WiredWX Christian Hobby Weather Tools
vbs.runauto

G'day, Norton on my laptop is continually picking up vbs.runauto. My computer tech tells me this is serious.
Is it?

Thanks for your help.

Here are the logs.

aswMBR first:

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-12 18:44:50
-----------------------------
18:44:50.765 OS Version: Windows 5.1.2600 Service Pack 3
18:44:50.765 Number of processors: 2 586 0x170A
18:44:50.765 ComputerName: WORKSTATION-H UserName: BryanC
18:45:22.921 Initialize success
18:59:12.750 AVAST engine defs: 11121102
19:00:31.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:00:31.171 Disk 0 Vendor: ST950042 0002 Size: 476940MB BusType: 8
19:00:31.187 Disk 0 MBR read successfully
19:00:31.187 Disk 0 MBR scan
19:00:31.328 Disk 0 Windows XP default MBR code
19:00:31.343 Disk 0 scanning sectors +976752000
19:00:31.484 Disk 0 scanning C:\WINDOWS\system32\drivers
19:00:57.093 Service scanning
19:00:58.281 Modules scanning
19:01:14.125 Disk 0 trace - called modules:
19:01:14.156 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
19:01:14.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8afe5ab8]
19:01:14.171 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8b042028]
19:01:33.781 AVAST engine scan C:\WINDOWS
19:02:31.046 AVAST engine scan C:\WINDOWS\system32
19:07:31.671 AVAST engine scan C:\WINDOWS\system32\drivers
19:08:29.453 AVAST engine scan C:\Documents and Settings\BryanC
19:36:01.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\BryanC\Desktop\MBR.dat"
19:36:01.750 The log file has been saved successfully to "C:\Documents and Settings\BryanC\Desktop\aswMBR.txt"


Re: vbs.runauto

Now OTL part 1:

OTL logfile created on: 12/12/2011 7:52:07 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\BryanC\My Documents\Downloads\geek
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

3.49 Gb Total Physical Memory | 2.16 Gb Available Physical Memory | 62.06% Memory free
5.32 Gb Paging File | 4.05 Gb Available in Paging File | 76.10% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 235.81 Gb Free Space | 50.63% Space Free | Partition Type: NTFS

Computer Name: WORKSTATION-H | User Name: BryanC | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/12 07:47:25 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\BryanC\My Documents\Downloads\geek\OTL.com
PRC - [2011/11/12 07:45:49 | 004,617,600 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2011/08/31 17:00:48 | 000,449,608 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/08/20 23:04:24 | 001,664,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
PRC - [2011/08/20 23:04:18 | 000,100,784 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\DWHWizrd.exe
PRC - [2011/08/20 23:04:16 | 000,137,224 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
PRC - [2011/08/12 10:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
PRC - [2011/08/12 08:54:14 | 006,198,168 | ---- | M] (Telstra) -- C:\Program Files\Telstra\Mobile Broadband Manager\TelstraUCM.exe
PRC - [2011/08/10 11:53:46 | 000,094,880 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2011/07/29 10:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2011/06/24 12:10:22 | 000,238,960 | ---- | M] (Sierra Wireless, Inc.) -- C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe
PRC - [2010/09/22 18:11:26 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2010/01/15 23:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2008/12/21 12:48:50 | 000,200,704 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2008/11/18 20:19:28 | 000,483,420 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
PRC - [2008/11/18 20:19:28 | 000,241,746 | ---- | M] (IDT, Inc.) -- c:\Program Files\IDT\DellXPM09B_6124v037\WDM\stacsv.exe
PRC - [2008/09/16 20:03:50 | 000,050,472 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2008/08/28 15:20:22 | 000,049,250 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2008/08/27 11:37:10 | 000,471,040 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\AESTFltr.exe
PRC - [2008/07/10 20:42:14 | 000,819,200 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2008/07/10 20:32:38 | 000,352,256 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe
PRC - [2008/07/10 20:30:46 | 001,351,680 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
PRC - [2008/07/10 20:23:22 | 000,901,120 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2008/07/10 20:13:50 | 001,191,936 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
PRC - [2008/07/10 20:12:40 | 000,466,944 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2008/04/14 10:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/10/25 17:23:36 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe


========== Modules (No Company Name) ==========

MOD - [2011/12/11 21:38:14 | 000,052,736 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll
MOD - [2011/12/11 21:38:13 | 000,063,488 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
MOD - [2011/10/21 21:31:48 | 000,117,760 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
MOD - [2011/10/21 21:31:47 | 000,052,224 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/07/29 10:09:42 | 000,096,112 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2011/07/29 10:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2011/03/17 00:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2009/02/27 16:39:29 | 000,019,968 | ---- | M] () -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.DEU
MOD - [2009/02/27 16:32:27 | 000,020,480 | ---- | M] () -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.FRA
MOD - [2008/07/10 20:25:20 | 000,057,344 | ---- | M] () -- C:\Program Files\Common Files\Intel\WirelessCommon\CustomUIResource.dll
MOD - [2008/07/10 20:15:30 | 000,200,704 | ---- | M] () -- C:\Program Files\Intel\WiFi\bin\iWMSProv.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/10/23 09:08:26 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/20 23:04:24 | 001,664,744 | ---- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe -- (SmcService)
SRV - [2011/08/20 23:04:24 | 000,280,496 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe -- (SNAC)
SRV - [2011/08/20 23:04:16 | 000,137,224 | ---- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe -- (SepMasterService)
SRV - [2011/08/12 10:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/08/10 11:53:46 | 000,094,880 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2011/06/24 12:10:22 | 000,238,960 | ---- | M] (Sierra Wireless, Inc.) [Auto | Running] -- C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe -- (SwiCardDetectSvc)
SRV - [2010/01/15 23:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2008/11/18 20:19:28 | 000,241,746 | ---- | M] (IDT, Inc.) [Auto | Running] -- c:\Program Files\IDT\DellXPM09B_6124v037\WDM\stacsv.exe -- (STacSV)
SRV - [2008/07/10 20:42:14 | 000,819,200 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV - [2008/07/10 20:32:38 | 000,352,256 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe -- (WLANKEEPER) Intel(R)
SRV - [2008/07/10 20:23:22 | 000,901,120 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2008/07/10 20:12:40 | 000,466,944 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)


========== Driver Services (SafeList) ==========

DRV - [2011/11/15 12:18:21 | 000,819,320 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20111124.011\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/11/10 09:12:21 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/11/10 09:12:21 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/11/09 10:31:17 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20111210.007\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/11/09 10:31:17 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20111210.007\NAVENG.SYS -- (NAVENG)
DRV - [2011/10/21 12:25:06 | 000,127,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/08/20 23:04:36 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\symtdi.sys -- (SYMTDI)
DRV - [2011/08/20 23:04:34 | 000,756,856 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\Drivers\SEP\0C01029F\136B.105\x86\SYMEFA.SYS -- (SymEFA)
DRV - [2011/08/20 23:04:34 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtsp.sys -- (SRTSP)
DRV - [2011/08/20 23:04:34 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\SEP\0C01029F\136B.105\x86\SYMDS.SYS -- (SymDS)
DRV - [2011/08/20 23:04:34 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys -- (SymIRON)
DRV - [2011/08/20 23:04:34 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtspx.sys -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/07/23 03:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/13 08:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/07/10 10:30:34 | 000,215,552 | R--- | M] (Sierra Wireless Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swg3kser00.sys -- (swg3kser00)
DRV - [2011/07/10 10:30:34 | 000,083,968 | R--- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swiwdmbx.sys -- (swiwdmbx)
DRV - [2011/07/10 10:30:32 | 000,208,128 | R--- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swnc8ua3.sys -- (SWNC8UA3) Sierra Wireless MUX NDIS Driver (UMTSA3)
DRV - [2011/07/10 10:30:24 | 000,007,680 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\massfilter.sys -- (massfilter)
DRV - [2010/10/14 17:51:01 | 000,132,480 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\isatmdm.sys -- (isatmdm)
DRV - [2010/10/14 17:51:01 | 000,121,984 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\isatobex.sys -- (isatobex) IsatPhone Pro 1.0 OBEX Drivers (WDM)
DRV - [2010/10/14 17:51:01 | 000,014,848 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\isatmdfl.sys -- (isatmdfl)
DRV - [2010/10/14 17:51:00 | 000,104,448 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\isatbus.sys -- (isatbus)
DRV - [2008/11/18 20:19:28 | 001,392,819 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2008/08/27 11:37:18 | 000,112,128 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
DRV - [2008/07/24 18:42:48 | 000,170,032 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/06/26 06:15:34 | 003,630,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel(R)
DRV - [2008/06/25 10:46:58 | 000,985,728 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2008/06/25 10:46:18 | 000,210,688 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2008/06/25 10:46:14 | 000,731,264 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2008/04/18 15:48:50 | 000,011,904 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2008/04/04 13:40:50 | 000,244,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel(R)
DRV - [2007/02/24 14:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/05/13 18:27:56 | 000,028,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbccid.sys -- (USBCCID)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_0
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ninemsn.com.au/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-au
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C0 B5 74 15 8E 8F CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = nexus.*;nexus;10.10.10.1;
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.10.10.254:3128

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Secure Search"
FF - prefs.js..browser.startup.homepage: "www.redbubble.com/people/bcossart"
FF - prefs.js..keyword.URL: "http://au.search.yahoo.com/search?fr=mcafee&p="
FF - prefs.js..network.proxy.ftp: "10.10.10.254"
FF - prefs.js..network.proxy.ftp_port: 3128
FF - prefs.js..network.proxy.http: "10.10.10.254"
FF - prefs.js..network.proxy.http_port: 3128
FF - prefs.js..network.proxy.no_proxies_on: "nexus.*,nexus,10.10.10.1,localhost,127.0.0.1"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "10.10.10.254"
FF - prefs.js..network.proxy.socks_port: 3128
FF - prefs.js..network.proxy.ssl: "10.10.10.254"
FF - prefs.js..network.proxy.ssl_port: 3128
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011/11/01 21:12:43 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2011/12/01 17:54:33 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/20 18:32:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/20 18:32:02 | 000,000,000 | ---D | M]

[2011/10/21 18:05:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\BryanC\Application Data\Mozilla\Extensions
[2011/10/21 18:05:14 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/12/01 17:54:33 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
[2011/11/09 20:01:45 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/09/29 12:30:22 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/09/29 12:16:42 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/09/29 12:30:22 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/09/29 12:30:22 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/12/01 20:44:08 | 000,002,027 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml
[2011/09/29 12:30:22 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

Re: vbs.runauto

OTL part 2:

O1 HOSTS File: ([2008/04/14 10:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (DivX Plus Web Player HTML5

Re: vbs.runauto

OTL part 3:

[2011/11/20 15:14:27 | 001,645,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\gdiplus.dll
[2011/11/20 15:14:27 | 000,704,512 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\ijl20.dll
[2011/11/20 15:14:27 | 000,598,016 | ---- | C] (AVTECH) -- C:\WINDOWS\System32\AVC_AP_MPEG4.dll
[2011/11/20 15:14:22 | 001,204,224 | ---- | C] (AVTECH) -- C:\WINDOWS\System32\AVC_JPEG.dll
[2011/11/20 15:14:22 | 000,905,216 | ---- | C] (AVTECH) -- C:\WINDOWS\System32\AVC_LIVE.dll
[2011/11/20 15:14:22 | 000,778,240 | ---- | C] (AVTECH) -- C:\WINDOWS\System32\AVC_PB.dll
[2011/11/20 15:14:22 | 000,598,016 | ---- | C] (AVTECH) -- C:\WINDOWS\System32\AVC_MPEG4.dll
[2011/11/20 15:14:22 | 000,225,280 | ---- | C] (AVTECH) -- C:\WINDOWS\System32\AVC_RTSP.dll
[2011/11/20 15:14:22 | 000,131,072 | ---- | C] (AV-TECH) -- C:\WINDOWS\System32\AVC_NATT.dll
[2011/11/20 14:14:58 | 000,121,984 | R--- | C] (MCCI) -- C:\WINDOWS\System32\drivers\isatobex.sys
[2011/11/20 14:14:19 | 000,132,480 | R--- | C] (MCCI) -- C:\WINDOWS\System32\drivers\isatmdm.sys
[2011/11/20 14:14:19 | 000,014,848 | R--- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\isatmdfl.sys
[2011/11/20 14:14:19 | 000,012,544 | R--- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\isatcmnt.sys
[2011/11/20 14:14:19 | 000,012,544 | R--- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\isatcm.sys
[2011/11/20 14:13:49 | 000,104,448 | R--- | C] (MCCI) -- C:\WINDOWS\System32\drivers\isatbus.sys
[2011/11/20 14:13:49 | 000,012,416 | R--- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\isatwhnt.sys
[2011/11/20 14:13:49 | 000,012,416 | R--- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\isatwh.sys
[2011/11/20 13:48:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\BryanC\Application Data\XCPCSync.OEM
[2011/11/20 13:48:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IsatPhone Pro
[2011/11/20 13:48:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\XCPCSync.OEM
[2011/11/20 13:48:31 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2011/11/20 13:45:58 | 000,000,000 | ---D | C] -- C:\Program Files\Inmarsat
[2011/11/19 09:43:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\BryanC\Local Settings\Application Data\Apple Computer
[2011/11/19 09:43:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\BryanC\Application Data\Apple Computer
[2011/11/19 09:43:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/11/19 09:43:35 | 000,106,928 | ---- | C] (GEAR Software Inc.) -- C:\WINDOWS\System32\GEARAspi.dll
[2011/11/19 09:42:42 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/11/19 09:42:39 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/11/19 09:42:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2011/11/19 09:42:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/11/19 09:42:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\BryanC\Local Settings\Application Data\Apple
[2011/11/19 09:42:07 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2011/11/19 09:42:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2011/11/19 09:41:54 | 004,517,664 | ---- | C] (Apple, Inc.) -- C:\WINDOWS\System32\usbaaplrc.dll
[2011/11/19 09:40:59 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2011/11/19 09:40:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2011/11/19 08:58:05 | 000,000,000 | ---D | C] -- C:\Program Files\uTorrent
[2011/11/19 08:57:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\BryanC\Local Settings\Application Data\uTorrent
[2011/11/19 08:57:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\BryanC\Application Data\uTorrent
[2011/11/13 18:37:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\BryanC\Application Data\Google
[2011/11/13 18:36:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[2010/10/14 17:51:30 | 000,151,552 | ---- | C] ( ) -- C:\WINDOWS\System32\STAPI.dll
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/12 07:40:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/12 05:31:00 | 000,000,512 | ---- | M] () -- C:\WINDOWS\tasks\SUPERAntiSpyware Scheduled Task 689b276f-f97f-4962-8275-d7a02d36e051.job
[2011/12/12 02:00:00 | 000,000,512 | ---- | M] () -- C:\WINDOWS\tasks\SUPERAntiSpyware Scheduled Task 3c597229-9f12-4f34-a86b-35b51967c483.job
[2011/12/11 21:10:08 | 000,071,390 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/12/11 21:10:03 | 000,184,802 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/12/11 21:09:59 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/11 21:09:57 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/11 20:57:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/09 09:20:00 | 000,000,580 | ---- | M] () -- C:\Documents and Settings\BryanC\Desktop\Shortcut to Connect to Small Business Server.lnk
[2011/12/09 08:40:07 | 000,019,092 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2011/12/09 08:40:04 | 000,000,744 | RHS- | M] () -- C:\Documents and Settings\BryanC\ntuser.pol
[2011/12/07 21:16:29 | 000,142,848 | ---- | M] () -- C:\Documents and Settings\BryanC\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/12/07 13:53:17 | 000,001,726 | ---- | M] () -- C:\Documents and Settings\BryanC\Desktop\Synergy (2).lnk
[2011/12/07 07:06:24 | 013,508,119 | ---- | M] () -- C:\Documents and Settings\BryanC\Application Data\SMRBackup210.dat
[2011/12/07 07:06:24 | 000,000,220 | ---- | M] () -- C:\boot.ini
[2011/12/06 09:02:44 | 000,001,716 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Synergy.lnk
[2011/12/05 09:00:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/12/04 19:07:46 | 000,483,214 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/12/04 19:07:46 | 000,085,324 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/02 07:26:56 | 000,001,055 | ---- | M] () -- C:\Documents and Settings\BryanC\Desktop\Norton Installation Files.lnk
[2011/12/01 07:29:25 | 000,001,164 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Bootable Recovery Tool Wizard.LNK
[2011/11/30 20:52:47 | 000,001,619 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
[2011/11/30 20:52:47 | 000,001,611 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2011/11/28 20:55:09 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/11/28 19:06:03 | 000,000,946 | ---- | M] () -- C:\Documents and Settings\BryanC\Desktop\AVS4YOU Software Navigator.lnk
[2011/11/28 19:05:48 | 000,000,897 | ---- | M] () -- C:\Documents and Settings\BryanC\Desktop\AVS Video Converter 6.lnk
[2011/11/28 08:26:56 | 000,000,266 | ---- | M] () -- C:\Documents and Settings\BryanC\My Documents\NATT_DBG.dbg
[2011/11/26 08:13:18 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/11/23 11:10:00 | 000,000,773 | ---- | M] () -- C:\Documents and Settings\BryanC\Desktop\Hyspan_SpanTables_Mar05.lnk
[2011/11/22 22:57:17 | 000,001,826 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mobile Broadband Manager.lnk
[2011/11/21 16:02:06 | 000,001,742 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 9 Pro Extended.lnk
[2011/11/20 18:31:49 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2011/11/20 15:15:08 | 000,000,718 | ---- | M] () -- C:\Documents and Settings\BryanC\Desktop\VideoViewer.lnk
[2011/11/20 15:14:32 | 000,017,408 | ---- | M] (Microsoft Corporation) -- C:\psapi.dll
[2011/11/20 14:13:22 | 000,016,654 | ---- | M] () -- C:\ads_err.adt
[2011/11/20 14:13:22 | 000,003,072 | ---- | M] () -- C:\ads_err.adi
[2011/11/20 13:48:57 | 000,002,048 | ---- | M] () -- C:\ads_err.adm
[2011/11/19 09:43:39 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/11/19 08:58:06 | 000,000,648 | ---- | M] () -- C:\Documents and Settings\BryanC\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2011/11/19 08:58:06 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk
[2011/11/17 16:13:34 | 000,000,061 | ---- | M] () -- C:\WINDOWS\ccolwiz.ini
[2011/11/17 09:42:25 | 000,000,426 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2011/11/15 17:40:52 | 000,000,691 | ---- | M] () -- C:\Documents and Settings\BryanC\Desktop\Timesheets 2011.lnk
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/07 13:53:17 | 000,001,726 | ---- | C] () -- C:\Documents and Settings\BryanC\Desktop\Synergy (2).lnk
[2011/12/06 09:02:44 | 000,001,716 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Synergy.lnk
[2011/12/05 07:02:49 | 013,508,119 | ---- | C] () -- C:\Documents and Settings\BryanC\Application Data\SMRBackup210.dat
[2011/12/01 07:29:25 | 000,001,164 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton Bootable Recovery Tool Wizard.LNK
[2011/12/01 07:28:50 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NBRTWizard\0401000.00F\isolate.ini
[2011/12/01 07:13:21 | 000,001,055 | ---- | C] () -- C:\Documents and Settings\BryanC\Desktop\Norton Installation Files.lnk
[2011/11/28 20:46:35 | 000,001,619 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
[2011/11/28 20:46:35 | 000,001,611 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2011/11/28 19:06:03 | 000,000,946 | ---- | C] () -- C:\Documents and Settings\BryanC\Desktop\AVS4YOU Software Navigator.lnk
[2011/11/28 19:05:47 | 000,000,897 | ---- | C] () -- C:\Documents and Settings\BryanC\Desktop\AVS Video Converter 6.lnk
[2011/11/26 08:13:18 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/11/23 11:09:16 | 000,000,773 | ---- | C] () -- C:\Documents and Settings\BryanC\Desktop\Hyspan_SpanTables_Mar05.lnk
[2011/11/22 22:57:17 | 000,001,826 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mobile Broadband Manager.lnk
[2011/11/20 18:31:49 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2011/11/20 15:15:13 | 000,000,266 | ---- | C] () -- C:\Documents and Settings\BryanC\My Documents\NATT_DBG.dbg
[2011/11/20 15:15:08 | 000,000,718 | ---- | C] () -- C:\Documents and Settings\BryanC\Desktop\VideoViewer.lnk
[2011/11/20 15:14:27 | 000,794,624 | ---- | C] () -- C:\WINDOWS\System32\AVC_AP_H264.dll
[2011/11/20 15:14:22 | 000,794,624 | ---- | C] () -- C:\WINDOWS\System32\AVC_H264.dll
[2011/11/20 13:48:57 | 000,016,654 | ---- | C] () -- C:\ads_err.adt
[2011/11/20 13:48:57 | 000,003,072 | ---- | C] () -- C:\ads_err.adi
[2011/11/20 13:48:57 | 000,002,048 | ---- | C] () -- C:\ads_err.adm
[2011/11/19 09:43:39 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/11/19 09:42:12 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/11/19 09:42:08 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2011/11/19 08:58:06 | 000,000,648 | ---- | C] () -- C:\Documents and Settings\BryanC\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2011/11/19 08:58:06 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk
[2011/11/17 09:35:01 | 000,000,061 | ---- | C] () -- C:\WINDOWS\ccolwiz.ini
[2011/11/15 17:40:34 | 000,000,691 | ---- | C] () -- C:\Documents and Settings\BryanC\Desktop\Timesheets 2011.lnk
[2011/11/15 16:35:24 | 000,001,413 | ---- | C] () -- C:\Documents and Settings\BryanC\Desktop\WIH Canberra - Shortcut.lnk
[2011/11/13 18:35:19 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/11/13 18:35:19 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/10/25 19:23:27 | 000,645,278 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-2822720404-3006480766-3358018635-1149-0.dat
[2011/10/25 19:23:27 | 000,357,566 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/10/24 18:27:45 | 000,142,848 | ---- | C] () -- C:\Documents and Settings\BryanC\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/10/23 22:53:47 | 000,782,336 | ---- | C] () -- C:\WINDOWS\System32\IlmImf.dll
[2011/10/23 22:53:47 | 000,446,464 | ---- | C] () -- C:\WINDOWS\System32\Photomatix_jpg.dll
[2011/10/23 22:53:47 | 000,353,280 | ---- | C] () -- C:\WINDOWS\System32\pmtf2.dll
[2011/10/23 22:53:47 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\Photomatix25Lib.dll
[2011/10/23 22:53:47 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\Photomatix25Lib2.dll
[2011/10/23 22:53:47 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\pmtf1.dll
[2011/10/23 22:53:47 | 000,204,288 | ---- | C] () -- C:\WINDOWS\System32\pmtf3.dll
[2011/10/23 22:53:47 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\Photomatix25Lib3.dll
[2011/10/23 22:53:47 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\pmexr.dll
[2011/10/23 22:53:47 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmbm.dll
[2011/10/21 12:15:32 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2011/10/21 08:26:42 | 000,071,390 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2011/10/21 08:26:00 | 001,630,208 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2011/10/21 08:25:59 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2011/10/21 08:25:59 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2011/10/21 08:25:58 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2011/10/21 08:25:56 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2011/10/21 08:25:55 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2011/10/21 08:25:51 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2011/10/21 08:25:49 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2011/10/20 22:17:13 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/10/20 22:16:16 | 001,568,672 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/10/20 12:42:21 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/10/20 12:38:22 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/14 10:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 10:00:00 | 000,483,214 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 10:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 10:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 10:00:00 | 000,085,324 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 10:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 10:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 10:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 10:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 10:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2005/04/15 14:52:33 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/04/15 14:52:33 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

========== Custom Scans ==========


< %APPDATA%\Microsoft\*.* >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %USERPROFILE%\Desktop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\winn32\*.* >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.exe >
[2011/11/09 20:01:45 | 000,125,912 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\crashreporter.exe
[2011/11/09 20:01:45 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2011/11/09 20:01:42 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
[2011/11/09 20:01:42 | 000,269,272 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\updater.exe

< %ProgramFiles%\TinyProxy. >

< %systemroot%\system32\*.* /lockedfiles >
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.* /lockedfiles >

< %PROGRAMFILES%\*. >
[2011/10/26 07:21:36 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2011/11/19 09:42:07 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2011/11/28 19:06:02 | 000,000,000 | ---D | M] -- C:\Program Files\AVS4YOU
[2011/11/19 09:41:35 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2011/12/01 17:54:20 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2011/10/20 12:38:21 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2011/10/21 08:31:33 | 000,000,000 | ---D | M] -- C:\Program Files\CONEXANT
[2011/10/20 12:57:26 | 000,000,000 | ---D | M] -- C:\Program Files\Dell
[2011/10/22 08:26:12 | 000,000,000 | ---D | M] -- C:\Program Files\DellTPad
[2011/11/01 21:12:47 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2011/11/13 18:36:38 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2011/10/21 08:27:36 | 000,000,000 | ---D | M] -- C:\Program Files\IDT
[2011/11/20 13:45:58 | 000,000,000 | ---D | M] -- C:\Program Files\Inmarsat
[2011/10/29 10:38:42 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2011/10/21 08:33:40 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2011/11/20 18:32:02 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2011/10/29 10:38:43 | 000,000,000 | ---D | M] -- C:\Program Files\InterVideo
[2011/11/19 09:42:42 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2011/11/19 09:43:32 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2011/10/21 21:40:15 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/12/01 20:14:59 | 000,000,000 | ---D | M] -- C:\Program Files\McAfee
[2011/11/30 20:52:43 | 000,000,000 | ---D | M] -- C:\Program Files\McAfee Security Scan
[2011/10/20 14:40:55 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2011/10/21 14:05:45 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Analysis Services
[2011/10/20 12:41:01 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2011/10/21 14:08:20 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2011/10/24 15:12:33 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2011/10/21 11:52:23 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Windows Small Business Server
[2011/10/21 14:36:00 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2011/10/20 14:27:43 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2011/11/09 20:02:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2011/10/21 20:32:43 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2011/10/20 12:37:37 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2011/10/20 12:38:09 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2011/11/20 13:48:31 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2011/10/20 12:39:31 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2011/12/01 07:28:51 | 000,000,000 | ---D | M] -- C:\Program Files\Norton Bootable Recovery Tool Wizard
[2011/12/01 07:24:24 | 000,000,000 | ---D | M] -- C:\Program Files\NortonInstaller
[2011/10/20 12:38:16 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2011/10/20 14:27:54 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2011/10/23 23:10:35 | 000,000,000 | ---D | M] -- C:\Program Files\Photomatix
[2011/11/20 18:32:01 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2011/10/21 20:32:40 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2011/10/29 08:24:00 | 000,000,000 | ---D | M] -- C:\Program Files\Roxio
[2011/11/22 22:55:04 | 000,000,000 | ---D | M] -- C:\Program Files\Sierra Wireless Inc
[2011/11/26 08:13:18 | 000,000,000 | R--D | M] -- C:\Program Files\Skype
[2011/11/12 07:45:49 | 000,000,000 | ---D | M] -- C:\Program Files\SUPERAntiSpyware
[2011/10/21 13:57:52 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec
[2011/11/10 16:35:41 | 000,000,000 | ---D | M] -- C:\Program Files\Tekla
[2011/11/10 16:39:42 | 000,000,000 | ---D | M] -- C:\Program Files\Tekla BIMsight
[2011/11/22 22:55:04 | 000,000,000 | ---D | M] -- C:\Program Files\Telstra
[2011/12/06 09:02:37 | 000,000,000 | ---D | M] -- C:\Program Files\Total Synergy
[2011/10/20 12:49:24 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2011/11/19 08:58:05 | 000,000,000 | ---D | M] -- C:\Program Files\uTorrent
[2011/11/28 08:26:54 | 000,000,000 | ---D | M] -- C:\Program Files\VideoViewer
[2011/10/21 20:30:23 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Desktop Search
[2011/10/21 20:29:42 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2011/10/21 20:29:41 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2011/10/20 12:38:02 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2011/10/20 12:39:57 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2011/10/20 12:41:01 | 000,000,000 | ---D | M] -- C:\Program Files\xerox

Re: vbs.runauto
OTL Part 4



< MD5 for: AGP440.SYS >
[2008/04/14 10:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 10:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 10:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: DISK.SYS >
[2008/04/14 10:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/04/14 10:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: IASTOR.SYS >
[2008/07/21 03:44:44 | 000,324,120 | ---- | M] (Intel Corporation) MD5=707C1692214B1C290271067197F075F6 -- C:\WINDOWS\Dell\Intel\IaStor.sys
[2008/07/21 03:44:44 | 000,324,120 | ---- | M] (Intel Corporation) MD5=707C1692214B1C290271067197F075F6 -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 10:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 10:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-11-29 06:26:45

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/11/09 20:01:42 | 000,713,552 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/11/09 20:01:42 | 000,713,552 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/11/09 20:01:42 | 000,713,552 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/11/09 20:01:45 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/11/09 20:01:45 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/11/09 20:01:45 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/08/22 22:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/08/22 22:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/08/22 22:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 15:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 15:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/11/09 20:01:42 | 000,713,552 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/11/09 20:01:42 | 000,713,552 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/11/09 20:01:42 | 000,713,552 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/11/09 20:01:45 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/11/09 20:01:45 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/11/09 20:01:45 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/08/22 22:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/08/22 22:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/08/22 22:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 15:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 15:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< End of report >

Re: vbs.runauto
Extras now.


OTL Extras logfile created on: 12/12/2011 7:52:11 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\BryanC\My Documents\Downloads\geek
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

3.49 Gb Total Physical Memory | 2.16 Gb Available Physical Memory | 62.06% Memory free
5.32 Gb Paging File | 4.05 Gb Available in Paging File | 76.10% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 235.81 Gb Free Space | 50.63% Space Free | Partition Type: NTFS

Computer Name: WORKSTATION-H | User Name: BryanC | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
"PolicyVersion" = 522

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall" = 1
"AllowLocalPolicyMerge" = 1
"AllowLocalIPsecPolicyMerge" = 1
"DefaultInboundAction" = 1
"DefaultOutboundAction" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"Enabled" = 1
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
"Enabled" = 1
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"135:TCP:*:Enabled:Offer Remote Assistance - Port" = 135:TCP:*:Enabled:Offer Remote Assistance - Port

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings]
"AllowOutboundDestinationUnreachable" = 0
"AllowOutboundSourceQuench" = 0
"AllowRedirect" = 0
"AllowInboundEchoRequest" = 1
"AllowInboundRouterRequest" = 0
"AllowOutboundTimeExceeded" = 0
"AllowOutboundParameterProblem" = 0
"AllowInboundTimestampRequest" = 0
"AllowInboundMaskRequest" = 0
"AllowOutboundPacketTooBig" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" = 10.10.10.3

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = LocalSubnet

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = *

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules]
"RemoteAdmin-RPCSS-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=RPC-EPMap|App=%SystemRoot%\system32\svchost.exe|Svc=RPCSS|Name=@FirewallAPI.dll,-29765|Desc=@FirewallAPI.dll,-29768|EmbedCtxt=@FirewallAPI.dll,-29752|
"RemoteAdmin-NP-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=445|App=System|Name=@FirewallAPI.dll,-29757|Desc=@FirewallAPI.dll,-29760|EmbedCtxt=@FirewallAPI.dll,-29752|
"RemoteAdmin-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=RPC|App=%SystemRoot%\system32\svchost.exe|Svc=*|Name=@FirewallAPI.dll,-29753|Desc=@FirewallAPI.dll,-29756|RMauth=O:LSD:(A;;CC;;;S-1-5-21-2822720404-3006480766-3358018635-2232)|EmbedCtxt=@FirewallAPI.dll,-29752|Security=Authenticate|Security2_9=An-NoEncap|

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts]
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email
"C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE:*:Enabled:Microsoft OneNote -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\VideoViewer\VideoViewer.exe" = C:\Program Files\VideoViewer\VideoViewer.exe:*:Enabled:VideoViewer -- ()
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\VideoViewer\VideoViewer.exe" = C:\Program Files\VideoViewer\VideoViewer.exe:*:Enabled:VideoViewer -- ()
"C:\Program Files\Telstra\Mobile Broadband Manager\SwiApiMuxX.exe" = C:\Program Files\Telstra\Mobile Broadband Manager\SwiApiMuxX.exe:*:Enabled:SwiApiMuxX -- (Sierra Wireless, Inc.)
"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE:*:Enabled:Microsoft Outlook -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{04C286B2-8D7A-4285-AFCD-C22ABE1CE83F}" = Tekla Model Sharing Foundation, WebViewerXml plugin 1.8
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE 10.3
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{2220CF3A-EBD6-4070-94D0-0C7337B537A7}" = All Day Battery Life Configuration
"{23E5032B-56CA-4C19-A72E-B50161DB82CA}" = Shadow Copy Client
"{27F61E7D-8C8D-4C32-8CBF-7B1C56C76628}" = Mobile Broadband Manager
"{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2F056E04-DDCE-4E55-AF63-CDEA741C5521}" = Total Synergy Application Suite
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3127F76D-5335-4AC7-BD1E-2F5247A23C24}" = iTunes
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}" = Adobe Photoshop CS3
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Media Driver Ver.3.53.02
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8DFA9AE5-A5BD-4976-952F-75E95E72D6BD}" = Tekla Model Sharing Foundation, Clash Check 2.7
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90140000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 14
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.SingleImage_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A22E44CE-24D2-4332-9F83-4CFA173429F0}" = Tekla Model Sharing Foundation, DGN import plugin 1.8
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3AEEA68-AC93-4F6F-8D2D-78BBF7E422B8}" = Symantec Endpoint Protection
"{A59CC3B2-CD2C-4A4F-820F-9D79CECA285C}" = Tekla Model Sharing Foundation, IFC import plugin 1.53
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{AC76BA86-1033-F400-7761-000000000004}_946" = Adobe Acrobat 9.4.6 - CPSID_83708
"{AC76BA86-1033-F400-7761-000000000004}{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{AED53CDF-1046-4C6B-B5E2-C195125ECDA0}" = Intel(R) PROSet/Wireless WiFi Software
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BF8560CC-AA5E-4A0D-BDFE-18C92FCCFA68}" = Tekla Model Sharing Foundation, DWG import plugin 1.13
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C19B3EB6-B54C-3204-A4DF-88432E0C79F7}" = Microsoft ReportViewer 2010 Redistributable
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E5264BC6-4C47-4ADF-B1E7-00369A999B1C}" = Tekla BIMsight
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE 10.3
"{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}" = Adobe Setup
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe_719d6f144d0c086a0dfa7ff76bb9ac1" = Adobe Photoshop CS3
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
"AVS4YOU Video Converter 6_is1" = AVS Video Converter 6
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"DivX Setup" = DivX Setup
"ie8" = Windows Internet Explorer 8
"IsatPhone Pro" = IsatPhone Pro USB driver
"IsatPhone Pro contact synchronisation tool" = IsatPhone Pro contact synchronisation tool
"IsatPhone Pro firmware upgrade tool" = IsatPhone Pro firmware upgrade tool
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mobile Broadband Manager" = Telstra Mobile Broadband Manager
"Mozilla Firefox 8.0 (x86 en-GB)" = Mozilla Firefox 8.0 (x86 en-GB)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NBRTWizard" = Norton Bootable Recovery Tool Wizard
"NVIDIA Drivers" = NVIDIA Drivers
"Office14.SingleImage" = Microsoft Office Home and Business 2010
"Photomatix Pro_is1" = Photomatix Pro version 2.5
"Picasa 3" = Picasa 3
"ProInst" = Intel PROSet Wireless
"PROSet" = Intel(R) Network Connections Drivers
"uTorrent" = µTorrent
"Video Viewer" = Video Viewer
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/12/2011 4:53:03 PM | Computer Name = WORKSTATION-H | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!VBS.Runauto in File: C:\Documents and Settings\BryanC\Local
Settings\Temp\DWH11B7.tmp by: Auto-Protect scan. Action: Quarantine succeeded
: Access denied. Action Description: The file was quarantined successfully.

Error - 11/12/2011 4:54:04 PM | Computer Name = WORKSTATION-H | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!VBS.Runauto in File: C:\Documents and Settings\BryanC\Local
Settings\Temp\DWH11B9.tmp by: Auto-Protect scan. Action: Quarantine succeeded
: Access denied. Action Description: The file was quarantined successfully.

Error - 11/12/2011 4:55:05 PM | Computer Name = WORKSTATION-H | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!VBS.Runauto in File: C:\Documents and Settings\BryanC\Local
Settings\Temp\DWH11BB.tmp by: Auto-Protect scan. Action: Quarantine succeeded
: Access denied. Action Description: The file was quarantined successfully.

Error - 11/12/2011 4:56:06 PM | Computer Name = WORKSTATION-H | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!VBS.Runauto in File: C:\Documents and Settings\BryanC\Local
Settings\Temp\DWH11BD.tmp by: Auto-Protect scan. Action: Quarantine succeeded
: Access denied. Action Description: The file was quarantined successfully.

Error - 11/12/2011 4:57:09 PM | Computer Name = WORKSTATION-H | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!VBS.Runauto in File: C:\Documents and Settings\BryanC\Local
Settings\Temp\DWH11BF.tmp by: Auto-Protect scan. Action: Quarantine succeeded
: Access denied. Action Description: The file was quarantined successfully.

Error - 11/12/2011 4:58:13 PM | Computer Name = WORKSTATION-H | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!VBS.Runauto in File: C:\Documents and Settings\BryanC\Local
Settings\Temp\DWH11C.tmp by: Auto-Protect scan. Action: Quarantine succeeded :
Access denied. Action Description: The file was quarantined successfully.

Error - 11/12/2011 4:59:10 PM | Computer Name = WORKSTATION-H | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!VBS.Runauto in File: C:\Documents and Settings\BryanC\Local
Settings\Temp\DWH11E7.tmp by: Auto-Protect scan. Action: Quarantine succeeded
: Access denied. Action Description: The file was quarantined successfully.

Error - 11/12/2011 5:00:41 PM | Computer Name = WORKSTATION-H | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!VBS.Runauto in File: C:\Documents and Settings\BryanC\Local
Settings\Temp\DWH11C3.tmp by: Auto-Protect scan. Action: Quarantine succeeded
: Access denied. Action Description: The file was quarantined successfully.

Error - 11/12/2011 5:01:54 PM | Computer Name = WORKSTATION-H | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!VBS.Runauto in File: C:\Documents and Settings\BryanC\Local
Settings\Temp\DWH11C5.tmp by: Auto-Protect scan. Action: Quarantine succeeded
: Access denied. Action Description: The file was quarantined successfully.

Error - 11/12/2011 5:02:56 PM | Computer Name = WORKSTATION-H | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!VBS.Runauto in File: C:\Documents and Settings\BryanC\Local
Settings\Temp\DWH11C7.tmp by: Auto-Protect scan. Action: Quarantine succeeded
: Access denied. Action Description: The file was quarantined successfully.

[ System Events ]
Error - 8/12/2011 5:34:54 PM | Computer Name = WORKSTATION-H | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Activation
permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 8/12/2011 5:34:55 PM | Computer Name = WORKSTATION-H | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 8/12/2011 5:34:55 PM | Computer Name = WORKSTATION-H | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 8/12/2011 5:34:55 PM | Computer Name = WORKSTATION-H | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 11/12/2011 5:57:28 AM | Computer Name = WORKSTATION-H | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain NORTHROP-CANB due to
the following: %%1311. Make sure that the computer is connected to the network and
try again. If the problem persists, please contact your domain administrator.

Error - 11/12/2011 5:57:37 AM | Computer Name = WORKSTATION-H | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 11/12/2011 5:57:37 AM | Computer Name = WORKSTATION-H | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 11/12/2011 5:57:37 AM | Computer Name = WORKSTATION-H | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 11/12/2011 5:57:37 AM | Computer Name = WORKSTATION-H | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Activation
permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 11/12/2011 6:12:31 AM | Computer Name = WORKSTATION-H | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Activation
permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.


< End of report >

Re: vbs.runauto

now security check

Results of screen317's Security Check version 0.99.28
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Symantec Endpoint Protection
McAfee Security Scan Plus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Adobe Flash Player 11.1.102.55
Mozilla Firefox (8.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````

Re: vbs.runauto

Hi,


Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

When saving ComboFix rename it to Belahzur.exe to prevent it from being blocked by malware.


Refer to this image:

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click Belahzur.exe to run it.

    You will see the following image:
[image: NSIS_disclaimer_ENG]

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

[image: NSIS_extraction]

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

[image: RcAuto1]

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: Whatnext]

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Re: vbs.runauto

ComboFix 11-12-15.02 - BryanC 15/12/2011 22:26:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.3572.2101 [GMT 11:00]
Running from: c:\documents and settings\BryanC\Desktop\Belahzur.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\CSC\d6
.
.
((((((((((((((((((((((((( Files Created from 2011-11-15 to 2011-12-15 )))))))))))))))))))))))))))))))
.
.
2011-12-05 22:02 . 2011-12-05 22:02 -------- d-----w- c:\program files\Total Synergy
2011-12-01 06:54 . 2011-12-01 06:54 -------- d-----w- c:\program files\Common Files\McAfee
2011-12-01 06:54 . 2011-12-01 09:14 -------- d-----w- c:\program files\McAfee
2011-11-30 22:03 . 2010-09-22 07:47 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2011-11-30 20:28 . 2011-11-30 20:28 -------- d-----w- c:\windows\system32\drivers\NBRTWizard
2011-11-30 20:28 . 2011-11-30 20:28 -------- d-----w- c:\program files\Norton Bootable Recovery Tool Wizard
2011-11-30 20:24 . 2011-11-30 20:24 -------- d-----w- c:\program files\NortonInstaller
2011-11-28 09:46 . 2011-11-30 09:52 -------- d-----w- c:\program files\McAfee Security Scan
2011-11-28 08:05 . 2011-11-28 08:05 -------- d-----w- c:\program files\Common Files\AVSMedia
2011-11-28 08:05 . 2011-11-28 08:06 -------- d-----w- c:\program files\AVS4YOU
2011-11-28 08:05 . 2007-02-27 07:36 974848 ----a-w- c:\windows\system32\mfc70.dll
2011-11-28 08:05 . 2007-02-27 07:36 487424 ----a-w- c:\windows\system32\msvcp70.dll
2011-11-28 08:05 . 2007-02-27 07:36 344064 ----a-w- c:\windows\system32\msvcr70.dll
2011-11-28 08:05 . 2007-02-27 07:36 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-11-23 13:54 . 2011-11-23 13:55 -------- d-----w- C:\D
2011-11-22 19:55 . 2008-04-13 18:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-11-22 19:55 . 2001-08-17 11:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-11-22 19:54 . 2008-04-13 13:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-11-22 19:54 . 2008-04-13 13:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-11-22 11:57 . 2011-11-22 11:57 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Sierra Wireless
2011-11-22 11:57 . 2011-07-09 23:30 105856 ----a-r- c:\windows\system32\drivers\ZTEusbser6k.sys
2011-11-22 11:57 . 2011-07-09 23:30 105856 ----a-r- c:\windows\system32\drivers\ZTEusbnmea.sys
2011-11-22 11:57 . 2011-07-09 23:30 7680 ----a-r- c:\windows\system32\drivers\massfilter.sys
2011-11-22 11:57 . 2011-07-09 23:30 114688 ----a-r- c:\windows\system32\drivers\ZTEusbnet.sys
2011-11-22 11:57 . 2011-07-09 23:30 105856 ----a-r- c:\windows\system32\drivers\ZTEusbmdm6k.sys
2011-11-22 11:57 . 2011-07-09 23:30 215552 ----a-r- c:\windows\system32\drivers\swg3kser00.sys
2011-11-22 11:56 . 2011-07-09 23:30 208128 ----a-r- c:\windows\system32\drivers\swnc8ua3.sys
2011-11-22 11:56 . 2011-07-09 23:30 83968 ----a-r- c:\windows\system32\drivers\swiwdmbx.sys
2011-11-22 11:55 . 2011-11-22 11:55 -------- d-----w- c:\program files\Telstra
2011-11-22 11:51 . 2011-11-22 11:55 -------- d-----w- c:\program files\Sierra Wireless Inc
2011-11-21 20:29 . 2011-12-06 10:37 -------- d-----w- C:\temppicture
2011-11-21 20:26 . 2011-11-27 21:26 -------- d-----w- C:\tempvideo
2011-11-21 04:57 . 2011-12-01 00:51 -------- d-----w- C:\_AcroTemp
2011-11-20 04:14 . 2011-11-27 21:26 -------- d-----w- c:\program files\VideoViewer
2011-11-20 04:14 . 2011-11-20 04:14 17408 ----a-w- C:\psapi.dll
2011-11-20 04:14 . 2009-02-12 04:54 598016 ------w- c:\windows\system32\AVC_AP_MPEG4.dll
2011-11-20 04:14 . 2009-02-09 03:34 794624 ------w- c:\windows\system32\AVC_AP_H264.dll
2011-11-20 04:14 . 2006-09-06 08:37 704512 ------w- c:\windows\system32\ijl20.dll
2011-11-20 04:14 . 2004-05-04 00:53 1645320 ------w- c:\windows\system32\gdiplus.dll
2011-11-20 04:14 . 2009-04-16 10:32 905216 ------w- c:\windows\system32\AVC_LIVE.dll
2011-11-20 04:14 . 2009-04-16 10:32 778240 ------w- c:\windows\system32\AVC_PB.dll
2011-11-20 04:14 . 2009-04-14 06:06 225280 ------w- c:\windows\system32\AVC_RTSP.dll
2011-11-20 04:14 . 2009-04-08 05:08 131072 ------w- c:\windows\system32\AVC_NATT.dll
2011-11-20 04:14 . 2009-04-02 09:55 1204224 ------w- c:\windows\system32\AVC_JPEG.dll
2011-11-20 04:14 . 2009-02-12 00:42 598016 ------w- c:\windows\system32\AVC_MPEG4.dll
2011-11-20 04:14 . 2009-02-09 23:03 794624 ------w- c:\windows\system32\AVC_H264.dll
2011-11-20 03:14 . 2010-10-14 06:51 121984 ----a-r- c:\windows\system32\drivers\isatobex.sys
2011-11-20 03:14 . 2010-10-14 06:51 14848 ----a-r- c:\windows\system32\drivers\isatmdfl.sys
2011-11-20 03:14 . 2010-10-14 06:51 132480 ----a-r- c:\windows\system32\drivers\isatmdm.sys
2011-11-20 03:14 . 2010-10-14 06:51 12544 ----a-r- c:\windows\system32\drivers\isatcmnt.sys
2011-11-20 03:14 . 2010-10-14 06:51 12544 ----a-r- c:\windows\system32\drivers\isatcm.sys
2011-11-20 03:13 . 2010-10-14 06:51 12416 ----a-r- c:\windows\system32\drivers\isatwhnt.sys
2011-11-20 03:13 . 2010-10-14 06:51 12416 ----a-r- c:\windows\system32\drivers\isatwh.sys
2011-11-20 03:13 . 2010-10-14 06:51 104448 ----a-r- c:\windows\system32\drivers\isatbus.sys
2011-11-20 02:48 . 2011-11-20 02:48 -------- d-----w- c:\program files\Common Files\XCPCSync.OEM
2011-11-20 02:48 . 2011-11-20 02:48 -------- d-----w- c:\program files\MSXML 4.0
2011-11-20 02:45 . 2011-11-20 02:45 -------- d-----w- c:\program files\Inmarsat
2011-11-18 22:43 . 2010-08-27 06:38 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2011-11-18 22:43 . 2009-06-12 10:18 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-11-18 22:42 . 2011-11-18 22:42 -------- d-----w- c:\program files\iPod
2011-11-18 22:42 . 2011-11-18 22:43 -------- d-----w- c:\program files\iTunes
2011-11-18 22:42 . 2011-11-18 22:42 -------- d-----w- c:\program files\Apple Software Update
2011-11-18 22:41 . 2011-08-02 06:38 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-11-18 22:41 . 2011-08-02 06:38 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-11-18 22:40 . 2011-11-18 22:42 -------- d-----w- c:\program files\Common Files\Apple
2011-11-18 21:58 . 2011-11-18 21:58 -------- d-----w- c:\program files\uTorrent
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 09:55 . 2011-10-29 11:29 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25 . 2008-04-13 23:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2008-04-13 23:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2008-04-13 23:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2008-04-13 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2008-04-13 23:00 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2008-04-13 23:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2008-04-13 23:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-13 23:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 03:29 . 2011-10-24 03:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 03:29 . 2011-10-24 03:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-21 01:26 . 2011-10-21 01:26 32208 ----a-w- c:\windows\system32\drivers\WGX.SYS
2011-10-21 01:26 . 2010-01-19 11:21 240048 ----a-w- c:\windows\system32\SymVPN.dll
2011-10-21 01:25 . 2011-10-21 01:17 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-10-21 01:25 . 2011-10-21 01:17 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-10-18 11:13 . 2008-04-13 23:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2011-10-20 01:38 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-13 23:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 01:41 . 2011-09-26 01:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 01:41 . 2008-04-13 23:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 01:41 . 2008-04-13 23:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-11-09 09:01 . 2011-10-21 07:05 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-11 4617600]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-12 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-31 13537280]
"nwiz"="nwiz.exe" [2008-07-31 1630208]
"NVHotkey"="nvHotkey.dll" [2008-07-31 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-31 86016]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-11-18 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-08-27 471040]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-07-10 1351680]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-07-10 1191936]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-21 200704]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-09-07 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-26 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-12 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-29 937920]
"BigPondWirelessBroadbandCM"="c:\program files\Telstra\Mobile Broadband Manager\TelstraUCM.exe" [2011-08-11 6198168]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\VideoViewer\\VideoViewer.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Telstra\\Mobile Broadband Manager\\SwiApiMuxX.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\SEP\0C01029F\136B.105\x86\SymDS.sys [20/08/2011 11:04 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\SEP\0C01029F\136B.105\x86\SymEFA.sys [20/08/2011 11:04 PM 756856]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20111124.011\BHDrvx86.sys [30/11/2011 10:31 AM 819320]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/07/2011 3:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [13/07/2011 8:55 AM 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys [20/08/2011 11:04 PM 136312]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 10:38 AM 116608]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/10/2011 9:40 PM 366152]
R2 SepMasterService;Symantec Endpoint Protection;c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe [20/08/2011 11:04 PM 137224]
R2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files\Sierra Wireless Inc\Common\SwiCardDetect.exe [24/06/2011 12:10 PM 238960]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [21/10/2011 8:27 AM 112128]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [20/10/2011 12:59 PM 244368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/11/2011 9:12 AM 106104]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/10/2011 9:40 PM 22216]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9/01/2010 9:37 PM 4640000]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [13/11/2011 6:35 PM 136176]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [1/12/2011 5:54 PM 94880]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [13/11/2011 6:35 PM 136176]
S3 isatbus;IsatPhone Pro Composite Device;c:\windows\system32\drivers\isatbus.sys [20/11/2011 2:13 PM 104448]
S3 isatmdfl;IsatPhone Pro 1.0 Modem Filter;c:\windows\system32\drivers\isatmdfl.sys [20/11/2011 2:14 PM 14848]
S3 isatmdm;IsatPhone Pro 1.0 Serial Interface Drivers;c:\windows\system32\drivers\isatmdm.sys [20/11/2011 2:14 PM 132480]
S3 isatobex;IsatPhone Pro 1.0 OBEX Drivers (WDM);c:\windows\system32\drivers\isatobex.sys [20/11/2011 2:14 PM 121984]
S3 massfilter;LTE Device Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [22/11/2011 10:57 PM 7680]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 11:49 PM 227232]
S3 swg3kser00;Sierra Wireless QMI USB Device for Legacy Serial Communication;c:\windows\system32\drivers\swg3kser00.sys [22/11/2011 10:57 PM 215552]
S3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\drivers\swiwdmbx.sys [22/11/2011 10:56 PM 83968]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [22/11/2011 10:56 PM 208128]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [14/04/2008 10:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 06:57]
.
2011-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-13 07:35]
.
2011-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-13 07:35]
.
2011-12-14 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 3c597229-9f12-4f34-a86b-35b51967c483.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2011-12-15 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 689b276f-f97f-4962-8275-d7a02d36e051.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_0
uInternet Settings,ProxyServer = 10.10.10.254:3128
uInternet Settings,ProxyOverride = nexus.*;nexus;10.10.10.1;
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\BryanC\Application Data\Mozilla\Firefox\Profiles\yxodf8xy.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - www.redbubble.com/people/bcossart
FF - prefs.js: keyword.URL - hxxp://au.search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.ftp - 10.10.10.254
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.http - 10.10.10.254
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 10.10.10.254
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 10.10.10.254
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Notify-SEP - c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll
SafeBoot-ccEvtMgr
SafeBoot-ccSetMgr
SafeBoot-Symantec Antivirus
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-15 22:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SepMasterService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SmcService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,4f,00,46,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(960)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(6120)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\sitead~1\saHook.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-15 22:36:14
ComboFix-quarantined-files.txt 2011-12-15 11:36
.
Pre-Run: 251,661,316,096 bytes free
Post-Run: 252,269,502,464 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /bootlog
.
- - End Of File - - F97DF27360EE057BC096DA5BD783B779

Re: vbs.runauto
Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.

Re: vbs.runauto

It didn't find anything.

Nortons is still finding it as we speak.

# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=0e2461d534e0f84dbc9755fbd712aff8
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-12-18 01:52:37
# local_time=2011-12-18 12:52:37 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 1522 1522 0 0
# scanned=171081
# found=0
# cleaned=0
# scan_time=7813

Re: vbs.runauto

This is the log from Nortons. Does that help?

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: VBS.Runauto
File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\SRTSP\Quarantine\APQ4E6.tmp
Location: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\SRTSP\Quarantine
Computer: WORKSTATION-H
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Sunday, 18 December 2011 1:02:05 PM

Re: vbs.runauto

These logs are popping up constantly. I close it and then another one pops up almost immediately.

see ya

Re: vbs.runauto

LOL, Norton is detecting its own quarantine! Fail!

Navigate to this folder: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\SRTSP\Quarantine

Delete everything inside it, let me know if the popups still happen now.

Re: vbs.runauto

Yeah, I tried that once but I can't get access to the folder. It says access denied.

Re: vbs.runauto
I have just added that folder as an "exception" in the symantec setup I'll see what happens.

Re: vbs.runauto

This is the Nortons log this morning. It popped up at 3.59 am, well after I changed the exceptions :-(

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: VBS.Runauto
File: C:\Documents and Settings\BryanC\Local Settings\temp\DWH1170.tmp
Location: C:\Documents and Settings\BryanC\Local Settings\temp
Computer: WORKSTATION-H
User: BryanC
Action taken: Pending Side Effects Analysis : Access denied
Date found: Thursday, 22 December 2011 3:59:13 AM

Re: vbs.runauto
Had a good day yesterday but it came back overnight. Norton log below:

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: VBS.Runauto
File: C:\Documents and Settings\BryanC\Local Settings\temp\DWH11A7.tmp
Location: C:\Documents and Settings\BryanC\Local Settings\temp
Computer: WORKSTATION-H
User: BryanC
Action taken: Pending Side Effects Analysis : Access denied
Date found: Friday, 23 December 2011 3:56:49 AM

Re: vbs.runauto

There were actually hundreds of these discovered, each in the same location with a different DWH*** file name.

any clues?

Re: vbs.runauto
Found this on the web. Any help?

http://www.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

Re: vbs.runauto
Hello.
Do you know this IP? it could be malicious: 10.10.10.254

Re: vbs.runauto

No, not really, but how would I know? Could it be something to do with my work network? Is it active at home?
How can I tell when it's active?

Re: vbs.runauto
I tried a trace on the IP and it doesn't trace back to anything, so we can remove it safely.

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Re: vbs.runauto

I will do that, but it is interesting that I rebooted in safe mode and disconnected from the net. I navigated to the directory where all the DWH files were and deleted them by highlighting them from latest to oldest so they could reproduce while I was deleting them (beats me if that makes any sense?). I haven't had a virus report all day or overnight. I did get one straight after the "fix" and it highlighted different files.

anyway here goes.

Re: vbs.runauto
Here's the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:48:07 AM, on 25/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\dellxpm09b_6124v037\wdm\stacsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Telstra\Mobile Broadband Manager\TelstraUCM.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
c:\PROGRA~1\mcafee\SITEAD~1\saui.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.254:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = nexus.*;nexus;10.10.10.1;
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5

Re: vbs.runauto
It came back this morning :-(

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: VBS.Runauto
File: C:\Documents and Settings\BryanC\Local Settings\temp\DWH84B8.tmp
Location: Quarantine
Computer: WORKSTATION-H
User: BryanC
Action taken: Quarantine succeeded : Access denied
Date found: Monday, 26 December 2011 3:58:44 AM

Re: vbs.runauto
Hello.

  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.254:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = nexus.*;nexus;10.10.10.1;


  • Press "Fix Checked"
  • Close Hijack This.

Reboot normally.
How is the machine running now?

Re: vbs.runauto

Before I do this, Nexus is our office intranet that operates when I'm at work.
Will that be affected?

Re: vbs.runauto
Ahh yeah it might be, okay don't do that.

What issues currently still exist?

Re: vbs.runauto

Same issues. Still get the Nortons pop-ups, though maybe not as often. I'll send the log from the next one if you wish.

Re: vbs.runauto
I take it back, they are just as often. That is almost continuous. I delete the Nortons message and another one appears within seconds.

here's the latest.
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: VBS.Runauto
File: C:\Documents and Settings\BryanC\Local Settings\temp\DWH996C.tmp
Location: Quarantine
Computer: WORKSTATION-H
User: BryanC
Action taken: Quarantine succeeded : Access denied
Date found: Friday, 6 January 2012 7:00:21 AM

Re: vbs.runauto
Sorry I should have sent log much sooner. They are still happening constantly.
Here's the latest log. Same as the rest :-(

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: VBS.Runauto
File: C:\Documents and Settings\BryanC\Local Settings\temp\DWHE517.tmp
Location: Quarantine
Computer: WORKSTATION-H
User: BryanC
Action taken: Quarantine succeeded : Access denied
Date found: Sunday, 15 January 2012 10:21:23 AM

Re: vbs.runauto
does this one have you stumped :-)

Re: vbs.runauto
Yes :/ everything looks fine, not sure what's causing it, not sure where the autorun is coming from, everything looks fine.

Are you using any external hardware?

Re: vbs.runauto

I use external hard drives reasonably regularly. I plug a phone in to charge. I use USB sticks and cards. It has a couple of card readers I have added to existing slots in the side.

VBS Runauto is supposed to be a virus that attaches itself to cards, isn't it?

I once tried cleaning the computer then not using the cards for a while, but it came back anyway.

Re: vbs.runauto

Yeah it is.

The machine is clean, but some of the external hardware is infected.


  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.
  10. Close My Computer.


Plug in any/all external hardware and look through the root of the drive for an autorun folder, or an autorun.inf/autorun.ini/autorun.pnf file, or any weirdly named files, could be cmd/bat files, if so, delete them - they are all malicious.

Re: vbs.runauto
I can't find anything.
I have removed the two card readers and the other thing I connect most often is my phone.

If you could confirm that the laptop is clean and I keep all external hardware away from it, we could check to see if the bug is on the laptop or an accessory, couldn't we?

I did that last time and the bug came back before I reconnected anything.

What do you think?

Re: vbs.runauto
The only thing hard to keep out of this test would be the office network :-(

Re: vbs.runauto

Hmmm, not sure.

Might be best to format the external hardware, take off anything you want and format them just to be sure.

Re: vbs.runauto

Thank you, done that.

can we run a scan to see if the computer is clean, then not connect any external hardware to see if it stays that way?

Re: vbs.runauto
I found this on a Toshiba Thumb Drive. It's called autorun.inf but it looks OK to me.

It does go away with a format.

"[AutoRun]
open=LaunchU3.exe -a
icon=LaunchU3.exe,0

[Definitions]
Launchpad=LaunchPad.exe
Vtype=1

[CopyFiles]
FileNumber=1
File1=LaunchPad.zip
[Update]
URL=http://www.toshiba.co.jp/p-media/english/u3/update/"

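The check the helper describes earlier (look through the root of each drive for autorun.inf, autorun.ini or autorun.pnf) and the Toshiba U3 file posted just above, worked through as an added example; this is not code from the thread, from Toshiba or from Symantec. It is a small parser for the INI-style autorun.inf format that lists every [autorun] entry able to launch a program and flags the ones pointing at script files or the Windows Script Host. Both embedded samples are constructed: U3_SAMPLE mirrors the posted U3 launcher file, WORM_SHAPED is a made-up file in the shape a drive-spreading script infection would leave.

```python
"""Assess an autorun.inf: which entries launch a program, and do they look benign?

Added example, not code from the forum thread or any vendor. On XP-era
AutoPlay the [autorun] keys open= and shellexecute= run a program when the
drive is mounted, and shell\<verb>\command= keys replace the Explorer
context-menu verbs. A vendor launcher (like the U3 file) points at its own
.exe; a script worm points at .vbs/.bat style files or at wscript/cscript.
"""
import re
from typing import Dict, List, Tuple

# [autorun] keys that execute something directly.
EXEC_KEYS = {"open", "shellexecute"}
# File types a vendor launcher would not normally use but a script worm would.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd|pif|scr)\b", re.IGNORECASE)

U3_SAMPLE = r"""[AutoRun]
open=LaunchU3.exe -a
icon=LaunchU3.exe,0

[Definitions]
Launchpad=LaunchPad.exe
Vtype=1

[CopyFiles]
FileNumber=1
File1=LaunchPad.zip
[Update]
URL=http://www.toshiba.co.jp/p-media/english/u3/update/
"""

WORM_SHAPED = r"""[autorun]
; constructed sample for this example, not a real malware file
open=wscript.exe hidden\runme.vbs
shell\open\command=wscript.exe hidden\runme.vbs
icon=%SystemRoot%\system32\shell32.dll,4
"""


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style text into {section: {key: value}}; names are lowercased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # key outside any section, or not key=value
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_entries(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return the (key, value) pairs in [autorun] that would run a program."""
    hits = []
    for key, value in sections.get("autorun", {}).items():
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return hits


def assess(text: str) -> dict:
    """Summarise what the file launches and why it looks benign or suspicious."""
    entries = launch_entries(parse_autorun(text))
    reasons = []
    for key, value in entries:
        low = value.lower()
        if SCRIPT_EXT.search(value):
            reasons.append(f"{key} points at a script/command file: {value}")
        if "wscript" in low or "cscript" in low:
            reasons.append(f"{key} invokes the Windows Script Host: {value}")
        if key.startswith("shell\\"):
            reasons.append(f"{key} replaces an Explorer context-menu action")
    return {"launches": entries, "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for label, sample in (("U3 launcher", U3_SAMPLE), ("worm-shaped", WORM_SHAPED)):
        result = assess(sample)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "looks benign")
        for reason in result["reasons"]:
            print("   ", reason)
```

On a real drive the same assess() can be fed the contents of any autorun.inf found in the drive root; a benign launcher entry like the U3 one is reported but not flagged.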
Re: vbs.runauto
Hello, I've been away for two weeks so no activity on my computer :-)

Just got back saw the error message again.

In the post above I meant "It does NOT go away with a format"

Do you think doing a scan once more to confirm the computer is clean and then keeping all accessories away from it to see if the message comes back would confirm the bug is on the computer and not an external drive?

see ya
