by IE: Automatically Detect Settings:Enabled Automatic Configuration Script: Proxy Server: Proxy Bypass list:
info Could not get proxy settings via the Automatic Proxy Configuration mechanism
info This computer has the following default gateway entry(ies): 192.168.1.1
info This computer has the following IP address(es): 192.168.1.9
info The default gateway is in the same subnet as this computer
info The default gateway entry is a valid unicast address
info The default gateway address was resolved via ARP in 1 try(ies)
info The default gateway was reached via ICMP Ping in 1 try(ies)
info TCP port 80 on host 127.0.0.1 was successfully reached
info The Internet host www.microsoft.com was successfully reached
info The default gateway is OK



IP Layer Diagnostic
Corrupted IP routing table

info The default route is valid
info The loopback route is valid
info The local host route is valid
info The local subnet route is valid
Invalid ARP cache entries

action The ARP cache has been flushed



IP Configuration Diagnostic
Invalid IP address

info Valid IP address detected: 192.168.1.9



Wireless Diagnostic
Wireless - Service disabled

Wireless - User SSID

action User input required: Specify network name or SSID
Wireless - First time setup

info The Wireless Network name (SSID) to which the user would like to connect = Conservatory2.
Wireless - Radio off

info Valid IP address detected: 192.168.1.9
Wireless - Out of range

Wireless - Hardware issue

Wireless - Novice user

Wireless - Ad-hoc network

Wireless - Less preferred

Wireless - 802.1x enabled

Wireless - Configuration mismatch

Wireless - Low SNR




WinSock Diagnostic
WinSock status

info IrDA protocol is not found in Winsock catalog.
info All base service provider entries are present in the Winsock catalog.
info The Winsock Service provider chains are valid.
info Provider entry MSAFD Tcpip [TCP/IP] passed the loopback communication test.
info Provider entry MSAFD Tcpip [UDP/IP] passed the loopback communication test.
info Provider entry RSVP UDP Service Provider passed the loopback communication test.
info Provider entry RSVP TCP Service Provider passed the loopback communication test.
info Connectivity is valid for all Winsock service providers.



Network Adapter Diagnostic
Network location detection

info Using home Internet connection
Network adapter identification

info Network connection: Name=Local Area Connection, Device=SiS 900-Based PCI Fast Ethernet Adapter, MediaType=LAN, SubMediaType=LAN
info Network connection: Name=Wireless Network Connection, Device=PRISM 802.11g Adapter (3886), MediaType=LAN, SubMediaType=WIRELESS
info Network connection: Name=1394 Connection, Device=1394 Net Adapter, MediaType=LAN, SubMediaType=1394
info Both Ethernet and Wireless connections available, prompting user for selection
action User input required: Select network connection
info Wireless connection selected
Network adapter status

info Network connection status: Connected



HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn FTP (Passive): Error 12029 connecting to ftp.microsoft.com: A connection with the server could not be established
warn HTTP: Error 12029 connecting to www.microsoft.com: A connection with the server could not be established
warn FTP (Active): Error 12029 connecting to ftp.microsoft.com: A connection with the server could not be established
warn HTTPS: Error 12029 connecting to www.microsoft.com: A connection with the server could not be established
info HTTP: Successfully connected to www.hotmail.com.
warn HTTPS: Error 12029 connecting to www.passport.net: A connection with the server could not be established
error Could not make an HTTPS connection.
error Could not make an FTP connection.
 
Use working computer to download following tool and move it to "bad" computer using USB flash drive...

Please click HERE to download Kaspersky Virus Removal Tool.

  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop (be patient; it may take a while).
  • Accept license agreement and click "Start" button.
  • Click on Settings button
    • In Scan scope leave pre-checked items as they are and also checkmark My Computer
    • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
  • Click on Automatic Scan tab and then click on Start scanning button.
  • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  • When the scan is done NO log will be produced.
  • Click on Report button, then on Automatic Scan report tab.
  • Right click anywhere within right pane, click Select All then right click again and click Copy.
  • This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.
 
Kaspersky Virus Removal Tool

Hi Broni

Followed your instructions but Kaspersky wanted to do a removal and restart before completion so I did a log/report prior to removal (File 1) and one after restart (File 2).

I then reran Kaspersky which completed successfully and did another log/report (File 3) which is 35Mb. These are too big to include in TechSpot OpenBoards replies due to 50,000 character limit. Is there another way I can send these to you?

What next?

Thanks.
 
Kaspersky Files

Broni

Here you go.

http://www.filedropper.com/kaspersky1

http://www.filedropper.com/kaspersky2

http://www.filedropper.com/kaspersky3

Thanks
 
I'm afraid I have very bad news.

You're infected with Ramnit file infector virus.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system
Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
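
The post above says Ramnit infects .HTML/.HTM files and travels on flash drives. The script below is an added example, not part of the original thread or any vendor tool: it walks a folder (for instance data copied off the infected machine, examined from a clean one) and flags HTML files that carry a VBScript block after the closing `</html>` tag. That heuristic, the hex-encoded "MZ" check, and all function names are assumptions based on the commonly reported form of VBS/Ramnit-infected pages; the sample files are constructed and inert.

```python
import re
import sys
import tempfile
from pathlib import Path

HTML_EXT = {".htm", ".html"}
MAX_BYTES = 20 * 1024 * 1024  # skip (but report) unusually large "HTML" files

# Heuristic patterns (assumptions, not vendor signatures).
CLOSE_HTML = re.compile(rb"</html\s*>", re.I)
VBS_TAG = re.compile(rb"<script[^>]*\blanguage\s*=\s*[\"']?vbscript", re.I)
# A quoted hex string starting with 4D5A ("MZ"), i.e. an executable stored as text.
HEX_MZ = re.compile(rb"[\"']4D5A[0-9A-F]{8,}", re.I)


def inspect_html(data: bytes) -> list[str]:
    """Return the reasons this HTML content looks like it had script appended.

    Only content *after the last* closing </html> tag is examined, so pages
    that legitimately use script inside the document are not flagged.
    """
    closes = list(CLOSE_HTML.finditer(data))
    if not closes:
        return []
    tail = data[closes[-1].end():]
    reasons = []
    if VBS_TAG.search(tail):
        reasons.append("vbscript-after-html-close")
    if HEX_MZ.search(tail):
        reasons.append("hex-encoded-MZ-in-tail")
    return reasons


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every .htm/.html file under root; return {relative path: reasons}."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in HTML_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        try:
            if path.stat().st_size > MAX_BYTES:
                findings[rel] = ["skipped-larger-than-cap"]
                continue
            reasons = inspect_html(path.read_bytes())
        except OSError as exc:
            findings[rel] = [f"unreadable: {exc.__class__.__name__}"]
            continue
        if reasons:
            findings[rel] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Build a small constructed tree and scan it (sample data, inert)."""
    clean = b"<html><body><script>var a=1;</script>ok</body></html>\n"
    # Constructed fragment: a trailing VBScript tag with a short hex literal.
    appended = (clean + b"<SCRIPT Language=VBScript><!--\n"
                b'WriteData = "4D5A90000300000004000000"\n//--></SCRIPT>')
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "index.html").write_bytes(clean)          # should pass
        (root / "docs" / "help.HTM").write_bytes(appended)  # should be flagged
        (root / "notes.txt").write_bytes(appended)        # not HTML: ignored
        return scan_tree(root)


if __name__ == "__main__":
    # Usage: python scan_html.py <folder>   (no argument runs the demo)
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for name, why in results.items():
        print(f"{name}: {', '.join(why)}")
    print(f"{len(results)} file(s) flagged")
```

A flagged file is a prompt to scan it with an up-to-date anti-virus before opening it; an empty result says nothing about infected executables, which this check does not examine.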
 
Has it infected my 'good' computer?

Hi Broni

Thanks for the news - although bad.

Funny AVG is not now reporting any malicious files on the laptop. What is the best way to reformat and reload from scratch?

My concern now is, as I've been transferring info for this clean up exercise on a USB stick between the laptop and my 'good' PC, - does that mean the PC is now infected? Nothing has been picked up - can I check? I have Spybot on my PC so I will do a Search and let you know the outcome.
 
Spybot Report

Broni

Here is Spybot report from my 'good' PC - it looks OK.

I haven't corrected the 8 issues listed below because they are non-threatening.


  1. MyWay.MyWebSearch: [SBI $9185AE0B] Class ID (Registry key, nothing done)
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481}
  2. MyWay.MyWebSearch: [SBI $798DEFC6] Class ID (Registry key, nothing done)
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7}
  3. MyWay.MyWebSearch: [SBI $17EB816E] Class ID (Registry key, nothing done)
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907}
  4. MyWay.MyWebSearch: [SBI $E6CF97BD] Class ID (Registry key, nothing done)
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127}
  5. MyWay.MyWebSearch: [SBI $84A88F8E] Class ID (Registry key, nothing done)
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7}
  6. MyWay.MyWebSearch: [SBI $2E0CB34B] Class ID (Registry key, nothing done)
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA}
  7. Right Media: Tracking cookie (Internet Explorer: Frank) (Cookie, nothing done)
  8. DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Filesize: 1491920
Attributes: archive
MD5: 9344E83E306D4B6947D69D4A6EC99021
CRC32: E54DA9DB
Version: 5.12.3.17451

{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 04/08/2011 22:44:16
Date (last access): 09/08/2011 22:30:24
Date (last write): 04/08/2011 22:44:16
Filesize: 42272
Attributes: archive
MD5: E7D55E121FF1951CB86C7E0DC6A33877
CRC32: 0EA0302A
Version: 6.0.260.3



--- ActiveX list ---
{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool)
DPF name:
CLSID name: Office Genuine Advantage Validation Tool
Installer: C:\Windows\Downloaded Program Files\OGAControl.inf
Codebase: http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
Path: C:\Windows\system32\
Long name: OGACheckControl.dll
Short name: OGACHE~1.DLL
Date (created): 03/08/2009 15:07:42
Date (last access): 30/08/2009 22:36:16
Date (last write): 03/08/2009 15:07:42
Filesize: 403816
Attributes: archive
MD5: 10C03F5479E6BD73C9CB3DFDE9FA4C2E
CRC32: C60BD332
Version: 2.0.48.0

{0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control)
DPF name:
CLSID name: Microsoft Data Collection Control
Installer:
Codebase: https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
Path: C:\Windows\Downloaded Program Files\
Long name: MSDcode.dll
Short name:
Date (created): 21/09/2007 16:58:48
Date (last access): 21/09/2007 16:58:48
Date (last write): 21/09/2007 16:58:48
Filesize: 394320
Attributes: archive
MD5: 88FFA5217EDA703394E51C14A0BD5506
CRC32: A6B74A27
Version: 2.6.1.19

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\Windows\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\Windows\system32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 20/03/2008 19:06:36
Date (last access): 20/03/2008 19:06:36
Date (last write): 20/03/2008 19:06:36
Filesize: 1480232
Attributes: archive
MD5: E058C4821D48E0A67F6069CB50818D44
CRC32: 3513AE02
Version: 1.7.69.2

{3BB1D69B-A780-4BE1-876E-F3D488877135} (SentinelProxy Class)
DPF name:
CLSID name: SentinelProxy Class
Installer: C:\Windows\Downloaded Program Files\VE3DInstall.inf
Codebase: http://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
Path: C:\Program Files\Virtual Earth 3D\
Long name: SentinelVirtualEarth3DProxy.dll
Short name: SENTIN~2.DLL
Date (created): 29/08/2008 16:03:40
Date (last access): 27/09/2008 09:03:56
Date (last write): 29/08/2008 16:03:40
Filesize: 97288
Attributes: archive
MD5: 9F376B1D921CDD5FFAA47A98BD152C31
CRC32: A3AE3D98
Version: 3.0.0.0

{4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
DPF name:
CLSID name: MSN Photo Upload Tool
Installer: C:\Windows\Downloaded Program Files\MSNPUpld.inf
Codebase: http://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-gb.cab
description:
classification: Legitimate
known filename: MsnPUpld.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Windows\Downloaded Program Files\
Long name: MsnPUpld.dll
Short name:
Date (created): 20/11/2006 12:04:16
Date (last access): 20/11/2006 12:04:16
Date (last write): 20/11/2006 12:04:16
Filesize: 543544
Attributes: archive
MD5: A0F541D9D2CACEEC7A4A378CD0C31626
CRC32: 035C591F
Version: 10.0.914.0

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_26
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2iexp.dll
Short name:
Date (created): 05/03/2009 19:14:52
Date (last access): 04/05/2011 05:54:22
Date (last write): 04/05/2011 04:52:24
Filesize: 112416
Attributes: archive
MD5: 8ED8B29AC7412F8A1608BAC047E5F78D
CRC32: 18200451
Version: 6.0.260.3

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\Windows\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class)
DPF name:
CLSID name: EPUImageControl Class
Installer: C:\Windows\Downloaded Program Files\EPUWALcontrol.inf
Codebase: http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
Path: C:\Windows\Downloaded Program Files\
Long name: EPUWALcontrol.dll
Short name: EPUWAL~1.DLL
Date (created): 04/02/2010 12:55:38
Date (last access): 04/02/2010 12:55:38
Date (last write): 04/02/2010 12:55:38
Filesize: 3171608
Attributes: archive
MD5: C7103946ED86FAC01E23C457EDD7F719
CRC32: 65FF7081
Version: 1.0.31.0

{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2iexp.dll
Short name:
Date (created): 05/03/2009 19:14:52
Date (last access): 04/05/2011 05:54:22
Date (last write): 04/05/2011 04:52:24
Filesize: 112416
Attributes: archive
MD5: 8ED8B29AC7412F8A1608BAC047E5F78D
CRC32: 18200451
Version: 6.0.260.3

{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_26
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2iexp.dll
Short name:
Date (created): 05/03/2009 19:14:52
Date (last access): 04/05/2011 05:54:22
Date (last write): 04/05/2011 04:52:24
Filesize: 112416
Attributes: archive
MD5: 8ED8B29AC7412F8A1608BAC047E5F78D
CRC32: 18200451
Version: 6.0.260.3

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_26
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_26.dll
Short name: NPJPI1~1.DLL
Date (created): 04/05/2011 02:25:52
Date (last access): 04/05/2011 05:54:32
Date (last write): 04/05/2011 04:52:30
Filesize: 141088
Attributes: archive
MD5: 9210B3BC2BC4FF4F4281F7D7C294233A
CRC32: B23F2824
Version: 6.0.260.3

{E2883E8F-472F-4FB0-9522-AC9BF37916A7} ()
DPF name:
CLSID name:
Installer: C:\Windows\Downloaded Program Files\gp.inf
Codebase: http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab



--- Process list ---
PID: 3624 (1448) C:\Windows\system32\Dwm.exe
size: 81920
MD5: 01DD1004181FD46ECDC3628228EB269D
PID: 3720 (3596) C:\Windows\Explorer.EXE
size: 2926592
MD5: D07D4C3038F3578FFCE1C0237F2A1253
PID: 3780 (1460) C:\Windows\system32\taskeng.exe
size: 171520
MD5: 3D50C4B10352367D5CB20ED1F50F8DA2
PID: 3632 (3720) C:\Windows\RtHDVCpl.exe
size: 6139904
MD5: E6CB83FF2C098C6FFCF2D43A4AAC9B54
PID: 3856 (3720) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
size: 31072
MD5: 644795F6985C740F5E36E9336B837D0B
PID: 3920 (3720) C:\Windows\WindowsMobile\wmdcBase.exe
size: 648072
MD5: 96B3C4E20F02CA16AA1E3E425BFFCC8B
PID: 3932 (2016) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
size: 373864
MD5: 04DB1E60FBFB9A77AF16238A209C2CDD
PID: 3988 (3720) C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
size: 585728
MD5: 1D1D81A45ECAD70BADA52DE8FB332961
PID: 3252 (3720) C:\Program Files\Olympus\ib\olycamdetect.exe
size: 93360
MD5: BF0595533F66EBAAF4ED2DB0E3201FE9
PID: 1420 (3720) C:\Program Files\AVG\AVG10\avgtray.exe
size: 2334560
MD5: 140F771CADA8724200434C39918F2EA0
PID: 3692 (3720) C:\Program Files\DivX\DivX Update\DivXUpdate.exe
size: 1230704
MD5: CB7CA3DC268CA9D3FC1349A60EA48211
PID: 1856 (3720) C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
size: 63360
MD5: 57D8C4ED26DFD7EF0E2CB196FB8BFB54
PID: 1372 (3720) C:\Program Files\Common Files\Java\Java Update\jusched.exe
size: 249064
MD5: 2E5212A0BFB98FE0167C92C76C87AFE3
PID: 3832 (3720) C:\Program Files\iTunes\iTunesHelper.exe
size: 421736
MD5: FDE6DA67628FB7B763336B6952CF6C3C
PID: 4012 (3720) C:\Program Files\Ask.com\Updater\Updater.exe
size: 399312
MD5: BB6F29A0F374D0BFC5DE0B5C633AA439
PID: 4000 (3720) C:\Program Files\Windows Live\Messenger\msnmsgr.exe
size: 4240760
MD5: 6F0DAB13529BCB7C0F8A3082A8B1CDE9
PID: 3696 (3720) C:\Windows\ehome\ehtray.exe
size: 125952
MD5: BF08674925F151BD4537B89A493E3E0C
PID: 4056 (3720) C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
size: 247728
MD5: 9AF1C70202FB6A84F177D497D75BC5FC
PID: 3612 (3720) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 39408
MD5: 5D61BE7DB55B026A5D61A3EED09D0EAD
PID: 4164 (1208) C:\Windows\ehome\ehmsas.exe
size: 37376
MD5: 0F4195B9B348DE5CF9B822F81704B20E
PID: 4496 (1208) C:\Windows\system32\wbem\unsecapp.exe
size: 37888
MD5: 8274C87726D4561EE8750D883764ACC1
PID: 5800 (1420) C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
size: 1148256
MD5: 350A0C2CC411A6B0982604C8893C3E93
PID: 6048 (1208) C:\Program Files\Windows Live\Contacts\wlcomm.exe
size: 25456
MD5: E9450C5EDC1168557F4E0971C94E98A2
PID: 27432 (20236) C:\Program Files\Windows Media Player\wmplayer.exe
size: 168960
MD5: 2D821AFA5A1A9CA7F9F997A1AAD09E72
PID: 24184 (23524) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887
PID: 12648 (28568) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 0 ( 0) [System Process]
PID: 4 ( 0) System
PID: 468 ( 4) smss.exe
size: 64000
PID: 500 ( 492) avgchsvx.exe
PID: 736 ( 724) csrss.exe
size: 6144
PID: 804 ( 796) csrss.exe
size: 6144
PID: 812 ( 724) wininit.exe
size: 96768
PID: 852 ( 812) services.exe
size: 279552
PID: 872 ( 812) lsass.exe
size: 9728
PID: 880 ( 812) lsm.exe
size: 229888
PID: 1052 ( 796) winlogon.exe
size: 314368
PID: 1208 ( 852) svchost.exe
size: 21504
PID: 1256 ( 852) nvvsvc.exe
size: 615528
PID: 1288 ( 852) svchost.exe
size: 21504
PID: 1424 ( 852) svchost.exe
size: 21504
PID: 1448 ( 852) svchost.exe
size: 21504
PID: 1460 ( 852) svchost.exe
size: 21504
PID: 1536 (1424) audiodg.exe
size: 88576
PID: 1560 ( 852) svchost.exe
size: 21504
PID: 1576 ( 852) SLsvc.exe
size: 3408896
PID: 1620 ( 852) svchost.exe
size: 21504
PID: 1736 ( 852) svchost.exe
size: 21504
PID: 2016 (1256) NvXDSync.exe
PID: 2028 (1256) nvvsvc.exe
size: 615528
PID: 300 ( 852) spoolsv.exe
size: 128000
PID: 380 ( 852) svchost.exe
size: 21504
PID: 908 ( 852) armsvc.exe
PID: 2000 ( 852) AffinegyService.exe
PID: 1196 ( 852) AppleMobileDeviceService.exe
PID: 976 ( 852) avgwdsvc.exe
PID: 280 ( 852) mDNSResponder.exe
PID: 324 ( 852) MsDepSvc.exe
PID: 2220 ( 976) avgnsx.exe
PID: 2412 ( 852) NBService.exe
PID: 2452 ( 852) IoctlSvc.exe
size: 81920
PID: 2464 ( 852) svchost.exe
size: 21504
PID: 2476 ( 852) SeaPort.exe
PID: 2544 ( 852) svchost.exe
size: 21504
PID: 2636 ( 852) TomTomHOMEService.exe
PID: 2668 ( 852) svchost.exe
size: 21504
PID: 2712 ( 852) WLIDSVC.EXE
PID: 2768 ( 852) SearchIndexer.exe
size: 441344
PID: 2848 ( 852) SDWinSec.exe
size: 1153368
MD5: 794D4B48DFB6E999537C7C3947863463
PID: 2924 (2712) WLIDSVCM.EXE
PID: 3136 ( 852) AVGIDSAgent.exe
PID: 3672 (1460) taskeng.exe
size: 171520
PID: 3808 ( 852) svchost.exe
size: 21504
PID: 4552 (1208) WmiPrvSE.exe
PID: 5656 ( 852) iPodService.exe
PID: 6128 ( 852) svchost.exe
size: 21504
PID: 4504 ( 852) daemonu.exe
PID: 1976 ( 544) avgrsx.exe
PID: 5156 (1976) avgcsrvx.exe
PID: 20760 (1448) WUDFHost.exe
size: 142336
PID: 6908 (1460) C:\Windows\system32\taskeng.exe
size: 171520
MD5: 3D50C4B10352367D5CB20ED1F50F8DA2
PID: 8072 (1208) C:\Program Files\Internet Explorer\iexplore.exe
size: 638232
MD5: 04D1DC458C723B291179F8449ACC281D
PID: 9236 (8072) C:\Program Files\Internet Explorer\iexplore.exe
size: 638232
MD5: 04D1DC458C723B291179F8449ACC281D
PID: 9072 (8072) C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
size: 307376
MD5: 745EE2C6FB0B43C9F00E017F5E5D7317
PID: 6324 (1208) C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
size: 316208
MD5: 99B6CE3840F5AD5C4B13B666249AA467
PID: 7072 (2768) C:\Windows\system32\SearchProtocolHost.exe
size: 185344
MD5: B5EF1DA337DB9859709A387638AC5E07
PID: 11524 (2768) C:\Windows\system32\SearchFilterHost.exe
size: 87552
MD5: C9EE7FF225EAC1CB9C78C413667CDB80
PID: 24760 (1208) C:\Windows\system32\Macromed\Flash\FlashUtil10v_ActiveX.exe
size: 243360
MD5: 461A87D7A4304BDA228CF1DBB86D3CE9
PID: 27960 (8072) C:\Program Files\Internet Explorer\iexplore.exe
size: 638232
MD5: 04D1DC458C723B291179F8449ACC281D


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 19/08/2011 02:08:09

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://uk.msn.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://uk.msn.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\System32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: MSAFD Tcpip [TCP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 4: MSAFD Tcpip [UDP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 5: MSAFD Tcpip [RAW/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 6: RSVP TCPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 7: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 8: RSVP UDPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 9: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2C94CCD2-DB6E-4F0C-8C72-E19588AD5921}] SEQPACKET 10
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2C94CCD2-DB6E-4F0C-8C72-E19588AD5921}] DATAGRAM 10
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3A614E2F-54E5-4782-94CD-AF56D92F7FE9}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3A614E2F-54E5-4782-94CD-AF56D92F7FE9}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5E1593D2-3C1F-4CE6-AB3B-E6F50CF17F9E}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5E1593D2-3C1F-4CE6-AB3B-E6F50CF17F9E}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F70DBDC8-EC6D-4885-B8B4-C85EA7C7AA45}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F70DBDC8-EC6D-4885-B8B4-C85EA7C7AA45}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CEF22028-4AE6-44A3-8F9C-C54093F42D6E}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CEF22028-4AE6-44A3-8F9C-C54093F42D6E}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{7FB883A9-3DBE-486E-AEB2-94214FF70B45}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{7FB883A9-3DBE-486E-AEB2-94214FF70B45}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{5E1593D2-3C1F-4CE6-AB3B-E6F50CF17F9E}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{5E1593D2-3C1F-4CE6-AB3B-E6F50CF17F9E}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{4C38A2CD-B762-4ED9-A708-F5AD779566C1}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{4C38A2CD-B762-4ED9-A708-F5AD779566C1}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 26: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BBEBA68A-F18B-4589-866F-7FCD54DA89E0}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 27: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BBEBA68A-F18B-4589-866F-7FCD54DA89E0}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 28: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{CEF22028-4AE6-44A3-8F9C-C54093F42D6E}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 29: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{CEF22028-4AE6-44A3-8F9C-C54093F42D6E}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Network Location Awareness Legacy (NLAv1) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename:
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 1: E-mail Naming Shim Provider
GUID: {964ACBA2-B2BC-40EB-8C6A-A6DB40161CAE}
Filename:

Namespace Provider 2: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename:

Namespace Provider 3: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename:

Namespace Provider 4: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename:
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 5: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 6: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP
 
Funny, AVG is not now reporting any malicious files on the laptop
It will, sooner or later. Those patched files will replicate.

As for your other computer, I suggest you start a new topic about it.
We better check.
 