Tidserv Activity 2

Hello,
I have been struggling for the last three days to remove a tidserv trojan from my XP desktop.
I was "assisted" by Symantec's Indian subcontractors over a number of hours with no good result. Previously, I had applied Symantec's FixTDSS.exe and Kaspersky's TDSSKiller.exe to no avail - neither of them could find tidserv even though then (and now) I have a persistent little Norton popup box telling me "Threat requiring manual removal detected: System Infected: Tidserv Activity 2."
I also have another persistent popup informing me that Malwarebytes has successfully blocked an (outgoing) attempt to connect with (one of several) potentially malicious websites.
I was unable to attach the requested log files in the usual manner or paste them in here so I had to upload them to my website cliveburton.com – please look for them there.
I certainly hope you can help me get rid of this nasty trojan which Norton Internet Security let through onto my system and they were of no use whatsoever in removing it.
I certainly do not want to go through the agony of reverting my system to factory state (as Symantec suggested) then spending many hours reinstating all my many applications from scratch (rather than from a backup image potentially still infected).
Any help you can give will be greatly appreciated!
Best regards
Clive Burton (PhD, physics)

Re: Tidserv Activity 2

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
I was unable to attach the requested log files in the usual manner or paste them in here so I had to upload them to my website cliveburton.com – please look for them there.

What happens when you try to paste the logs? You may have to break the logs up into two or more posts.

SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!


Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes.
* If you encounter any problems while downloading the updates, manually download and unzip them from here.
* Next click the Preferences button.
  • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts.
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining
  Please leave the others unchecked.
* Click the Close button to leave the control center screen.
* On the main screen click Scan your computer.
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK.
* Make sure everything in the white box has a check next to it, then click Next.
* It will quarantine what it found and if it asks if you want to reboot, click Yes.

To retrieve the removal information please do the following:
* After reboot, double-click the SUPERAntiSpyware icon on your desktop.
* Click Preferences. Click the Statistics/Logs tab.
* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
* It will open in your default text editor (preferably Notepad).
* Save the notepad file to your desktop by clicking (in notepad) File > Save As...
* Save the log somewhere you can easily find it (normally the desktop).
* Click close and close again to exit the program.
* Copy and paste the log in your post.
********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*********************************************
Download DDS from HERE or HERE and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
* Save both reports to your desktop.
* The instructions here ask you to attach the Attach.txt.

1) DDS.txt
2) Attach.txt
Instead of attaching, please copy/paste both logs into your thread.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.

* Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE. Then post your DDS logs (DDS.txt and Attach.txt).

Re: Tidserv Activity 2

Hello Dave
Thank you so much for your offer of assistance.
Well - I succeeded in installing and running Superantispyware but am afraid I can't do much with the results because everything I now go to do on the infected computer (my desktop) doesn't work anymore.
I consistently get messages saying that this, that or the other .dll or .ime object "is not a valid Windows image" or that there is not enough system resource to carry out the task.
I am seeing a lot of what I class as memory leaks – screen images overlaying one another with transparent windows in them.
When I go to check on free space on the C drive (I believe there is well over 10 Gb) I see that used space and the free space are both reported as zero.
I can’t take any more pictures of my desktop because Jing isn’t working anymore.
I have to leave for an appointment in ten minutes so I’ll have to be quick here.
Please have a look at www.cliveburton.com/Tidserv Trojan Removal
This contains all the logs and some images of the Superantispy runs I did. I haven’t attempted to fix anything thus far.
I can’t do any better with sending you information at the moment.
Whenever I try to paste text logs here or attach files here I run into problems.
The files bring up an “invalid file” message and the pastes just don’t happen – this is from my laptop which appears to be working just fine.
I would like to run chkdsk on my desktop C drive but will await your instructions.
Gotta go
Best regards
Clive

Re: Tidserv Activity 2

I would like to run chkdsk on my desktop C drive but will await your instructions.

Go ahead and run chkdsk, if you can.
BTW, that link doesn't work.


Go to this link to create a Rescue CD or to this site to create a Rescue USB. Carefully follow all the instructions for whichever method you choose.

Re: Tidserv Activity 2

Dave
Thank you for your reply - sorry - the link didn't copy properly - please go to:-
http://www.cliveburton.com/Tidserv%20Trojan%20Removal/
I will do the other things you suggested.
Best regards
Clive

Re: Tidserv Activity 2

Hi Dave
I had a lot of trouble with blue screens of death and have been unable to run chkdsk so far - however DrWeb LiveCD is running through all my HDDs and has so far identified two trojans though their names are hardly readable - look like TrojanSlgger2.8966 (the 9 could be a 5 but I don't think so) - it's in an exe file the name of which I cannot read. The other is Trojan.NulDrop3.17529 in SkypeSecrets.exe
DrWeb has been going for 13 hours so far and has only gone through 518344 files so there is a loooong way to go.
Suggestions please.
I'm thinking I may have to delete the boot partition and start again.
I've got an old copy of Ghost that I believe works on XP. Is that a good way of deleting and reinstating the boot partition without affecting the secondary partition. Will that really clobber a boot sector trojan?
Best regards
Clive

Re: Tidserv Activity 2

Here's another boot disk with which you may have better luck.

We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

Download the OTLPE Standard REATOGO Windows Recovery Environment.

  • Place a blank CD-R disc in to your CD burning drive.
  • Download OTLPEStd.exe and double-click on it to burn to a CD using an ISO Burner. One can be found here.
  • Reboot your system using the boot CD you just created.
  • Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
  • Change Drivers to Non-Microsoft
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\_OTL\MovedFiles
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

Re: Tidserv Activity 2

Hello Dave
Thanks for the added instructions which I will follow "just to be sure to be sure" as the Irish say.
However, running DrWeb_LiveCD seems to have had a good effect. I have not seen a blue screen of death since doing that nor have I seen a Norton box yabbering about Tidserv - wheee!!! I guess my main concern now is how do I tell whether I have really got rid of Tidserv since nothing I ever used actually found it under that name. ????
Malwarebytes is still preventing dial-home activity to at least three potentially malicious sites - any suggestion as to what to do about that?
Best regards
Clive

Re: Tidserv Activity 2

MBAM is still preventing dial-home activity to at least three potentially malicious sites - any suggestion as to what to do about that?

That's good. It's doing its job. Please run the SAS, MBAM and DDS scans and post the logs here.

Re: Tidserv Activity 2

Hi Dave - Here's the result of running OTLPE
I hope you can make sense of it - it's gobbledygook to me.
The system continues to run OK with no blue screens or Tidserv warnings - only the Malwarebytes warnings about dial-outs.
================================================
OTL logfile created on: 12/17/2011 2:46:36 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,024.00 Mb Total Physical Memory | 771.00 Mb Available Physical Memory | 75.00% Memory free
907.00 Mb Paging File | 845.00 Mb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 322.27 Gb Total Space | 44.68 Gb Free Space | 13.87% Space Free | Partition Type: NTFS
Drive D: | 14.16 Gb Total Space | 1.52 Gb Free Space | 10.73% Space Free | Partition Type: FAT32
Drive E: | 698.64 Gb Total Space | 80.63 Gb Free Space | 11.54% Space Free | Partition Type: NTFS
Drive F: | 143.49 Gb Total Space | 11.61 Gb Free Space | 8.09% Space Free | Partition Type: NTFS
Drive G: | 97.62 Gb Total Space | 0.88 Gb Free Space | 0.90% Space Free | Partition Type: NTFS
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 90 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (Secunia Update Agent)
SRV - File not found [Auto] -- -- (Secunia PSI Agent)
SRV - File not found [On_Demand] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - File not found [Auto] -- -- (MySQL)
SRV - File not found [Auto] -- -- (MBAMService)
SRV - File not found [On_Demand] -- -- (CoordinatorServiceHost)
SRV - File not found [Auto] -- -- (btwdins)
SRV - File not found [On_Demand] -- -- (AppMgmt)
SRV - File not found [Auto] -- -- (Apache2.2)
SRV - [2011/08/11 18:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/08/10 15:52:54 | 000,138,760 | R--- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe -- (NIS)
SRV - [2011/07/07 21:31:08 | 000,195,336 | ---- | M] (Microsoft Corporation.) [On_Demand] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/06/15 19:33:20 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate)
SRV - [2011/06/08 15:02:00 | 000,633,856 | ---- | M] (Nokia) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2011/04/01 22:17:08 | 000,067,400 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe -- (MsDepSvc)
SRV - [2010/08/23 23:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2010/08/13 01:40:24 | 000,867,080 | ---- | M] (Acresso Software Inc.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/08/10 19:28:11 | 000,079,360 | ---- | M] (SolidWorks) [On_Demand] -- C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe -- (SolidWorks Licensing Service)
SRV - [2009/12/16 18:44:36 | 003,750,400 | ---- | M] (SafeNet Inc.) [Auto] -- C:\WINDOWS\System32\hasplms.exe -- (hasplms)
SRV - [2009/09/26 01:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) [Auto] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
SRV - [2009/07/07 16:48:44 | 000,647,216 | ---- | M] (Cisco Systems, Inc.) [Auto] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2007/02/08 20:38:52 | 000,056,344 | ---- | M] (Memeo) [Disabled] -- C:\Program Files\Memeo\AutoBackup\MemeoService.exe -- (BMUService)
SRV - [2005/09/23 09:01:16 | 002,799,808 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon80)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | Boot] -- -- (iycct)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2011/12/15 07:31:05 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\VirusDefs\20111216.034\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/12/15 07:31:04 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/12/15 07:31:04 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\VirusDefs\20111216.034\NAVENG.SYS -- (NAVENG)
DRV - [2011/12/12 17:55:45 | 000,083,064 | ---- | M] (Symantec Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\SMR210.SYS -- (SMR210)
DRV - [2011/12/08 17:01:21 | 000,127,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/12/07 18:43:12 | 000,356,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\IPSDefs\20111216.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/11/24 02:08:44 | 000,819,320 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\BASHDefs\20111210.003\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/11/09 12:29:26 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/09/26 19:38:08 | 000,897,656 | ---- | M] (Symantec Corporation) [File_System | Boot] -- C:\WINDOWS\system32\drivers\NIS\1302000.00A\symefa.sys -- (SymEFA)
DRV - [2011/08/31 20:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/08/08 18:38:11 | 000,132,744 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\NIS\1302000.00A\ccSetx86.sys -- (ccSet_NIS)
DRV - [2011/08/02 21:22:10 | 000,566,904 | ---- | M] (Symantec Corporation) [File_System | System] -- C:\WINDOWS\System32\Drivers\NIS\1302000.00A\SRTSP.SYS -- (SRTSP)
DRV - [2011/08/02 21:22:10 | 000,031,864 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\NIS\1302000.00A\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/07/25 21:18:39 | 000,387,192 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\System32\Drivers\NIS\1302000.00A\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/07/25 21:18:35 | 000,340,088 | R--- | M] (Symantec Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\NIS\1302000.00A\symds.sys -- (SymDS)
DRV - [2011/07/25 21:15:51 | 000,149,624 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\NIS\1302000.00A\Ironx86.SYS -- (SymIRON)
DRV - [2011/07/22 11:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 16:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/06/25 19:56:44 | 000,028,256 | ---- | M] (Applian Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\appliand.sys -- (appliandMP)
DRV - [2011/06/25 19:56:44 | 000,028,256 | ---- | M] (Applian Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\appliand.sys -- (appliand)
DRV - [2010/10/29 16:42:01 | 000,245,888 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\XHASP.sys -- (XHASP)
DRV - [2010/10/27 20:58:40 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\Haspnt.sys -- (Haspnt)
DRV - [2010/09/01 03:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2010/08/12 11:44:03 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2009/12/09 23:27:18 | 000,588,800 | ---- | M] (SafeNet Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (hardlock)
DRV - [2009/10/20 13:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009/08/20 09:01:50 | 000,356,864 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\aksfridge.sys -- (aksfridge)
DRV - [2009/07/07 16:48:44 | 000,026,672 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\purendis.sys -- (purendis)
DRV - [2009/07/07 16:48:44 | 000,025,392 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\pnarp.sys -- (pnarp)
DRV - [2009/06/22 11:06:32 | 000,016,384 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\aksusb.sys -- (aksusb)
DRV - [2009/03/13 12:55:26 | 000,238,208 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\akshasp.sys -- (akshasp)
DRV - [2008/08/26 12:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/04/13 14:21:00 | 000,162,816 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\netbt.sys -- (NetBT)
DRV - [2007/07/23 16:12:44 | 000,046,336 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\akshhl.sys -- (akshhl)
DRV - [2004/10/07 13:21:22 | 000,015,360 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2004/08/04 00:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/10/09 23:23:48 | 000,032,640 | R--- | M] (Cypress Semiconductor) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\MXOFX.SYS -- (MXOFX) USB Storage Adapter FX (MXO)
DRV - [2003/07/01 14:29:10 | 000,022,183 | ---- | M] () [Kernel | Auto] -- C:\WINDOWS\system32\drivers\btserial.sys -- (BTSERIAL)
DRV - [2003/07/01 14:28:46 | 000,222,876 | ---- | M] (WIDCOMM, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\btslbcsp.sys -- (BTSLBCSP)
DRV - [2003/07/01 14:25:56 | 001,257,418 | ---- | M] (WIDCOMM, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2003/03/13 16:23:28 | 000,019,712 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mxofwfp.sys -- (MaxtorFrontPanel1)
DRV - [2003/03/06 16:48:08 | 000,003,840 | ---- | M] () [Kernel | System] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2002/09/19 21:19:56 | 000,205,056 | ---- | M] (YAMAHA CORPORATION) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\yacxgc.sys -- (WDM_YAMAHAAC97)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Clive_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://mirostart.com/?cfg=2-365-0-QcG4
IE - HKU\Clive_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/
IE - HKU\Clive_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Clive_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/wpi,version=1.4: C:\Program Files\Microsoft\Web Platform Installer\\npwpidetector.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Clive\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Clive\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\IPSFFPlgn\ [2011/12/11 17:15:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\coFFPlgn\ [2011/12/17 16:03:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2011/01/28 16:42:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/28 11:31:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\SeaMonkey 2.4\extensions\\Components: C:\Program Files\SeaMonkey\components [2011/10/29 21:23:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\SeaMonkey 2.4\extensions\\Plugins: C:\Program Files\SeaMonkey\plugins [2011/10/29 21:23:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\ [2011/10/12 12:04:12 | 000,000,000 | ---D | M]

[2010/10/01 18:13:32 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Clive\Application Data\Mozilla\Extensions
[2010/10/01 18:13:32 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Clive\Application Data\Mozilla\Extensions\{92650c4d-4b8e-4d2a-b7eb-24ecf4f6b63a}
[2009/09/21 18:30:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Clive\Application Data\Mozilla\Extensions\{ea278cf8-93cd-484f-b951-57360482d33a}
[2011/12/17 13:38:32 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\extensions
[2010/10/03 12:50:58 | 000,000,000 | ---D | M] (Link Evaluator) -- C:\Documents and Settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\extensions\{2d4271b9-cc9f-4f37-8b1e-340293eacd5c}
[2011/12/17 13:38:32 | 000,000,000 | ---D | M] (SeoQuake) -- C:\Documents and Settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
[2011/11/09 19:28:10 | 000,000,000 | ---D | M] ("OutWit Kernel") -- C:\Documents and Settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}
[2011/12/07 12:51:25 | 000,000,000 | ---D | M] (ViralinBox) -- C:\Documents and Settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\extensions\{8e319c1c-b993-4bf3-9aab-b4455476652e}
[2011/04/03 09:27:12 | 000,000,000 | ---D | M] (Web Enhancements) -- C:\Documents and Settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\extensions\{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469}
[2011/10/03 17:01:41 | 000,000,000 | ---D | M] (Page Speed) -- C:\Documents and Settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}
[2011/01/06 17:54:46 | 000,000,000 | ---D | M] ("PPC Web Spy Toolbar") -- C:\Documents and Settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\extensions\{ec9CEB59-8266-438b-91D9-82F56D595E15}
[2011/11/09 19:27:55 | 000,000,000 | ---D | M] ("Outwit Docs") -- C:\Documents and Settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\extensions\outwit-docs@outwit.com
[2010/10/25 20:38:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Clive\Application Data\Mozilla\SeaMonkey\Profiles\jhviz8a6.default\extensions
[2010/10/15 11:49:15 | 000,000,000 | ---D | M] (ChatZilla) -- C:\Documents and Settings\Clive\Application Data\Mozilla\SeaMonkey\Profiles\jhviz8a6.default\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
[2010/10/15 11:49:16 | 000,000,000 | ---D | M] (JavaScript Debugger) -- C:\Documents and Settings\Clive\Application Data\Mozilla\SeaMonkey\Profiles\jhviz8a6.default\extensions\{f13b157f-b174-47e7-a34d-4815ddfdfeb8}
[2010/10/15 11:49:15 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\Documents and Settings\Clive\Application Data\Mozilla\SeaMonkey\Profiles\jhviz8a6.default\extensions\inspector@mozilla.org
[2011/11/28 00:48:37 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/11/04 13:08:10 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2011/11/05 02:10:40 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/11/04 22:44:20 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/11/04 22:32:18 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/04 22:44:20 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/11/04 22:44:20 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/11/04 22:44:20 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (FlpLauncher Class) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - File not found
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\19.2.0.10\coieplg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\19.2.0.10\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - File not found
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\19.2.0.10\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O3 - HKU\Clive_ON_C\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKU\Clive_ON_C\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKU\Clive_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\Clive_ON_C\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O4 - HKLM..\Run: [Acrobat Assistant 8.0] File not found
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [DNS7reminder] C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe (Easy Systems Japan Ltd.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] File not found
O4 - HKLM..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE (Cypress Semiconductor)
O4 - HKLM..\Run: [nmapp] C:\Program Files\Pure Networks\Network Magic\nmapp.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKU\Clive_ON_C..\Run: [OpAgent] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\USB Sharing.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Clive_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\Clive_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\Clive_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Clive_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Translate into English - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O9 - Extra Button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - File not found
O9 - Extra 'Tools' menuitem : Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - File not found
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - File not found
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - File not found
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - File not found
O9 - Extra 'Tools' menuitem : @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - File not found
O9 - Extra Button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - File not found
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247343244515 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1247376780203 (MUWebControl Class)
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} file:///D:/Program%20Files/AutoCAD%202000i/AcDcToday.ocx (AcDcToday Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} file:///D:/Program%20Files/AutoCAD%202000i/InstFred.ocx (InstaFred Control)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} file:///D:/Program%20Files/AutoCAD%202000i/AcPreview.ocx (AcPreview Control)
O16 - DPF: DirectAnimation Java Classes Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - File not found
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/29 00:23:50 | 000,000,047 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/01/11 18:27:00 | 000,000,132 | ---- | M] () - E:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{0337e984-6d66-11de-ba87-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{0337e984-6d66-11de-ba87-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0337e984-6d66-11de-ba87-806d6172696f}\Shell\AutoRun\command - "" = G:\reatogoMenu.exe
O33 - MountPoints2\{fe4db67b-40ea-11df-acce-00e018f9eab8}\Shell - "" = AutoRun
O33 - MountPoints2\{fe4db67b-40ea-11df-acce-00e018f9eab8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{fe4db67b-40ea-11df-acce-00e018f9eab8}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk /p \??\C:) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

Re: Tidserv Activity 2

AND here is the rest of the OTL.txt file
===========================================
========== Files/Folders - Created Within 90 Days ==========

[2011/12/15 01:00:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Application Data\SUPERAntiSpyware.com
[2011/12/15 00:57:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/12/15 00:57:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/12/15 00:57:33 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/12/14 15:04:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2011/12/14 13:36:30 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/12/14 13:36:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Start Menu\Programs\HiJackThis
[2011/12/13 12:58:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\My Documents\Backup Details
[2011/12/13 08:47:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\My Documents\AAALLL TRANSFERS I to Z
[2011/12/12 19:20:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Application Data\FixZeroAccess
[2011/12/12 19:19:18 | 001,776,248 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Clive\Desktop\FixZeroAccess.exe
[2011/12/12 18:10:22 | 000,046,640 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\msln.exe
[2011/12/12 17:55:45 | 000,083,064 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SMR210.SYS
[2011/12/12 17:55:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Local Settings\Application Data\NPE
[2011/12/12 02:42:19 | 000,000,000 | R--D | C] -- C:\Documents and Settings\NetworkService\Favorites
[2011/12/11 18:24:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/12/11 17:34:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/12/11 17:34:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/12/08 15:20:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Start Menu\Programs\Norton
[2011/12/08 15:20:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Norton
[2011/12/07 12:43:03 | 000,000,000 | ---D | C] -- C:\Program Files\Appnimi
[2011/12/07 12:43:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Appnimi
[2011/11/20 20:23:00 | 000,000,000 | ---D | C] -- C:\SW2010_SP0.0
[2011/11/18 14:04:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[2011/11/14 01:09:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Application Data\Auslogics
[2011/11/14 01:09:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Auslogics
[2011/11/14 01:09:14 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2011/11/13 14:27:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\DiskTrix
[2011/11/13 14:27:12 | 000,000,000 | ---D | C] -- C:\Program Files\DiskTrix
[2011/11/06 13:57:15 | 000,000,000 | ---D | C] -- C:\Sony
[2011/10/29 21:22:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2011/10/29 21:20:43 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2011/10/24 16:29:02 | 000,094,208 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2011/10/24 16:29:02 | 000,069,632 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts
[2011/10/13 18:13:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Local Settings\Application Data\MPlayer
[2011/10/13 18:08:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\.umplayer
[2011/10/13 18:08:22 | 000,000,000 | ---D | C] -- C:\Program Files\UMPlayer
[2011/10/13 11:27:56 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\CanonIJEGV
[2011/10/12 12:02:34 | 000,018,816 | ---- | C] (Nokia) -- C:\WINDOWS\System32\drivers\pccsmcfd.sys
[2011/10/12 12:01:55 | 000,000,000 | ---D | C] -- C:\Program Files\PC Connectivity Solution
[2011/10/07 13:54:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2011/10/05 19:45:00 | 000,000,000 | ---D | C] -- C:\AAALLL NEW MUSIC FOR OUR CD PARTY 9 SEPT 2011
[2011/10/05 19:37:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IsoBuster
[2011/10/05 19:37:36 | 000,000,000 | ---D | C] -- C:\Program Files\Smart Projects
[2011/10/05 19:36:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Start Menu\Programs\CNET TechTracker
[2011/10/05 19:36:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Application Data\CBS Interactive
[2011/10/03 12:02:22 | 000,000,000 | ---D | C] -- C:\Program Files\Belarc
[2011/10/02 16:30:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Application Data\MySQL
[2011/10/01 12:35:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Start Menu\Programs\XAMPP for Windows
[2011/09/30 16:36:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Canon MX860 series
[2011/09/30 00:52:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\MySQL
[2011/09/30 00:47:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MySQL
[2011/09/30 00:45:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\My Documents\My Web Sites
[2011/09/30 00:45:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\My Documents\IISExpress
[2011/09/30 00:43:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft WebMatrix
[2011/09/30 00:42:18 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft WebMatrix
[2011/09/30 00:28:55 | 000,000,000 | ---D | C] -- C:\Program Files\MySQL
[2011/09/30 00:28:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Start Menu\Programs\MySQL
[2011/09/30 00:26:17 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server
[2011/09/30 00:23:22 | 000,000,000 | ---D | C] -- C:\Program Files\IIS Express
[2011/09/30 00:21:55 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2011/09/29 20:01:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IIS 7.0 Extensions
[2011/09/29 20:00:40 | 000,000,000 | ---D | C] -- C:\Program Files\IIS
[2011/09/29 19:58:08 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft ASP.NET
[2011/09/29 18:06:49 | 000,028,256 | ---- | C] (Applian Technologies Inc.) -- C:\WINDOWS\System32\drivers\appliand.sys
[2011/09/29 18:06:37 | 000,000,000 | ---D | C] -- C:\Program Files\Applian Technologies
[2011/09/29 18:01:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Application Data\Replay Media Catcher 4
[2011/09/27 13:49:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\phpDesigner
[2011/09/27 13:49:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\phpDesigner 7
[2011/09/27 13:48:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Application Data\phpDesigner
[2011/09/27 13:48:26 | 000,000,000 | ---D | C] -- C:\Program Files\phpDesigner 7
[2011/09/27 11:40:22 | 000,000,000 | ---D | C] -- C:\Program Files\Pure Networks
[2011/09/27 11:36:32 | 000,025,392 | ---- | C] (Cisco Systems, Inc.) -- C:\WINDOWS\System32\drivers\pnarp.sys
[2011/09/27 11:36:28 | 000,026,672 | ---- | C] (Cisco Systems, Inc.) -- C:\WINDOWS\System32\drivers\purendis.sys
[2011/09/27 11:36:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Pure Networks Shared
[2011/09/27 11:34:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Pure Networks
[2011/09/27 11:27:23 | 000,000,000 | ---D | C] -- C:\Program Files\Copy of Working Network Magic
[2011/09/26 22:39:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\My Documents\Marinviews from live site 26SEP2011 839PM
[2011/09/21 12:45:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Local Settings\Application Data\PandaBatchFileRenamer
[2011/09/21 12:45:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Application Data\Animal Software
[2011/09/21 12:15:17 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Batch File Renamer
[2011/09/20 18:57:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\Application Data\SynchroMaster
[2011/09/20 18:57:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SynchroMaster
[2011/09/20 18:57:33 | 000,000,000 | ---D | C] -- C:\Program Files\SynchroMaster
[2011/09/20 13:28:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\My Documents\CuteFTP Clives Websites Data
[2011/09/20 12:50:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Clive\My Documents\Drive Image 16 Sept 2010
[2009/07/13 23:04:52 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Clive\Application Data\pcouffin.sys
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2011/12/17 17:38:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/17 17:13:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1390067357-839522115-1004UA.job
[2011/12/17 17:13:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1390067357-839522115-1004Core.job
[2011/12/17 16:54:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/17 14:05:17 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/12/17 14:04:23 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/17 14:04:23 | 000,000,312 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2011/12/17 14:04:23 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-776561741-1390067357-839522115-1004.job
[2011/12/17 14:04:17 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/17 14:03:52 | 1073,319,936 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/17 13:32:01 | 000,000,425 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2011/12/17 13:32:01 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2011/12/16 02:30:16 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/15 19:11:44 | 002,396,768 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/12/15 13:41:23 | 000,002,489 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
[2011/12/15 07:07:15 | 000,000,778 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\Shortcut to SUPERAntiSpyware.exe.lnk
[2011/12/15 00:58:02 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/12/15 00:57:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/12/14 18:12:57 | 000,002,347 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/12/14 18:07:37 | 001,682,928 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/14 15:51:59 | 000,734,468 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1302000.00A\Cat.DB
[2011/12/14 15:36:23 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\MBR.dat
[2011/12/14 13:36:30 | 000,001,984 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\HiJackThis.lnk
[2011/12/14 12:12:58 | 000,006,192 | ---- | M] () -- C:\{5FCC6C63-7A79-4217-9008-9874AA1F7CA2}
[2011/12/14 12:07:58 | 000,004,872 | ---- | M] () -- C:\{EBD9651B-6261-4D6B-9B46-903819BE7DF7}
[2011/12/14 11:51:26 | 000,004,872 | ---- | M] () -- C:\{1AD75ED9-E848-4120-8F59-7B872D040CBB}
[2011/12/14 06:30:04 | 000,004,872 | ---- | M] () -- C:\{C70EDF80-9BD5-45CE-A392-821B1FEFD2B0}
[2011/12/14 01:34:20 | 000,000,026 | ---- | M] () -- C:\WINDOWS\BRPP2KA.INI
[2011/12/13 20:40:47 | 000,000,650 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/13 20:40:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/13 20:30:37 | 000,000,191 | ---- | M] () -- C:\WINDOWS\phpdesigner.ini
[2011/12/13 20:21:23 | 000,709,968 | ---- | M] () -- C:\WINDOWS\is-28FEL.exe
[2011/12/13 20:21:23 | 000,010,498 | ---- | M] () -- C:\WINDOWS\is-28FEL.msg
[2011/12/13 20:21:23 | 000,000,393 | ---- | M] () -- C:\WINDOWS\is-28FEL.lst
[2011/12/13 18:06:04 | 000,004,872 | ---- | M] () -- C:\{AC77E8C2-4F3C-4944-A066-79EBF368EC28}
[2011/12/13 17:49:55 | 000,004,872 | ---- | M] () -- C:\{E970B01C-3D88-419E-BA0D-AF8A66471B0F}
[2011/12/13 17:34:30 | 000,004,872 | ---- | M] () -- C:\{C3667A11-2EC5-4B59-AF72-B820B31DC20B}
[2011/12/13 17:17:33 | 000,004,872 | ---- | M] () -- C:\{610A3504-5FF3-4C1E-B991-0E6CF05203FE}
[2011/12/13 17:01:11 | 000,004,856 | ---- | M] () -- C:\{CF339214-7860-4944-931A-0D539A7A798A}
[2011/12/13 16:45:41 | 000,004,872 | ---- | M] () -- C:\{633A5982-6479-46E2-9B92-B78FAAB70DD6}
[2011/12/13 16:29:21 | 000,004,872 | ---- | M] () -- C:\{740D24BC-5B92-4550-89C1-3A0AB5D9C4F5}
[2011/12/13 16:20:20 | 000,041,472 | ---- | M] () -- C:\Documents and Settings\Clive\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/12/13 15:39:57 | 000,006,192 | ---- | M] () -- C:\{82D273DB-6DF2-4844-AE9B-07D26F51C014}
[2011/12/13 15:09:30 | 000,004,856 | ---- | M] () -- C:\{57A4138A-6D2C-45B9-B394-3943287836B5}
[2011/12/13 11:57:44 | 000,002,487 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Excel.lnk
[2011/12/13 09:16:52 | 000,004,872 | ---- | M] () -- C:\{41E8C7AA-05C2-4117-9A04-0F5B2B040DE0}
[2011/12/12 21:57:06 | 001,776,248 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Clive\Desktop\FixZeroAccess.exe
[2011/12/12 20:11:33 | 000,002,105 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2011/12/12 18:10:29 | 000,384,414 | ---- | M] () -- C:\WINDOWS\System32\drivers\SMR210.dat
[2011/12/12 18:10:22 | 000,046,640 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\msln.exe
[2011/12/12 17:55:45 | 000,083,064 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SMR210.SYS
[2011/12/12 13:00:55 | 000,032,280 | ---- | M] () -- C:\{C91F9F0C-FCAF-45F5-9EE9-C1307A804E99}
[2011/12/11 18:06:27 | 000,001,973 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
[2011/12/11 18:06:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Norton Internet Security
[2011/12/10 20:59:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/12/09 11:59:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-776561741-1390067357-839522115-1004.job
[2011/12/08 22:35:53 | 000,004,782 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1302000.00A\VT20111023.024
[2011/12/08 21:52:29 | 000,000,746 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\Norton Installation Files.lnk
[2011/12/08 17:01:21 | 000,127,096 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2011/12/08 17:01:21 | 000,060,872 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2011/12/08 17:01:21 | 000,007,510 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2011/12/08 17:01:21 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2011/12/07 12:43:05 | 000,001,019 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Appnimi RAR Password Unlocker.lnk
[2011/12/07 12:43:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Appnimi
[2011/12/05 13:05:25 | 000,002,175 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/11/29 14:10:49 | 000,001,041 | ---- | M] () -- C:\WINDOWS\ULead32.ini
[2011/11/28 00:49:04 | 000,000,730 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/11/28 00:49:04 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/11/26 14:44:14 | 000,000,705 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\Analytics Settings - Google Analytics.URL
[2011/11/23 08:25:32 | 001,859,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\win32k.sys
[2011/11/23 08:25:32 | 001,859,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2011/11/22 13:31:51 | 000,000,492 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2011/11/19 18:41:00 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/11/18 19:22:50 | 000,002,262 | ---- | M] () -- C:\Documents and Settings\Clive\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/11/18 19:22:48 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\Google Chrome.lnk
[2011/11/18 14:04:09 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/11/18 14:04:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[2011/11/14 01:09:15 | 000,000,801 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\AusLogics Disk Defrag.lnk
[2011/11/14 01:09:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Auslogics
[2011/11/13 14:29:05 | 000,000,826 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\Shortcut to UDefrag.exe.lnk
[2011/11/13 14:27:16 | 000,001,720 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\UltimateDefrag.LNK
[2011/11/13 14:27:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\DiskTrix
[2011/11/12 16:39:47 | 000,000,615 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2011/11/09 15:36:32 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/11/06 14:23:00 | 000,503,138 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/06 14:23:00 | 000,088,628 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/11/06 14:20:48 | 000,000,000 | ---- | M] () -- C:\WINDOWS\U12A_20e.INI
[2011/11/04 14:20:51 | 005,978,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2011/11/04 14:20:51 | 002,000,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2011/11/04 14:20:51 | 001,469,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcpl.cpl
[2011/11/04 14:20:51 | 001,469,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcpl.cpl
[2011/11/04 14:20:51 | 001,212,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2011/11/04 14:20:51 | 000,916,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2011/11/04 14:20:51 | 000,611,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mstime.dll
[2011/11/04 14:20:51 | 000,611,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstime.dll
[2011/11/04 14:20:51 | 000,602,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2011/11/04 14:20:51 | 000,602,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2011/11/04 14:20:51 | 000,206,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\occache.dll
[2011/11/04 14:20:51 | 000,105,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\url.dll
[2011/11/04 14:20:51 | 000,105,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\url.dll
[2011/11/04 14:20:51 | 000,066,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtmled.dll
[2011/11/04 14:20:51 | 000,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2011/11/04 14:20:51 | 000,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2011/11/04 14:20:51 | 000,043,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\licmgr10.dll
[2011/11/04 14:20:51 | 000,043,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\licmgr10.dll
[2011/11/04 14:20:51 | 000,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\jsproxy.dll
[2011/11/04 14:20:51 | 000,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsproxy.dll
[2011/11/04 14:20:50 | 011,081,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2011/11/04 14:20:50 | 000,743,424 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2011/11/04 14:20:50 | 000,387,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iedkcs32.dll
[2011/11/04 14:20:50 | 000,387,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedkcs32.dll
[2011/11/04 14:20:50 | 000,184,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iepeers.dll
[2011/11/04 14:20:50 | 000,184,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iepeers.dll
[2011/11/04 13:58:05 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ie4uinit.exe
[2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ie4uinit.exe
[2011/11/04 06:23:59 | 000,385,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\html.iec
[2011/11/04 02:16:12 | 000,655,360 | ---- | M] () -- C:\ffastunT.ffl
[2011/11/03 19:43:43 | 000,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1302000.00A\isolate.ini
[2011/11/02 19:08:42 | 000,007,498 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1302000.00A\symefa.cat
[2011/11/01 11:07:10 | 001,288,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ole32.dll
[2011/10/29 21:22:16 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2011/10/29 21:22:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2011/10/29 18:51:21 | 000,028,203 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\2011-10-29_1650.png
[2011/10/28 00:31:48 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\csrsrv.dll
[2011/10/28 00:31:48 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\csrsrv.dll
[2011/10/25 08:37:08 | 002,148,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2011/10/25 08:33:08 | 002,192,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ntoskrnl.exe
[2011/10/25 08:33:08 | 002,192,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2011/10/25 07:52:03 | 002,069,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ntkrnlpa.exe
[2011/10/25 07:52:03 | 002,069,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2011/10/25 07:52:02 | 002,027,008 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2011/10/24 16:29:02 | 000,094,208 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2011/10/24 16:29:02 | 000,069,632 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts
[2011/10/24 15:52:50 | 000,000,737 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2011/10/24 15:51:47 | 000,001,588 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2011/10/24 15:51:46 | 000,001,978 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Publisher.lnk
[2011/10/24 15:51:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office Tools
[2011/10/21 23:01:59 | 000,001,804 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\SSA Benefit Calculator.lnk
[2011/10/19 17:31:53 | 000,000,218 | ---- | M] () -- C:\Documents and Settings\Clive\.recently-used.xbel
[2011/10/19 17:04:16 | 000,001,819 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Miro.lnk
[2011/10/19 08:30:06 | 000,002,784 | ---- | M] () -- C:\{EBC6B4FC-BEC0-48DF-BC04-172C317A3031}
[2011/10/19 02:25:32 | 000,002,224 | ---- | M] () -- C:\{BE150900-2110-4F68-A871-1006A5C535FD}
[2011/10/18 12:26:20 | 000,121,096 | ---- | M] () -- C:\WINDOWS\System32\MSForms.TWD
[2011/10/18 06:13:22 | 000,186,880 | ---- | M] () -- C:\WINDOWS\System32\dllcache\encdec.dll
[2011/10/16 14:06:44 | 000,152,576 | ---- | M] () -- C:\Documents and Settings\Clive\My Documents\Zoe Project Ver 5.mpp
[2011/10/16 13:14:26 | 000,146,944 | ---- | M] () -- C:\Documents and Settings\Clive\My Documents\Zoe Project Ver 4.mpp
[2011/10/16 00:30:06 | 000,372,736 | ---- | M] () -- C:\Documents and Settings\Clive\My Documents\Zoe Project Ver 3.mpp
[2011/10/15 23:47:34 | 000,387,584 | ---- | M] () -- C:\Documents and Settings\Clive\My Documents\Zoe Project Ver 2.mpp
[2011/10/15 18:01:32 | 000,188,416 | -H-- | M] () -- C:\ffastun.ffo
[2011/10/15 18:01:32 | 000,004,718 | -H-- | M] () -- C:\ffastun.ffa
[2011/10/15 18:01:31 | 014,987,264 | -H-- | M] () -- C:\ffastun0.ffx
[2011/10/15 18:01:31 | 000,376,832 | -H-- | M] () -- C:\ffastun.ffl
[2011/10/15 14:58:02 | 000,035,262 | ---- | M] () -- C:\WINDOWS\Clive.acl
[2011/10/15 14:50:49 | 000,000,695 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\Shortcut to WINPROJ.EXE.lnk
[2011/10/15 14:41:50 | 000,004,346 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2011/10/15 14:41:50 | 000,000,120 | ---- | M] () -- C:\WINDOWS\MSMAIL32.INI
[2011/10/15 14:41:49 | 000,000,695 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Project.lnk
[2011/10/13 18:08:34 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\UMPlayer.lnk
[2011/10/13 16:11:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/10/12 12:29:41 | 000,001,788 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Nokia Ovi Suite.lnk
[2011/10/12 12:29:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Nokia
[2011/10/12 11:05:20 | 000,000,736 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\Notepad++.lnk
[2011/10/10 09:22:41 | 000,692,736 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcomm.dll
[2011/10/07 13:54:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2011/10/05 19:37:44 | 000,000,845 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\IsoBuster.lnk
[2011/10/05 19:37:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\IsoBuster
[2011/10/05 19:36:49 | 000,001,185 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\CNET TechTracker.lnk
[2011/10/03 12:02:31 | 000,001,738 | ---- | M] () -- C:\Documents and Settings\Clive\Application Data\Microsoft\Internet Explorer\Quick Launch\Belarc Advisor.lnk
[2011/10/03 12:02:31 | 000,001,726 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Belarc Advisor.lnk
[2011/10/03 12:02:31 | 000,001,720 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Belarc Advisor.lnk
[2011/10/02 16:31:47 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\Shortcut to MySQLWorkbench.exe.lnk
[2011/10/02 16:29:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\MySQL
[2011/10/01 15:57:29 | 000,001,564 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SeaMonkey.lnk
[2011/10/01 12:35:50 | 000,000,582 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\XAMPP Control Panel.lnk
[2011/09/30 17:36:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Canon
[2011/09/30 16:37:22 | 000,001,662 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Canon IJ Network Tool.lnk
[2011/09/30 16:37:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Canon MX860 series
[2011/09/30 11:39:48 | 000,078,848 | ---- | M] () -- C:\Documents and Settings\Clive\My Documents\CLIVE2011.TAX
[2011/09/30 11:38:22 | 000,078,840 | ---- | M] () -- C:\Documents and Settings\Clive\My Documents\CLIVE2011.BAK
[2011/09/30 10:30:16 | 000,001,706 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\e-tax 2011.lnk
[2011/09/30 01:25:00 | 000,420,466 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-776561741-1390067357-839522115-1004-0.dat
[2011/09/30 01:24:59 | 000,420,466 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/09/30 00:44:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft WebMatrix
[2011/09/29 20:01:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\IIS 7.0 Extensions
[2011/09/29 19:49:40 | 000,001,820 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Web Platform Installer.lnk
[2011/09/29 19:05:41 | 000,000,452 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\Shortcut to EasyPHP-5.3.2.lnk
[2011/09/29 18:06:48 | 000,000,954 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Replay Media Catcher 4.lnk
[2011/09/29 18:01:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Applian Technologies
[2011/09/28 02:06:50 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
[2011/09/28 00:43:30 | 000,027,830 | ---- | M] () -- C:\Documents and Settings\Clive\Application Data\phpdesigner.xml
[2011/09/27 13:49:00 | 000,000,670 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\phpDesigner 7.lnk
[2011/09/27 13:49:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\phpDesigner 7
[2011/09/27 11:40:33 | 000,001,800 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Network Magic.lnk
[2011/09/27 11:40:31 | 000,001,938 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Network Magic.lnk
[2011/09/27 11:37:04 | 008,892,928 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2011/09/26 19:38:08 | 000,897,656 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1302000.00A\symefa.sys
[2011/09/26 19:37:31 | 000,003,433 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1302000.00A\symefa.inf
[2011/09/26 19:14:42 | 000,002,801 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1302000.00A\symvtcer.dat
[2011/09/26 13:41:20 | 000,611,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\uiautomationcore.dll
[2011/09/26 13:41:20 | 000,220,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleacc.dll
[2011/09/26 13:41:14 | 000,020,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\oleaccrc.dll
[2011/09/26 13:41:14 | 000,020,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleaccrc.dll
[2011/09/25 11:11:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Picasa 3
[2011/09/25 00:49:51 | 000,000,639 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\Shortcut to phpDesignerPrg.exe.lnk
[2011/09/25 00:49:10 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/09/24 21:55:41 | 000,006,224 | ---- | M] () -- C:\{018132AA-A563-43FB-83C2-6A4252D95F58}
[2011/09/24 21:51:02 | 000,006,120 | ---- | M] () -- C:\{91CA3ECA-C5A7-4DCE-9D0B-1EB8576FADB5}
[2011/09/23 11:22:36 | 000,000,000 | ---- | M] () -- C:\WINDOWS\PhotoNow.INI
[2011/09/21 17:22:00 | 000,003,708 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\wp-config.php
[2011/09/21 12:15:18 | 000,000,859 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Panda Batch File Renamer.lnk
[2011/09/20 23:22:29 | 000,003,394 | ---- | M] () -- C:\Documents and Settings\Clive\Application Data\SAS7_000.DAT
[2011/09/20 23:17:12 | 000,002,537 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\Dragon NaturallySpeaking 10.0.lnk
[2011/09/20 18:57:37 | 000,000,680 | ---- | M] () -- C:\Documents and Settings\Clive\Desktop\SynchroMaster.lnk
[2011/09/20 18:57:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\SynchroMaster
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/17 13:32:01 | 000,000,425 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2011/12/16 02:14:11 | 1073,319,936 | -HS- | C] () -- C:\hiberfil.sys
[2011/12/15 16:13:06 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/15 07:07:12 | 000,000,778 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\Shortcut to SUPERAntiSpyware.exe.lnk
[2011/12/15 00:58:00 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/12/14 15:36:23 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\MBR.dat
[2011/12/14 13:36:30 | 000,001,984 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\HiJackThis.lnk
[2011/12/14 12:12:58 | 000,006,192 | ---- | C] () -- C:\{5FCC6C63-7A79-4217-9008-9874AA1F7CA2}
[2011/12/14 12:07:58 | 000,004,872 | ---- | C] () -- C:\{EBD9651B-6261-4D6B-9B46-903819BE7DF7}
[2011/12/14 11:51:26 | 000,004,872 | ---- | C] () -- C:\{1AD75ED9-E848-4120-8F59-7B872D040CBB}
[2011/12/14 06:30:04 | 000,004,872 | ---- | C] () -- C:\{C70EDF80-9BD5-45CE-A392-821B1FEFD2B0}
[2011/12/13 20:21:23 | 000,709,968 | ---- | C] () -- C:\WINDOWS\is-28FEL.exe
[2011/12/13 20:21:23 | 000,010,498 | ---- | C] () -- C:\WINDOWS\is-28FEL.msg
[2011/12/13 20:21:23 | 000,000,650 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/13 20:21:23 | 000,000,393 | ---- | C] () -- C:\WINDOWS\is-28FEL.lst
[2011/12/13 18:06:04 | 000,004,872 | ---- | C] () -- C:\{AC77E8C2-4F3C-4944-A066-79EBF368EC28}
[2011/12/13 17:49:55 | 000,004,872 | ---- | C] () -- C:\{E970B01C-3D88-419E-BA0D-AF8A66471B0F}
[2011/12/13 17:34:30 | 000,004,872 | ---- | C] () -- C:\{C3667A11-2EC5-4B59-AF72-B820B31DC20B}
[2011/12/13 17:17:33 | 000,004,872 | ---- | C] () -- C:\{610A3504-5FF3-4C1E-B991-0E6CF05203FE}
[2011/12/13 17:01:11 | 000,004,856 | ---- | C] () -- C:\{CF339214-7860-4944-931A-0D539A7A798A}
[2011/12/13 16:45:41 | 000,004,872 | ---- | C] () -- C:\{633A5982-6479-46E2-9B92-B78FAAB70DD6}
[2011/12/13 16:29:21 | 000,004,872 | ---- | C] () -- C:\{740D24BC-5B92-4550-89C1-3A0AB5D9C4F5}
[2011/12/13 15:39:57 | 000,006,192 | ---- | C] () -- C:\{82D273DB-6DF2-4844-AE9B-07D26F51C014}
[2011/12/13 15:09:29 | 000,004,856 | ---- | C] () -- C:\{57A4138A-6D2C-45B9-B394-3943287836B5}
[2011/12/13 09:16:51 | 000,004,872 | ---- | C] () -- C:\{41E8C7AA-05C2-4117-9A04-0F5B2B040DE0}
[2011/12/12 21:24:36 | 000,162,816 | ---- | C] () -- C:\netbt.sys
[2011/12/12 19:22:47 | 002,396,768 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/12/12 17:55:46 | 000,384,414 | ---- | C] () -- C:\WINDOWS\System32\drivers\SMR210.dat
[2011/12/12 13:00:55 | 000,032,280 | ---- | C] () -- C:\{C91F9F0C-FCAF-45F5-9EE9-C1307A804E99}
[2011/12/08 15:20:59 | 000,000,746 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\Norton Installation Files.lnk
[2011/12/07 12:43:05 | 000,001,019 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Appnimi RAR Password Unlocker.lnk
[2011/11/26 14:44:14 | 000,000,705 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\Analytics Settings - Google Analytics.URL
[2011/11/18 14:04:08 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/11/14 01:09:15 | 000,000,801 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\AusLogics Disk Defrag.lnk
[2011/11/13 14:29:05 | 000,000,826 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\Shortcut to UDefrag.exe.lnk
[2011/11/13 14:27:16 | 000,001,720 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\UltimateDefrag.LNK
[2011/11/12 16:39:47 | 000,000,615 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2011/11/06 14:20:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\U12A_20e.INI
[2011/11/06 13:57:15 | 000,151,552 | ---- | C] () -- C:\WINDOWS\CheckModels.exe
[2011/11/03 18:55:03 | 000,655,360 | ---- | C] () -- C:\ffastunT.ffl
[2011/10/29 21:22:14 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2011/10/29 18:51:21 | 000,028,203 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\2011-10-29_1650.png
[2011/10/24 15:51:47 | 000,001,588 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2011/10/24 15:51:46 | 000,001,978 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Publisher.lnk
[2011/10/21 23:01:59 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\SSA Benefit Calculator.lnk
[2011/10/19 17:31:52 | 000,000,218 | ---- | C] () -- C:\Documents and Settings\Clive\.recently-used.xbel
[2011/10/19 08:30:06 | 000,002,784 | ---- | C] () -- C:\{EBC6B4FC-BEC0-48DF-BC04-172C317A3031}
[2011/10/19 02:25:31 | 000,002,224 | ---- | C] () -- C:\{BE150900-2110-4F68-A871-1006A5C535FD}
[2011/10/18 12:26:20 | 000,121,096 | ---- | C] () -- C:\WINDOWS\System32\MSForms.TWD
[2011/10/16 13:28:25 | 000,152,576 | ---- | C] () -- C:\Documents and Settings\Clive\My Documents\Zoe Project Ver 5.mpp
[2011/10/16 13:14:24 | 000,146,944 | ---- | C] () -- C:\Documents and Settings\Clive\My Documents\Zoe Project Ver 4.mpp
[2011/10/15 23:47:51 | 000,372,736 | ---- | C] () -- C:\Documents and Settings\Clive\My Documents\Zoe Project Ver 3.mpp
[2011/10/15 20:56:07 | 000,387,584 | ---- | C] () -- C:\Documents and Settings\Clive\My Documents\Zoe Project Ver 2.mpp
[2011/10/15 18:01:32 | 000,004,718 | -H-- | C] () -- C:\ffastun.ffa
[2011/10/15 18:01:31 | 000,188,416 | -H-- | C] () -- C:\ffastun.ffo
[2011/10/15 18:01:27 | 014,987,264 | -H-- | C] () -- C:\ffastun0.ffx
[2011/10/15 17:52:21 | 000,376,832 | -H-- | C] () -- C:\ffastun.ffl
[2011/10/15 14:58:02 | 000,035,262 | ---- | C] () -- C:\WINDOWS\Clive.acl
[2011/10/15 14:50:49 | 000,000,695 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\Shortcut to WINPROJ.EXE.lnk
[2011/10/15 14:41:50 | 000,000,120 | ---- | C] () -- C:\WINDOWS\MSMAIL32.INI
[2011/10/15 14:41:49 | 000,000,695 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Project.lnk
[2011/10/13 18:08:32 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\UMPlayer.lnk
[2011/10/12 12:29:36 | 000,001,788 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Nokia Ovi Suite.lnk
[2011/10/07 13:54:00 | 000,002,175 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/10/05 19:37:43 | 000,000,845 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\IsoBuster.lnk
[2011/10/05 19:36:48 | 000,001,185 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\CNET TechTracker.lnk
[2011/10/03 12:02:31 | 000,001,738 | ---- | C] () -- C:\Documents and Settings\Clive\Application Data\Microsoft\Internet Explorer\Quick Launch\Belarc Advisor.lnk
[2011/10/03 12:02:31 | 000,001,720 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Belarc Advisor.lnk
[2011/10/03 12:02:30 | 000,001,726 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Belarc Advisor.lnk
[2011/10/03 12:02:24 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2011/10/02 16:31:47 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\Shortcut to MySQLWorkbench.exe.lnk
[2011/10/01 12:35:05 | 000,000,582 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\XAMPP Control Panel.lnk
[2011/09/30 01:24:59 | 000,420,466 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/09/30 01:24:59 | 000,420,466 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-776561741-1390067357-839522115-1004-0.dat
[2011/09/29 19:49:40 | 000,001,820 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Web Platform Installer.lnk
[2011/09/29 19:05:41 | 000,000,452 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\Shortcut to EasyPHP-5.3.2.lnk
[2011/09/29 18:06:48 | 000,000,954 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Replay Media Catcher 4.lnk
[2011/09/28 00:43:30 | 000,027,830 | ---- | C] () -- C:\Documents and Settings\Clive\Application Data\phpdesigner.xml
[2011/09/27 13:49:00 | 000,000,670 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\phpDesigner 7.lnk
[2011/09/27 11:40:31 | 000,001,938 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Network Magic.lnk
[2011/09/27 11:40:31 | 000,001,800 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Network Magic.lnk
[2011/09/25 00:49:51 | 000,000,639 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\Shortcut to phpDesignerPrg.exe.lnk
[2011/09/24 21:55:41 | 000,006,224 | ---- | C] () -- C:\{018132AA-A563-43FB-83C2-6A4252D95F58}
[2011/09/24 21:51:02 | 000,006,120 | ---- | C] () -- C:\{91CA3ECA-C5A7-4DCE-9D0B-1EB8576FADB5}
[2011/09/23 11:22:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PhotoNow.INI
[2011/09/21 17:22:00 | 000,003,708 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\wp-config.php
[2011/09/21 12:15:18 | 000,000,859 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Panda Batch File Renamer.lnk
[2011/09/20 18:57:36 | 000,000,680 | ---- | C] () -- C:\Documents and Settings\Clive\Desktop\SynchroMaster.lnk
[2011/09/08 14:51:35 | 000,152,382 | ---- | C] () -- C:\WINDOWS\AudioLabel Uninstaller.exe
[2011/04/03 09:29:39 | 000,819,200 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/04/03 09:29:36 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/10/29 16:42:01 | 000,245,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\XHASP.sys
[2010/10/27 21:04:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AceCrypt.dll
[2010/10/27 20:58:41 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
[2010/10/27 20:57:10 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\hsduinst.exe
[2010/10/27 20:57:09 | 000,164,864 | ---- | C] () -- C:\WINDOWS\System32\UNWISE.EXE
[2010/10/27 18:26:06 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2010/10/10 21:51:41 | 000,000,229 | ---- | C] () -- C:\WINDOWS\OPENFX_.INI
[2010/10/03 00:37:22 | 000,122,880 | ---- | C] () -- C:\WINDOWS\UnGins.exe
[2010/08/10 19:28:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\eDrawingOfficeAutomator.INI
[2010/04/18 06:12:18 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/09 21:26:42 | 000,000,015 | ---- | C] () -- C:\WINDOWS\cfwin.ini
[2010/03/09 21:26:38 | 000,000,098 | ---- | C] () -- C:\WINDOWS\cfwinlib.ini
[2010/02/19 13:49:11 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Clive\Local Settings\Application Data\Schedule8.dat
[2010/02/09 16:54:42 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\pxhpinst.exe
[2010/01/26 14:24:34 | 000,103,784 | ---- | C] () -- C:\Documents and Settings\Clive\GoToAssistDownloadHelper.exe
[2010/01/08 18:40:19 | 000,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2009/12/22 14:42:20 | 000,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI
[2009/11/27 18:48:24 | 000,640,512 | ---- | C] () -- C:\WINDOWS\System32\gfkernel.dll
[2009/11/27 18:48:24 | 000,640,512 | ---- | C] () -- C:\WINDOWS\System32\gfbaksm.dat
[2009/11/27 17:35:37 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2009/11/26 22:50:40 | 000,000,046 | ---- | C] () -- C:\WINDOWS\System32\DonationCoder_urlsnooper_InstallInfo.dat
[2009/11/25 18:41:02 | 000,260,608 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/11/25 18:41:02 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/11/25 18:41:01 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/11/25 18:41:01 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/11/25 18:41:01 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/11/14 17:17:11 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Clive\Local Settings\Application Data\fusioncache.dat
[2009/11/11 17:51:25 | 000,004,704 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/11/11 17:51:25 | 000,000,008 | RHS- | C] () -- C:\WINDOWS\System32\C9EAF77DC1.sys
[2009/10/20 13:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2009/10/13 19:00:30 | 000,086,608 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/09/12 10:57:00 | 000,000,023 | ---- | C] () -- C:\WINDOWS\bo9840cd.ini
[2009/08/28 00:37:09 | 000,003,394 | ---- | C] () -- C:\Documents and Settings\Clive\Application Data\SAS7_000.DAT
[2009/08/01 20:28:52 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2009/07/29 23:58:18 | 000,000,060 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2009/07/29 23:58:16 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2009/07/28 15:50:04 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\XDirTree.dll
[2009/07/28 15:50:04 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\XFileLst.dll
[2009/07/28 15:29:18 | 000,000,023 | -HS- | C] () -- C:\WINDOWS\System32\efea2_g.dll
[2009/07/27 18:42:21 | 000,060,744 | ---- | C] () -- C:\Documents and Settings\Clive\g2mdlhlpx.exe
[2009/07/27 13:40:47 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2009/07/22 17:41:54 | 000,000,191 | ---- | C] () -- C:\WINDOWS\phpdesigner.ini
[2009/07/22 13:13:30 | 000,000,395 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2009/07/21 18:55:42 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/07/21 13:37:04 | 000,041,472 | ---- | C] () -- C:\Documents and Settings\Clive\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/18 01:11:13 | 000,000,737 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/07/17 13:44:11 | 000,000,034 | ---- | C] () -- C:\WINDOWS\System32\bd9840cd.dat
[2009/07/16 20:51:05 | 000,000,492 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/07/16 20:51:05 | 000,000,026 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/07/16 20:48:08 | 008,892,928 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2009/07/16 19:41:28 | 000,001,041 | ---- | C] () -- C:\WINDOWS\ULead32.ini
[2009/07/15 13:07:48 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS6y.DLL
[2009/07/13 23:04:52 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Clive\Application Data\pcouffin.cat
[2009/07/13 23:04:52 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Clive\Application Data\pcouffin.inf
[2009/07/13 18:46:43 | 000,000,398 | ---- | C] () -- C:\WINDOWS\System32\CNCMP60.INI
[2009/07/13 18:46:38 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\CNCFMS60.EXE
[2009/07/12 12:55:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/07/11 15:27:44 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/07/10 17:48:07 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/07/10 17:44:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/07/10 10:33:47 | 000,004,346 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/07/10 10:32:54 | 001,682,928 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/08/21 22:46:34 | 000,059,160 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2006/10/22 14:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 14:22:00 | 001,622,016 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/10/22 14:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 14:22:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/10/22 14:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 14:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 14:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 14:22:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/10/22 14:22:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/10/22 14:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/22 14:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/08/04 22:24:28 | 000,010,747 | ---- | C] () -- C:\WINDOWS\System32\UDBDef.exe
[2005/11/24 14:49:26 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2004/09/16 15:24:26 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2003/07/01 14:44:08 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\btsendto_ie.dll
[2003/07/01 14:43:18 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\btsendto_wab.dll
[2003/07/01 14:38:40 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2003/07/01 14:29:10 | 000,022,183 | ---- | C] () -- C:\WINDOWS\System32\drivers\btserial.sys
[2002/08/29 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/08/29 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/08/29 07:00:00 | 000,503,138 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/08/29 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/08/29 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/08/29 07:00:00 | 000,162,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\netbt.sys
[2002/08/29 07:00:00 | 000,088,628 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/08/29 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/08/29 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/08/29 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/08/29 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/08/29 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/11/14 15:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[2000/06/12 03:37:18 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\mtstack.exe
[2000/03/30 00:00:00 | 000,125,440 | ---- | C] () -- C:\WINDOWS\System32\UNZDLL.DLL
[1999/10/23 20:29:44 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\UNRAR.DLL
[1999/08/11 17:28:02 | 000,101,888 | ---- | C] () -- C:\WINDOWS\System32\LIBBZ2.DLL
[1999/05/21 23:10:00 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\ZIPDLL.DLL
[1998/04/07 02:00:00 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\ODBCMON.DLL
[1998/01/28 02:06:04 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\UNACE.DLL
[1996/11/17 02:00:00 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\WRKGADM.EXE
[1996/11/17 02:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1996/11/17 02:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996/11/17 02:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== LOP Check ==========

[2011/03/15 00:54:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Amazon
[2011/09/21 12:45:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Animal Software
[2009/09/03 02:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Ashampoo
[2011/11/14 01:09:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Auslogics
[2011/02/11 04:42:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Auto Click Profits
[2010/06/29 01:00:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Autodesk
[2011/04/01 07:30:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Backslash
[2011/09/30 17:35:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Canon
[2011/10/05 19:36:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\CBS Interactive
[2011/09/17 19:45:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/04/14 20:42:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\CopyToDvd
[2010/08/13 00:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\DAEMON Tools Lite
[2010/08/10 19:31:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\DassaultSystemes
[2011/11/17 00:32:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Domain Name Analyzer v4.1
[2009/11/26 22:50:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\DonationCoder
[2010/10/11 12:56:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\DWGeditor
[2009/11/19 02:31:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\EBookSys
[2010/08/10 19:31:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\EDrawings
[2011/12/12 19:20:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\FixZeroAccess
[2009/07/22 11:15:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\GlarySoft
[2009/07/14 01:55:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\GlobalSCAPE
[2011/12/07 13:30:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\gtk-2.0
[2009/07/22 17:40:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\JAM Software
[2011/02/04 13:25:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Keyword Advantage
[2010/08/30 00:34:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Luxology
[2011/03/06 20:21:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1
[2011/10/02 16:33:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\MySQL
[2011/01/28 14:33:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Nokia
[2011/10/12 11:05:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Notepad++
[2009/08/11 18:42:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Nuance
[2009/11/02 16:34:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Nvu
[2009/08/02 12:19:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Opera
[2011/08/21 13:39:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\OutWit
[2011/09/15 00:30:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\PandoraRecovery
[2010/04/14 12:30:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Participatory Culture Foundation
[2010/06/25 16:35:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\PC Suite
[2011/12/07 15:21:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\PCF-VLC
[2009/08/01 20:28:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\pdf995
[2011/10/10 13:22:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\phpDesigner
[2011/09/29 18:01:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Replay Media Catcher 4
[2009/07/22 13:16:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\ScanSoft
[2009/10/11 03:28:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Softnik Technologies
[2011/09/20 21:10:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\SynchroMaster
[2011/08/08 22:56:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\TeamViewer
[2010/11/20 16:35:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Tific
[2011/07/10 01:55:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Usenet.nl
[2011/12/07 18:06:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\UseNeXT
[2010/05/24 12:25:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Vso
[2011/03/02 19:01:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\WordWeb
[2010/03/12 16:18:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\YouSendIt
[2009/07/22 13:16:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Clive\Application Data\Zeon
[2011/08/11 10:09:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\1Click DVD Copy
[2011/03/18 17:00:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applian
[2009/09/03 02:29:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ashampoo
[2010/07/05 19:08:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2011/10/13 11:27:56 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEGV
[2010/07/05 20:46:39 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[2010/08/12 11:42:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2010/08/10 19:31:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DassaultSystemes
[2009/11/26 20:35:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DonationCoder
[2011/01/28 15:33:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2011/09/30 00:47:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MySQL
[2010/06/25 01:46:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nokia
[2010/07/18 18:06:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NokiaInstallerCache
[2009/08/11 18:35:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance
[2009/11/12 15:17:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OLYMPUS
[2010/06/25 16:35:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2010/02/02 17:29:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2011/09/27 13:49:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\phpDesigner
[2009/09/02 23:57:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlotSoft
[2011/09/17 18:03:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\regid.1986-12.com.adobe
[2010/01/25 23:47:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RetroExp
[2009/08/11 18:35:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/07/13 10:33:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
[2009/11/11 17:52:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
[2009/11/14 17:12:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tanagra
[2011/09/20 23:20:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/07/14 00:49:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2010/05/06 13:33:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/12/17 14:04:23 | 000,000,312 | ---- | M] () -- C:\WINDOWS\Tasks\GlaryInitialize.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 409 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E36085B5
@Alternate Data Stream - 217 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F35A93AD
@Alternate Data Stream - 182 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9FB286BF
@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:12F3A419
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A5B56640
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5B18E8E9
< End of report >

Re: Tidserv Activity 2

AND I will do the following when I can

Please run the SAS, MBAM and DDS scans and post the logs here.

Cheers
CB

Re: Tidserv Activity 2

* Open OTL
* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

Code:

:OTL

O2 - BHO: (FlpLauncher Class) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - File not found
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O4 - HKLM..\Run: [Acrobat Assistant 8.0] File not found
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] File not found
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKU\Clive_ON_C..\Run: [OpAgent] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\USB Sharing.lnk = File not found
O9 - Extra Button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - File not found
O9 - Extra 'Tools' menuitem : Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - File not found
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - File not found
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - File not found
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - File not found
O9 - Extra 'Tools' menuitem : @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - File not found
O9 - Extra Button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - File not found
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - File not found

:folders

C:\Program Files\Search Toolbar

:COMMANDS
[resethosts]
[purity]
[start explorer]


* Click Run Fix
* OTLI2 may ask to reboot the machine. Please do so if asked.
* Click OK
* A report will open. Copy and Paste that report in your next reply.

Re: Tidserv Activity 2

I ran the Fix and it said "process completed", but no log file or whatever opened up, and the only relevant text file I could find was the one below, which was in a C:\OTL\MovedFiles folder and was called 12172011_214116.log.


========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4401FDC3-7996-4774-8D2B-C1AE9CD6CC25}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4401FDC3-7996-4774-8D2B-C1AE9CD6CC25}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ deleted successfully.
File C:\Program Files\Search Toolbar\SearchToolbar.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Acrobat Assistant 8.0 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Malwarebytes' Anti-Malware deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully.
Registry value HKEY_USERS\Clive_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\OpAgent deleted successfully.
File move failed. C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Start Menu\Programs\Startup\USB Sharing.lnk scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{36ECAF82-3300-8F84-092E-AFF36D6C7040}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36ECAF82-3300-8F84-092E-AFF36D6C7040}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{36ECAF82-3300-8F84-092E-AFF36D6C7040}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36ECAF82-3300-8F84-092E-AFF36D6C7040}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CCA281CA-C863-46ef-9331-5C8D4460577F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCA281CA-C863-46ef-9331-5C8D4460577F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CCA281CA-C863-46ef-9331-5C8D4460577F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCA281CA-C863-46ef-9331-5C8D4460577F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB858B22-55E2-413f-87F5-30ADC5552151}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB858B22-55E2-413f-87F5-30ADC5552151}\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype-ie-addon-data\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91774881-D725-4E58-B298-07617B9B86A8}\ deleted successfully.
File {91774881-D725-4E58-B298-07617B9B86A8} - File not found not found.
Error: Unable to interpret <:folders> in the current context!
Error: Unable to interpret in the current context!
========== COMMANDS ==========
HOSTS file reset successfully

OTLPE by OldTimer - Version 3.1.48.0 log created on 12172011_214116
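The fix report above is the only record of what OTL actually did, so it is worth reading line by line rather than stopping at "process completed". As an added example (not OTL's code and not the helper's), this parser classifies each result line of such a report and surfaces the two points a reviewer would raise here: the `:folders` section that OTL refused to interpret, so the folder under it was never touched, and the Winsock Protocol_Catalog9 entries that were deleted. The sample log is a constructed excerpt in the report's format.

```python
"""Summarise an OTL fix report: what was deleted, what was not found, what
was deferred to reboot, and which script sections OTL refused to interpret.

Added example, not OTL's own code. SAMPLE_FIX_LOG is a constructed excerpt
in the format of the report posted in this thread."""
import re
from collections import Counter

SAMPLE_FIX_LOG = r"""
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4401FDC3-7996-4774-8D2B-C1AE9CD6CC25}\ deleted successfully.
File C:\Program Files\Search Toolbar\SearchToolbar.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
File move failed. C:\Documents and Settings\All Users\Start Menu\Programs\Startup\USB Sharing.lnk scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\ deleted successfully.
File {91774881-D725-4E58-B298-07617B9B86A8} - File not found not found.
Error: Unable to interpret <:folders> in the current context!
Error: Unable to interpret in the current context!
========== COMMANDS ==========
HOSTS file reset successfully
"""

# Outcome classes, tried in order. Each regex is anchored on the sentence tail,
# so a target such as "{...} - File not found" inside the line is harmless.
PATTERNS = [
    ("error", re.compile(r"^Error: Unable to interpret\s*(?:<(?P<directive>[^>]*)>)?")),
    ("deferred", re.compile(r"^File move failed\. (?P<target>.+?) scheduled to be moved on reboot\.$")),
    ("deleted", re.compile(r"^(?:Registry key|Registry value) (?P<target>.+?) deleted successfully\.$")),
    ("not_found", re.compile(r"^(?:Registry key|Registry value|File) (?P<target>.+?) not found\.$")),
]
# Winsock layered-provider catalog; deleting its entries breaks networking.
WINSOCK_CATALOG = re.compile(r"\\WinSock2\\Parameters\\Protocol_Catalog9\\", re.IGNORECASE)


def parse_fix_log(text):
    """Classify every result line and collect the details worth acting on."""
    summary = {"counts": Counter(), "rejected_sections": [], "deferred": [],
               "winsock_entries_deleted": 0, "hosts_reset": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=========="):
            continue
        if line == "HOSTS file reset successfully":
            summary["hosts_reset"] = True
            continue
        for kind, pat in PATTERNS:
            m = pat.match(line)
            if not m:
                continue
            summary["counts"][kind] += 1
            if kind == "error":
                summary["rejected_sections"].append(m.group("directive") or "<blank>")
            elif kind == "deferred":
                summary["deferred"].append(m.group("target"))
            elif kind == "deleted" and WINSOCK_CATALOG.search(m.group("target")):
                summary["winsock_entries_deleted"] += 1
            break
        else:
            summary["counts"]["unclassified"] += 1
    return summary


def findings(summary):
    """Turn the summary into the review points a helper would raise."""
    notes = []
    if summary["rejected_sections"]:
        notes.append("rejected script section(s) %s: items listed under them were never processed"
                     % ", ".join(summary["rejected_sections"]))
    if summary["winsock_entries_deleted"]:
        notes.append("%d Winsock Protocol_Catalog9 entries deleted: networking stays broken "
                     "until the catalog is rebuilt (netsh winsock reset)"
                     % summary["winsock_entries_deleted"])
    if summary["deferred"]:
        notes.append("%d file move(s) deferred to reboot: confirm after the restart"
                     % len(summary["deferred"]))
    return notes


if __name__ == "__main__":
    result = parse_fix_log(SAMPLE_FIX_LOG)
    print(dict(result["counts"]))
    for note in findings(result):
        print("-", note)
```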

Re: Tidserv Activity 2

I still need the logs from SAS, MBAM and DDS (2).

Re: Tidserv Activity 2

Hi Dave
It's party weekend here in the "Keys" (Bel Marin keys that is) so I'll have to do those tomorrow.
All the best
Clive
P.S. Three sequential Christmas parties yesterday!

Re: Tidserv Activity 2

Hi Dave
I have the logs from SAS, MBAM and DDS runs and will try to attach them here - hope it works better this time than any time before.
However, I read a story once where this crew of a few men were trying to cross the Pacific Ocean in a large wooden boat they had built themselves. Not being experts, they had not taken into account what a teredo worm can do to a wooden boat, and as they progressed they found themselves spending all their waking moments bailing or patching the boat as it sank further and further into the water and gradually became more like a giant sponge riddled with teredo wormholes than a functioning boat. I believe it broke up before they reached land, but they were close enough that they were rescued.
Unfortunately, I feel like that with my desktop. Now I have to go through two boot cycles every time to get it up and going - the first cycle resulting in a blue screen of death. Also, I find that quite a number of my vital applications don't work anymore - can't connect to the internet, can't fix that with Network Magic (Platform missing) or Internet Explorer (Winsock catalog missing).
I think I may have to bite the bullet and revert the system to factory state.
Please have a look at the attached files and let me have your thoughts.
Best regards
Clive

Re: Tidserv Activity 2

Download BlueScreenView to your desktop.
BlueScreenView
Unzip the downloaded file and double-click BlueScreenView.exe to run the program.
When scanning is done, go to EDIT - Select All.
Go to FILE - Save Selected Items, and save the report as BSOD.txt.
Open BSOD.txt in Notepad, copy all of the content, and paste it into your next reply.
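Once BSOD.txt exists, the first question is whether the crashes share one cause or are scattered. As an added example (not BlueScreenView's code and not the helper's), this groups the records of a saved report by bugcheck signature; the sample is constructed in the report's "Field : value" layout, with two records reusing values posted later in this thread and a third invented record (hypothetical driver name) so that a second signature exists.

```python
"""Group a BlueScreenView text report (EDIT > Select All, FILE > Save Selected
Items) by crash signature so a repeating fault stands out from one-off crashes.

Added example, not BlueScreenView's or the thread's code. Assumed layout: one
record per block between lines of '=', rows written as 'Field : value'."""
import re
from collections import defaultdict

# Constructed sample. The first two records reuse values posted later in this
# thread; the third is invented (hypothetical driver) to give a second signature.
SAMPLE_REPORT = """\
==================================================
Dump File         : Mini121911-02.dmp
Crash Time        : 12/19/2011 11:07:18 AM
Bug Check String  : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x1000008e
Parameter 1       : 0xc0000005
Parameter 2       : 0x80563bdc
Parameter 3       : 0xf6badc74
Crash Address     : ntoskrnl.exe+8cbdc
==================================================

==================================================
Dump File         : Mini121911-01.dmp
Crash Time        : 12/19/2011 5:49:07 AM
Bug Check String  : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x1000008e
Parameter 1       : 0xc0000005
Parameter 2       : 0x80563bdc
Parameter 3       : 0xf6ba9c74
Crash Address     : ntoskrnl.exe+8cbdc
==================================================

==================================================
Dump File         : Mini010112-01.dmp
Crash Time        : 1/1/2012 9:00:00 AM
Bug Check String  : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code    : 0x000000d1
Parameter 1       : 0x00000010
Parameter 2       : 0x00000002
Parameter 3       : 0x00000000
Crash Address     : hypothetical_example.sys+1c000
==================================================
"""

FIELD = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")


def parse_report(text):
    """Return one dict per dump record."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"="}:  # a separator line closes the current record
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD.match(line)
        if m:
            current[m.group("key").strip()] = m.group("value").strip()
    if current:
        records.append(current)
    return records


def signature(rec):
    """Fields that repeat when the same code path faults again. Parameter 3
    (for 0x8E the trap-frame address) and the time differ on every crash, so
    they are left out; the fields kept did not vary across this thread's dumps."""
    keys = ("Bug Check Code", "Parameter 1", "Parameter 2", "Crash Address")
    return tuple(rec.get(k, "").lower() for k in keys)


def group_crashes(text):
    """Map signature -> list of dump file names sharing it."""
    groups = defaultdict(list)
    for rec in parse_report(text):
        groups[signature(rec)].append(rec.get("Dump File", "?"))
    return dict(groups)


def triage(text):
    """How concentrated the crashes are on one signature. One dominant
    signature across days of reboots is a deterministic fault at a fixed
    kernel address, not random hardware error, and is what to line up
    against the infection and remediation timeline."""
    groups = group_crashes(text)
    total = sum(len(d) for d in groups.values())
    if not total:
        return {"total": 0, "distinct_signatures": 0, "dominant_signature": None,
                "dominant_dumps": [], "dominant_share": 0.0}
    sig, dumps = max(groups.items(), key=lambda kv: len(kv[1]))
    return {"total": total, "distinct_signatures": len(groups),
            "dominant_signature": sig, "dominant_dumps": dumps,
            "dominant_share": len(dumps) / total}
```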

Re: Tidserv Activity 2

Hi Dave
I've been away from my desk most of today but finally managed to create the BSOD file which I will attempt to paste below. If that doesn't work please look for it at http://cliveburton.com/TidservTrojanRemoval/
I would greatly appreciate a little insight into what you are looking for in all these files and also your best educated guess as to our chances of pulling this one out of the fire and, if so, when.
Best regards
Clive
===================================================
==================================================
Dump File : Mini121911-02.dmp
Crash Time : 12/19/2011 11:07:18 AM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6badc74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121911-02.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121911-01.dmp
Crash Time : 12/19/2011 5:49:07 AM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6ba9c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121911-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121511-06.dmp
Crash Time : 12/15/2011 10:21:15 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6bb5c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121511-06.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121511-05.dmp
Crash Time : 12/15/2011 10:02:14 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6bb5c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121511-05.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121511-04.dmp
Crash Time : 12/15/2011 4:52:11 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b81c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121511-04.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121511-03.dmp
Crash Time : 12/15/2011 4:25:40 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b79c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121511-03.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121511-02.dmp
Crash Time : 12/15/2011 4:21:58 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b65c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121511-02.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121511-01.dmp
Crash Time : 12/15/2011 4:00:44 AM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b61c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121511-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121411-03.dmp
Crash Time : 12/14/2011 9:45:32 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b61c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121411-03.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121411-02.dmp
Crash Time : 12/14/2011 3:06:33 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b75c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121411-02.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121411-01.dmp
Crash Time : 12/14/2011 3:01:20 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b71c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121411-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121311-01.dmp
Crash Time : 12/13/2011 6:39:01 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b7dc74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121311-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121211-02.dmp
Crash Time : 12/12/2011 10:16:35 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b83c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121211-02.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121211-01.dmp
Crash Time : 12/12/2011 4:19:35 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x1000000a
Parameter 1 : 0x000000b0
Parameter 2 : 0x00000002
Parameter 3 : 0x00000000
Parameter 4 : 0x8052d79e
Caused By Driver : CLASSPNP.SYS
Caused By Address : CLASSPNP.SYS+a456
File Description : SCSI Class System Dll
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2108)
Processor : 32-bit
Crash Address : ntoskrnl.exe+5679e
Stack Address 1 : CLASSPNP.SYS+a456
Stack Address 2 : CLASSPNP.SYS+9b89
Stack Address 3 : ntoskrnl.exe+c807
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121211-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121111-01.dmp
Crash Time : 12/11/2011 11:04:25 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc000009a
Parameter 2 : 0x805197d9
Parameter 3 : 0xba5b05e0
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+427d9
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+427d9
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121111-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini061811-01.dmp
Crash Time : 6/18/2011 10:27:30 AM
Bug Check String : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000007e
Parameter 1 : 0xc0000005
Parameter 2 : 0xf76d5895
Parameter 3 : 0xf7ac8bd8
Parameter 4 : 0xf7ac88d4
Caused By Driver : CLASSPNP.SYS
Caused By Address : CLASSPNP.SYS+4895
File Description : SCSI Class System Dll
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2108)
Processor : 32-bit
Crash Address : CLASSPNP.SYS+4895
Stack Address 1 : CLASSPNP.SYS+2d1d
Stack Address 2 : CLASSPNP.SYS+2cb1
Stack Address 3 : aksfridge.sys+21253
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini061811-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini053010-01.dmp
Crash Time : 5/30/2010 11:44:52 AM
Bug Check String : NTFS_FILE_SYSTEM
Bug Check Code : 0x00000024
Parameter 1 : 0x001902fe
Parameter 2 : 0xa06c5940
Parameter 3 : 0xa06c563c
Parameter 4 : 0xf76b4ae8
Caused By Driver : Ntfs.sys
Caused By Address : Ntfs.sys+42ae8
File Description : NT File System Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2111)
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c826
Stack Address 1 : Ntfs.sys+dff0
Stack Address 2 : Ntfs.sys+63c87
Stack Address 3 : ntoskrnl.exe+c807
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini053010-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 94,208
==================================================

==================================================
Dump File : Mini041410-01.dmp
Crash Time : 4/14/2010 5:55:09 PM
Bug Check String : NTFS_FILE_SYSTEM
Bug Check Code : 0x00000024
Parameter 1 : 0x001902fe
Parameter 2 : 0xf7c81940
Parameter 3 : 0xf7c8163c
Parameter 4 : 0xf76b4ae8
Caused By Driver : Ntfs.sys
Caused By Address : Ntfs.sys+42ae8
File Description : NT File System Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2111)
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c826
Stack Address 1 : Ntfs.sys+dff0
Stack Address 2 : Ntfs.sys+63c87
Stack Address 3 : ntoskrnl.exe+c807
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini041410-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 94,208
==================================================

==================================================
Dump File : Mini102609-01.dmp
Crash Time : 10/26/2009 8:05:43 AM
Bug Check String : NTFS_FILE_SYSTEM
Bug Check Code : 0x00000024
Parameter 1 : 0x001902fe
Parameter 2 : 0xf7c89940
Parameter 3 : 0xf7c8963c
Parameter 4 : 0xf76b4ae8
Caused By Driver : Ntfs.sys
Caused By Address : Ntfs.sys+42ae8
File Description : NT File System Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2111)
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c806
Stack Address 1 : Ntfs.sys+dff0
Stack Address 2 : Ntfs.sys+63c87
Stack Address 3 : ntoskrnl.exe+c7f7
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini102609-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 94,208
==================================================

==================================================
Dump File : Mini090309-01.dmp
Crash Time : 9/2/2009 11:54:36 PM
Bug Check String : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x100000d1
Parameter 1 : 0xf7f3c002
Parameter 2 : 0x00000002
Parameter 3 : 0x00000000
Parameter 4 : 0xf7aff0df
Caused By Driver : dvd43llh.sys
Caused By Address : dvd43llh.sys+10df
File Description : dvd43llh.sys
Product Name : DVD For Free
Company : RIF
File Version : 3.5.000
Processor : 32-bit
Crash Address : dvd43llh.sys+10df
Stack Address 1 : dvd43llh.sys+1962
Stack Address 2 : ntoskrnl.exe+cd38
Stack Address 3 : atapi.sys+76fc
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini090309-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 94,208
==================================================
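Reading a listing like the one above is a triage job: the question is whether the dumps share one signature (a single persistent cause, such as a corrupt or tampered module or a faulty driver) or are unrelated one-offs. The Python script below is an added example, not part of the thread or of BlueScreenView: it parses the "Key : Value" blocks, groups crashes by bug check and faulting address, and reports a signature that repeats inside a short window as well as crashes blamed on non-Microsoft drivers. The embedded sample is abridged from the records above, and the thresholds `min_repeats` and `window_days` are the script's own choices.

```python
"""Triage a BlueScreenView-style crash listing: "Key : Value" blocks fenced by
"=====" lines, as posted in the thread above."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: four records abridged from the listing above, keeping
# only the fields this script reads (the parser tolerates the full format).
SAMPLE_REPORT = """\
==================================================
Dump File : Mini121511-06.dmp
Crash Time : 12/15/2011 10:21:15 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Caused By Driver : ntoskrnl.exe
Company : Microsoft Corporation
Crash Address : ntoskrnl.exe+8cbdc
==================================================
==================================================
Dump File : Mini121511-05.dmp
Crash Time : 12/15/2011 10:02:14 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Caused By Driver : ntoskrnl.exe
Company : Microsoft Corporation
Crash Address : ntoskrnl.exe+8cbdc
==================================================
==================================================
Dump File : Mini121411-01.dmp
Crash Time : 12/14/2011 3:01:20 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Caused By Driver : ntoskrnl.exe
Company : Microsoft Corporation
Crash Address : ntoskrnl.exe+8cbdc
==================================================
==================================================
Dump File : Mini090309-01.dmp
Crash Time : 9/2/2009 11:54:36 PM
Bug Check String : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Caused By Driver : dvd43llh.sys
Company : RIF
Crash Address : dvd43llh.sys+10df
==================================================
"""

FIELD_RE = re.compile(r"^([A-Za-z0-9 ]+?)\s*:\s*(.*)$")
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"


def parse_report(text: str) -> list[dict]:
    """Split the listing on separator lines and read each block's fields."""
    records = []
    for block in re.split(r"^=+\s*$", text, flags=re.MULTILINE):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Dump File" in fields:  # skip the empty gaps between records
            fields["_time"] = datetime.strptime(fields["Crash Time"], TIME_FMT)
            records.append(fields)
    return records


def cluster_signatures(records: list[dict]) -> dict[tuple, dict]:
    """Group crashes by (bug check, faulting address): the same pair across
    many dumps points at one consistent trigger, not random hardware faults."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "dumps": []})
    for r in records:
        g = groups[(r["Bug Check String"], r["Crash Address"])]
        t = r["_time"]
        g["count"] += 1
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)
        g["dumps"].append(r["Dump File"])
    return dict(groups)


def triage(records: list[dict], min_repeats: int = 3, window_days: int = 14) -> list[str]:
    """Findings: a signature repeating inside a short window (the pattern the
    thread shows during the infection) and crashes blamed on non-Microsoft
    drivers, the usual suspects behind isolated bug checks."""
    findings = []
    for (bugcheck, addr), g in cluster_signatures(records).items():
        if (g["count"] >= min_repeats
                and g["last"] - g["first"] <= timedelta(days=window_days)):
            findings.append(f"REPEATING {bugcheck} at {addr}: {g['count']} dumps "
                            f"between {g['first']:%Y-%m-%d} and {g['last']:%Y-%m-%d}")
    for r in records:
        if "microsoft" not in r.get("Company", "").lower():
            findings.append(f"THIRD-PARTY {r['Caused By Driver']} ({r.get('Company', '?')}) "
                            f"blamed in {r['Dump File']}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_report(SAMPLE_REPORT)):
        print(finding)
```

Run against the full listing, the same grouping shows thirteen dumps sharing the ntoskrnl.exe+8cbdc signature within the December window, while the Ntfs.sys, CLASSPNP.SYS and dvd43llh.sys crashes are scattered single events from earlier years.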

Re: Tidserv Activity 2
I would greatly appreciate a little insight into what you are looking for in all these files and also your best educated guess as to our chances of pulling this one out of the fire and, if so, when.

At this point it looks like an infected or corrupt file
Please run this even if you don't have the OS disk and let me know the results.
Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:
* Click on Start > Run, type sfc /scannow and then press Enter (note the space between sfc and /scannow).
* Let this run undisturbed until the window with the blue progress bar goes away.
SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
*********************************************************
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

and save it to your Desktop.
It would be easiest to download using Internet Explorer.
If you want to use Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
Double click ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
[image: Query_RC]
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: RC_successful]

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix

Re: Tidserv Activity 2
Hi Dave
Sorry - I wasn't able to do much towards the "war" effort today. I had to use my desktop for a number of things today and, amazingly, I am not getting any error messages now. Tomorrow I will follow your suggestions above. However, I don't have a copy of XP - only the Recovery disks that came with the computer (dreadful idea that!). So, should I try running SFC with the existing XP system on the desktop? Wasn't sure what to do there.
Best regards
Clive

Re: Tidserv Activity 2
rich_hilton wrote:
Hi Dave
Sorry - I wasn't able to do much towards the "war" effort today. I had to use my desktop for a number of things today and, amazingly, I am not getting any error messages now. Tomorrow I will follow your suggestions above. However, I don't have a copy of XP - only the Recovery disks that came with the computer (dreadful idea that!). So, should I try running SFC with the existing XP system on the desktop? Wasn't sure what to do there.
Best regards
Clive

Please run the SFC check even if you don't have the disk. If it finds a corrupt or missing file, it will prompt you for the disk.

Re: Tidserv Activity 2
Hi Dave
I could only run ComboFix.
It discovered that Rootkit.ZeroAccess had inserted itself into the tcp/ip stack and attempted to fix it.

Here's the logfile - gotta go.
Cheers
Clive
ComboFix 11-12-21.02 - Clive 12/21/2011 17:35:35.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1024.649 [GMT -8:00]
Running from: l:\combofix\ComboFix.exe
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\Extensions\{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469}
c:\documents and settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\Extensions\{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469}\chrome.manifest
c:\documents and settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\Extensions\{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469}\content\ff-overlay.xul
c:\documents and settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\Extensions\{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469}\content\overlay.js
c:\documents and settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\Extensions\{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469}\install.rdf
c:\documents and settings\Clive\g2mdlhlpx.exe
c:\documents and settings\Clive\GoToAssistDownloadHelper.exe
c:\documents and settings\Clive\WINDOWS
c:\program files\Common Files\Help
c:\program files\Common Files\Help\_updated.js
c:\program files\Common Files\Help\qnue.chm
c:\program files\Common Files\Help\qnue.lif
c:\program files\Common Files\Help\qnue.lt3
c:\program files\Common Files\Help\qnue.rul
c:\program files\Common Files\Help\quicken.chm
c:\program files\Common Files\Help\quicken.lif
c:\program files\Common Files\Help\Quicken.lt3
c:\program files\Common Files\Help\Quicken.rul
c:\program files\Common Files\Help\quickenProject.lt3
c:\program files\Common Files\Help\quickenProject.rul
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\windows\$NtUninstallKB20212$\1774397239\@
c:\windows\$NtUninstallKB20212$\1774397239\bckfg.tmp
c:\windows\$NtUninstallKB20212$\1774397239\cfg.ini
c:\windows\$NtUninstallKB20212$\1774397239\Desktop.ini
c:\windows\$NtUninstallKB20212$\1774397239\keywords
c:\windows\$NtUninstallKB20212$\1774397239\kwrd.dll
c:\windows\$NtUninstallKB20212$\1774397239\L\tyiycewx
c:\windows\$NtUninstallKB20212$\1774397239\lsflt7.ver
c:\windows\$NtUninstallKB20212$\1774397239\U\00000001.@
c:\windows\$NtUninstallKB20212$\1774397239\U\00000002.@
c:\windows\$NtUninstallKB20212$\1774397239\U\00000004.@
c:\windows\$NtUninstallKB20212$\1774397239\U\80000000.@
c:\windows\$NtUninstallKB20212$\1774397239\U\80000004.@
c:\windows\$NtUninstallKB20212$\1774397239\U\80000032.@
c:\windows\$NtUninstallKB20212$\686445642
c:\windows\system32\oobe\isperror
c:\windows\system32\oobe\isperror\ispcnerr.htm
c:\windows\system32\oobe\isperror\ispdtone.htm
c:\windows\system32\oobe\isperror\isphdshk.htm
c:\windows\system32\oobe\isperror\ispins.htm
c:\windows\system32\oobe\isperror\ispnoanw.htm
c:\windows\system32\oobe\isperror\isppberr.htm
c:\windows\system32\oobe\isperror\ispphbsy.htm
c:\windows\system32\oobe\isperror\ispsbusy.htm
c:\windows\system32\SET125F.tmp
c:\windows\system32\SET1263.tmp
c:\windows\system32\SET126B.tmp
J:\autorun.inf
K:\autorun.inf
c:\windows\$NtUninstallKB20212$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-11-22 to 2011-12-22 )))))))))))))))))))))))))))))))
.
.
2011-12-20 23:14 . 2001-08-17 21:47 6272 -c--a-w- c:\windows\system32\dllcache\apmbatt.sys
2011-12-20 23:14 . 2002-08-29 06:59 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys
2011-12-20 23:14 . 2001-08-17 21:52 12032 -c--a-w- c:\windows\system32\dllcache\amsint.sys
2011-12-20 23:14 . 2001-08-17 20:11 16969 -c--a-w- c:\windows\system32\dllcache\amb8002.sys
2011-12-20 23:14 . 2001-08-17 21:51 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys
2011-12-20 23:14 . 2001-08-17 21:49 26624 -c--a-w- c:\windows\system32\dllcache\alifir.sys
2011-12-20 23:14 . 2001-08-17 20:11 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys
2011-12-20 23:14 . 2001-08-17 22:07 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2011-12-20 23:14 . 2001-08-17 22:07 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2011-12-20 23:14 . 2001-08-17 21:52 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys
2011-12-20 02:51 . 2011-12-20 02:51 -------- d-----w- c:\program files\NirSoft
2011-12-18 02:41 . 2011-07-13 02:55 2237440 ----a-r- C:\OTLPE.exe
2011-12-18 02:37 . 2011-12-18 02:37 -------- d-----w- C:\_OTL
2011-12-15 06:00 . 2011-12-15 06:00 -------- d-----w- c:\documents and settings\Clive\Application Data\SUPERAntiSpyware.com
2011-12-15 05:57 . 2011-12-15 06:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-15 05:57 . 2011-12-15 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-12-14 20:04 . 2011-12-14 20:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-12-14 18:36 . 2011-12-14 18:36 388096 ----a-r- c:\documents and settings\Clive\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-14 18:36 . 2011-12-14 18:36 -------- d-----w- c:\program files\Trend Micro
2011-12-14 01:21 . 2011-12-14 01:21 709968 ----a-w- c:\windows\is-28FEL.exe
2011-12-13 02:24 . 2008-04-13 19:21 162816 ----a-w- C:\netbt.sys
2011-12-13 00:20 . 2011-12-13 00:20 -------- d-----w- c:\documents and settings\Clive\Application Data\FixZeroAccess
2011-12-12 23:10 . 2011-12-12 23:10 46640 ----a-w- c:\windows\system32\msln.exe
2011-12-12 22:55 . 2011-12-12 23:10 384414 ----a-w- c:\windows\system32\drivers\SMR210.dat
2011-12-12 22:55 . 2011-12-12 22:55 83064 ----a-w- c:\windows\system32\drivers\SMR210.SYS
2011-12-12 22:55 . 2011-12-13 00:08 -------- d-----w- c:\documents and settings\Clive\Local Settings\Application Data\NPE
2011-12-09 03:33 . 2011-12-11 22:51 -------- d-----w- c:\windows\system32\drivers\NIS\1302000.00A
2011-12-07 17:43 . 2011-12-07 17:43 -------- d-----w- c:\program files\Appnimi
2011-11-27 22:50 . 2011-11-05 03:20 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-11-27 22:50 . 2011-11-05 07:10 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-08 22:01 . 2010-11-21 00:15 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-12-08 22:01 . 2010-11-21 00:15 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-11-23 13:25 . 2002-08-29 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2006-06-23 18:33 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2002-08-29 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2002-08-29 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2005-07-26 04:31 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2002-08-29 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2002-08-29 12:00 2192768 ------w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2002-08-29 01:04 2069376 ------w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 21:29 . 2011-10-24 21:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 21:29 . 2011-10-24 21:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-22 04:02 . 2011-08-01 19:37 53248 ----a-r- c:\documents and settings\Clive\Application Data\Microsoft\Installer\{340D61BB-350A-40F4-8CFD-4F860E12066E}\ARPPRODUCTICON.exe
2011-10-22 04:02 . 2011-08-01 19:37 40960 ----a-r- c:\documents and settings\Clive\Application Data\Microsoft\Installer\{340D61BB-350A-40F4-8CFD-4F860E12066E}\NewShortcut2_8637FCC51F2244009511B0F022380F4D.exe
2011-10-22 04:02 . 2011-08-01 19:37 40960 ----a-r- c:\documents and settings\Clive\Application Data\Microsoft\Installer\{340D61BB-350A-40F4-8CFD-4F860E12066E}\NewShortcut1_A35BF946C93442D89CCA96E4AF7A10B3.exe
2011-10-18 11:13 . 2002-08-29 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2009-07-10 22:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2002-08-29 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-27 16:37 . 2009-07-17 01:48 8892928 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2002-08-29 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2002-08-29 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-25 05:49 . 2011-05-15 20:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-05 07:10 . 2011-04-09 17:05 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"MXOBG"="c:\windows\MXOALDR.EXE" [2003-10-10 94208]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MsDepSvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" -osboot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"d:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\WINDOWS\\system32\\hasplms.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\mafia ii - public demo\\launcher.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:Pure Networks Platform Service
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R0 SMR210;Symantec SMR Utility Service 2.1.0;c:\windows\system32\drivers\SMR210.SYS [12/12/2011 2:55 PM 83064]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/12/2010 8:44 AM 691696]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1302000.00A\symds.sys [12/8/2011 7:35 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1302000.00A\symefa.sys [12/8/2011 7:35 PM 897656]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\BASHDefs\20111210.003\BHDrvx86.sys [12/14/2011 4:20 PM 819320]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NIS\1302000.00A\ccsetx86.sys [12/8/2011 7:35 PM 132744]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 8:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 1:55 PM 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1302000.00A\ironx86.sys [12/8/2011 7:35 PM 149624]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 3:38 PM 116608]
R2 Apache2.2;Apache2.2;d:\xampplite\apache\bin\httpd.exe [10/1/2011 9:33 AM 29416]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 4:33 PM 249648]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 10:32 PM 189736]
R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/25/2009 5:36 PM 366152]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\19.2.0.10\ccsvchst.exe [12/8/2011 7:34 PM 138760]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 10:19 AM 50704]
R2 Secunia PSI Agent;Secunia PSI Agent;d:\program files\Secunia\PSI\psia.exe [12/21/2010 4:04 AM 987704]
R2 Secunia Update Agent;Secunia Update Agent;d:\program files\Secunia\PSI\sua.exe [12/21/2010 4:04 AM 399416]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [9/29/2011 3:06 PM 28256]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/9/2011 9:29 AM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\IPSDefs\20111216.001\IDSXpx86.sys [12/17/2011 10:16 AM 356280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/25/2009 5:36 PM 22216]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [7/13/2009 8:04 PM 47360]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 12:30 AM 15544]
S0 iycct;iycct;c:\windows\system32\drivers\bhcfi.sys --> c:\windows\system32\drivers\bhcfi.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/29/2009 7:34 AM 30192]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/22/2009 10:12 PM 133104]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [9/29/2011 3:06 PM 28256]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 6:31 PM 195336]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;d:\program files\SolidWorks\SolidWorks\swScheduler\DTSCoordinatorService.exe [10/15/2009 5:51 AM 87336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/22/2009 10:12 PM 133104]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S3 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [10/29/2010 1:42 PM 245888]
S4 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [4/1/2011 7:17 PM 67400]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 6:01 AM 2799808]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2011-12-22 c:\windows\Tasks\GlaryInitialize.job
- d:\program files\Glary Utilities\initialize.exe [2009-07-22 00:02]
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-23 06:12]
.
2011-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-23 06:12]
.
2011-12-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1390067357-839522115-1004Core.job
- c:\documents and settings\Clive\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-23 06:12]
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1390067357-839522115-1004UA.job
- c:\documents and settings\Clive\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-23 06:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mirostart.com/?cfg=2-365-0-QcG4
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Send To &Bluetooth - d:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.0.1
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3074349&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3074349&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-PowerArchiver - d:\powerarchiver\UNINST.EXE
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-21 18:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MsDepSvc]
"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\19.2.0.10\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(796)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(4192)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
d:\program files\Belkin\Bluetooth Software\bin\btwdins.exe
c:\program files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
c:\windows\system32\hasplms.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\xampplite\mysql\bin\mysqld.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2011-12-21 18:16:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-22 02:15
ComboFix2.txt 2009-11-26 01:10
.
Pre-Run: 46,555,459,584 bytes free
Post-Run: 47,568,580,608 bytes free
.
- - End Of File - - 5498EE1703427F4FC437FEE9804E69A1
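Two things in the ComboFix log above are what a reviewer scans for first: a boot-start driver entry (`S0 iycct`) whose image path is followed by `[?]` instead of a timestamp and size, and the Security Center `AntiVirusOverride`/`FirewallOverride` values together with `EnableFirewall`=0 for the standard firewall profile. The following Python script is an added example for this thread, not ComboFix's own code: it parses the `R*/S*` service lines and the registry value dump in ComboFix's layout and reports those findings. `SAMPLE_LOG` is constructed to mirror the relevant lines from the log; treating `[?]` as "ComboFix could not read the image file" is an assumption about its output format, and the override values are a triage signal, not proof of tampering (some security products set them).

```python
"""Triage the service list and Security Center values in a ComboFix log.

Added example for this thread, not ComboFix's own code. SAMPLE_LOG is
constructed to mirror entries in the log above; reading "[?]" as "ComboFix
could not read the image file" is an assumption about its output format.
"""
import re
from dataclasses import dataclass

# Constructed sample: registry dump lines plus R/S service lines.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/12/2010 8:44 AM 691696]
R2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/25/2009 5:36 PM 366152]
S0 iycct;iycct;c:\windows\system32\drivers\bhcfi.sys --> c:\windows\system32\drivers\bhcfi.sys [?]
S3 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [10/29/2010 1:42 PM 245888]
"""

# "R0 name;display;path [date size]"  or  "S0 name;display;path --> path [?]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)
SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')


@dataclass
class Service:
    state: str        # R = running, S = stopped
    start: int        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    path: str
    unreadable: bool  # "[?]" printed instead of date and size


@dataclass
class Finding:
    severity: str
    subject: str
    detail: str


def parse_services(log):
    """Extract every R*/S* service line into a Service record."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append(Service(m["state"], int(m["start"]), m["name"],
                                    m["path"], m["info"].strip() == "?"))
    return services


def parse_registry_values(log):
    """Map (section, value name) -> raw value text for the dumped registry keys."""
    values, section = {}, None
    for line in log.splitlines():
        line = line.strip()
        if s := SECTION_RE.match(line):
            section = s["key"].lower()
        elif section and (v := VALUE_RE.match(line)):
            values[(section, v["name"])] = v["value"]
    return values


def reg_int(raw):
    """Turn 'dword:00000001' or '0 (0x0)' into an int; None if not numeric."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"-?\d+", raw)
    return int(m.group()) if m else None


def triage(log):
    """Return the findings a reviewer would look at first."""
    findings = []
    for svc in parse_services(log):
        if svc.unreadable:
            # A boot-start (type 0) driver whose file cannot be read is the urgent case.
            sev = "high" if svc.start == 0 else "medium"
            findings.append(Finding(sev, svc.name, f"{svc.state}{svc.start} service, image not readable: {svc.path}"))
    for (section, name), raw in parse_registry_values(log).items():
        if section.endswith("security center") and name in ("AntiVirusOverride", "FirewallOverride") and reg_int(raw) == 1:
            findings.append(Finding("medium", name, "Security Center override set: no alerts for this component"))
        elif section.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and reg_int(raw) == 0:
            findings.append(Finding("medium", name, "Windows Firewall disabled for the standard profile"))
    return findings
```

Run `triage(open("ComboFix.txt").read())` against a saved log to get the same four kinds of finding the sample produces; the boot-start case is ranked highest because a type-0 driver loads before any user-mode scanner, which is also why a randomly named entry with an unreadable file is worth asking a helper about.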

Re: Tidserv Activity 2

Hi Dave
I have run ComboFix again since the 5:35PM run that produced the log above. It didn't complain about anything and Norton and a quick scan using MBAM didn't find anything though while it was running Norton Internet Security (Auto-Protect) said it was processing a security risk Trojan.ADH which it quarantined. I'm running a full scan of MBAM on all my desktop disks overnight.
Should I run SAS and DDS again and maybe apply any fixes they recommend?
All the best
Clive

Re: Tidserv Activity 2

Should I run SAS and DDS again and maybe apply any fixes they recommend?

You can run SAS and MBAM again, if you wish. I don't need to see DDS logs.

Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    Folder::
    c:\windows\$NtUninstallKB20212$


  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: Cfscriptb4]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • I don't need to see the log from this script.

***************************************************
SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Re: Tidserv Activity 2

Hi Dave
It seems that with your very knowledgeable help we might be getting somewhere. I ran ComboFix as you instructed, then SysProt AntiRootkit, and its log is pasted below.
The system seems to be behaving well - no messages and only one blue screen on Tuesday. None since.
Best regards
Clive
==============================================
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: spas.sys
Service Name: ---
Module Base: F751A000
Module End: F760D000
Hidden: Yes

Module Name: SYMDS.SYS
Service Name: SymDS
Module Base: F7415000
Module End: F746C000
Hidden: Yes

Module Name: SYMEFA.SYS
Service Name: SymEFA
Module Base: F7322000
Module End: F7403000
Hidden: Yes

Module Name: Combo-Fix.sys
Service Name: ---
Module Base: F769E000
Module End: F76AD000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\a2uvq3yu.SYS
Service Name: ---
Module Base: F6BF0000
Module End: F6C29000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F555E000
Module End: F5576000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7B70000
Module End: F7B72000
Hidden: Yes

Module Name: \??\C:\ComboFix\catchme.sys
Service Name: catchme
Module Base: BA581000
Module End: BA589000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: F7BE4000
Module End: F7BE6000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAlertResumeThread
Address: 8679A008
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAlertThread
Address: 86750A30
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAllocateVirtualMemory
Address: 86738D40
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAssignProcessToJobObject
Address: 867750F8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwConnectPort
Address: 86ADA628
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateKey
Address: F5910980
Driver Base: F58FA000
Driver End: F5920000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwCreateMutant
Address: 867A2120
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateSymbolicLinkObject
Address: 867C5100
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateThread
Address: 86777998
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDebugActiveProcess
Address: 867751B8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteKey
Address: F5910C00
Driver Base: F58FA000
Driver End: F5920000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwDeleteValueKey
Address: F5910F10
Driver Base: F58FA000
Driver End: F5920000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwDuplicateObject
Address: 86AA3918
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwEnumerateKey
Address: F7533DA4
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwEnumerateValueKey
Address: F7534132
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwFreeVirtualMemory
Address: 8679BB50
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwImpersonateAnonymousToken
Address: 867A2008
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwImpersonateThread
Address: 8679A110
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwLoadDriver
Address: 86817820
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwMapViewOfSection
Address: 867B29A0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenEvent
Address: 867BE008
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenKey
Address: F751B0C0
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwOpenProcess
Address: 86734718
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenProcessToken
Address: 867B15F8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenSection
Address: 867BE050
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenThread
Address: 867B20E8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwProtectVirtualMemory
Address: 867C5008
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwQueryKey
Address: F753420A
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwQueryValueKey
Address: F753408A
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwResumeThread
Address: 86738138
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetContextThread
Address: 867A3050
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetInformationProcess
Address: 867A3130
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetSystemInformation
Address: 8677E0F0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetValueKey
Address: F5911160
Driver Base: F58FA000
Driver End: F5920000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwSuspendProcess
Address: 867BE130
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSuspendThread
Address: 86757068
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateProcess
Address: 86753708
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateThread
Address: 86757148
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwUnmapViewOfSection
Address: 867B28E0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwWriteVirtualMemory
Address: 86738C50
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
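The SysProt log above lists every SSDT entry that does not point into the kernel itself, and for many of them it can only print `_unknown_` with a driver base of 0. A useful second pass is to cross-reference those hook addresses against the Kernel Modules section SysProt printed in the same run: a hook that lands inside a listed module's base/end range can be attributed to that module, and whatever is left is the short list to ask a helper about (in the log above the `_unknown_` addresses all sit in the `86xxxxxx` range, outside every listed module, so they would all land on that list; that is a prompt for follow-up, not a verdict). The script below is an added example for this thread, not SysProt's code. `SAMPLE_LOG` is a constructed excerpt in SysProt's layout; the `ZwLoadDriver` record at `F7420000` is invented so the range attribution has something to match.

```python
"""Cross-check SysProt AntiRootkit's SSDT and Kernel Modules sections.

Added example for this thread, not SysProt's own code. SAMPLE_LOG is a
constructed excerpt in SysProt's layout; the ZwLoadDriver record at
F7420000 is invented so that address-range attribution has a hit.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
******************************************************************************************
Kernel Modules:
Module Name: spas.sys
Service Name: ---
Module Base: F751A000
Module End: F760D000
Hidden: Yes

Module Name: SYMDS.SYS
Service Name: SymDS
Module Base: F7415000
Module End: F746C000
Hidden: Yes

******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: F5910980
Driver Base: F58FA000
Driver End: F5920000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwOpenKey
Address: F751B0C0
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwOpenProcess
Address: 86734718
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwLoadDriver
Address: F7420000
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
No Kernel Hooks found
"""

HEADER_RE = re.compile(r"^(Kernel Modules|SSDT|Kernel Hooks|IRP Hooks|Hidden Files):$")


def split_sections(log):
    """Return {header: body text} for each 'Header:' line SysProt emits."""
    sections, name, buf = {}, None, []
    for line in log.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            if name is not None:
                sections[name] = "\n".join(buf)
            name, buf = m.group(1), []
        elif name is not None:
            buf.append(line)
    if name is not None:
        sections[name] = "\n".join(buf)
    return sections


def parse_records(body):
    """Split a section body into dicts, one per blank-line-separated 'Key: Value' block."""
    records, cur = [], {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            if cur:
                records.append(cur)
                cur = {}
            continue
        key, sep, val = line.partition(":")   # first colon only: paths keep their "C:"
        if sep:
            cur[key.strip()] = val.strip()
    if cur:
        records.append(cur)
    return records


def analyze(log):
    """Group SSDT hooks by owning driver, attributing _unknown_ ones by module range."""
    sections = split_sections(log)
    modules = parse_records(sections.get("Kernel Modules", ""))
    hooks = parse_records(sections.get("SSDT", ""))
    ranges = [(m["Module Name"], int(m["Module Base"], 16), int(m["Module End"], 16))
              for m in modules]
    by_driver, unattributed = defaultdict(list), []
    for h in hooks:
        driver = h.get("Driver Name", "_unknown_")
        addr = int(h["Address"], 16)
        if driver == "_unknown_":
            owner = next((n for n, lo, hi in ranges if lo <= addr < hi), None)
            if owner is None:
                unattributed.append((h["Function Name"], h["Address"]))
                continue
            driver = f"{owner} (by address range)"
        by_driver[driver].append(h["Function Name"])
    # Hidden modules with no service name are the ones to ask about first.
    hidden_unnamed = [m["Module Name"] for m in modules
                      if m.get("Hidden") == "Yes" and m.get("Service Name") == "---"]
    return {"by_driver": dict(by_driver), "unattributed": unattributed,
            "hidden_unnamed": hidden_unnamed}
```

`analyze(open("SysProt.txt").read())` returns three lists: hooks grouped by the driver SysProt named or the module range they fall in, hooks that could not be placed in any listed module, and hidden modules with no service name. On the machine in this thread the Symantec and `spas.sys` entries would be expected for the installed software; the value of the script is the remainder, which it keeps short.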

Re: Tidserv Activity 2

I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the [image: EsetOnline] button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on [image: EsetSmartInstall] to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the [image: EsetSmartInstallDesktopIcon-1] icon on your desktop.

• Check [image: EsetAcceptTerms]
• Click the [image: EsetStart] button.
• Accept any security warnings from your browser.
• Check [image: EsetScanArchives]
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push [image: EsetListThreats]
• Push [image: EsetExport], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the [image: EsetBack] button.
• Push [image: EsetFinish]
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Re: Tidserv Activity 2

Hi Dave
Unfortunately I can no longer connect my desktop to the internet. I have Cisco's Network Magic installed on all of my machines and following its troubleshooting guide (plus sometimes actually having to unscrew the coax cable from the Comcast cable modem) has always got me out of trouble before. The Desktop is connected by Ethernet, as is my wife's desktop, which is still working fine, so I am at a bit of a loss to know what to do next. The fault seemed to occur after a run of SAS. I'm currently uninstalling the Realtek Ethernet driver and rebooting - it just found the Ethernet hardware after reboot so let's hope that works. Now I have to reboot again to satisfy "the software that supports your hardware" - I suppose that means Network Magic or maybe the driver?? Isn't this fun??
While I'm waiting for the 2nd reboot I have a question - how the hell do you know all this stuff - is this your day job too or just a (very serious) hobby?
OH lovely! - now Network Magic and IE tools can't detect the Ethernet Adapter even though it shows OK under Device Manager. I don't seem to have any good software for probing network Adapters - any suggestions?
I can download stuff on my laptop which is what I am using to communicate with you and the rest of the world.
Best regards
Clive

Re: Tidserv Activity 2

how the hell do you know all this stuff - is this your day job too or just a (very serious) hobby?

Over three years of training on-line. This is just a hobby. I couldn't get rich doing this for a living as everything is free.

Please download MiniToolBox to Desktop and run it.

[image: MiniToolBox]

Checkmark the following boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • List content of Hosts
  • List IP Configuration
  • List Last 10 Event Viewer Errors
  • List Users, Partitions and Memory Size

Click Go and copy/paste the log (Result.txt) into your next post.

Re: Tidserv Activity 2

Dear Dave
I just came online to thank you for all your help and wish you a very Merry Christmas - didn't expect a note from you on Christmas Eve!
Thanks very much!
Clearly you are not in this for the money - it's nice to communicate with someone who might be even more altruistic than I am - that's a rarity.
I'll do as you suggest with the MiniToolBox
Have a great Christmas Day.
Cheers
Clive

Re: Tidserv Activity 2

rich_hilton wrote:
Dear Dave
I just came online to thank you for all your help and wish you a very Merry Christmas - didn't expect a note from you on Christmas Eve!
Thanks very much!
Clearly you are not in this for the money - it's nice to communicate with someone who might be even more altruistic than I am - that's a rarity.
I'll do as you suggest with the MiniToolBox
Have a great Christmas Day.
Cheers
Clive

Malware never takes a holiday and neither do I. Merry Christmas.

Re: Tidserv Activity 2

Hi Dave
Here's the result of the MiniToolKit run.
I noticed this in the Result:-
========================================
Error: (12/26/2011 04:30:17 AM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT
========================================
I believe NetBT was spotted by one of the antivirus/Antispy applications as containing a Trojan and may have been erased or quarantined.
Is that possible and possibly the reason my networks adapter isn't working????
In a previous communication I said :-
======================================
Hi Dave
I could only run ComboFix
It discovered that Rootkit.ZeroAccess had inserted itself into the tcp/ip stack and attempted to fix it.
======================================
That sounds very suspect too! Might have stuffed up the tcp/ip communication.
Best regards
Clive


MiniToolBox by Farbar
Ran by Clive (administrator) on 26-12-2011 at 11:41:13
Microsoft Windows XP Home Edition Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration




========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Realtek RTL8139 Family PCI Fast Ethernet NIC = Local Area Connection 3 (Connected)
1394 Net Adapter = 1394 Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip



popd
# End of interface IP configuration




Windows IP Configuration



Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host bleepingcomputer.com. Please check the name and try again.



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/24/2011 11:28:23 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x042c22c8.
Processing media-specific event for [explorer.exe!ws!]

Error: (12/23/2011 04:31:42 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [explorer.exe!ws!]

Error: (12/22/2011 00:11:29 PM) (Source: Application Error) (User: )
Description: Fault bucket 1272456061.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (12/22/2011 00:11:27 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x676c8062.
Processing media-specific event for [explorer.exe!ws!]

Error: (12/22/2011 10:33:34 AM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot unload your registry file. The memory used by the registry has not been freed. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account. If this problem persists, contact your administrator.


DETAIL - Insufficient system resources exist to complete the requested service.

Error: (12/21/2011 07:56:09 PM) (Source: Application Error) (User: )
Description: Fault bucket 862106380.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (12/21/2011 07:55:57 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x05d522c8.
Processing media-specific event for [explorer.exe!ws!]

Error: (12/21/2011 06:03:27 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: with error: This operation returned because the timeout period expired.

Error: (12/21/2011 05:34:59 PM) (Source: SENS) (User: )
Description: Event System Win32 Error: No service is operating at the destination network endpoint on the remote system.

ServiceStart(): SensInitialize() failed

Error: (12/21/2011 05:33:04 PM) (Source: MySQL) (User: )
Description: Aborting


System errors:
=============
Error: (12/26/2011 04:30:53 AM) (Source: DCOM) (User: SYSTEM)
Description: The server {4EB61BAC-A3B6-4760-9581-655041EF4D69} did not register with DCOM within the required timeout.

Error: (12/26/2011 04:30:25 AM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

Error: (12/26/2011 04:30:17 AM) (Source: Service Control Manager) (User: )
Description: The Symantec Eraser Service service failed to start due to the following error:
%%1053

Error: (12/26/2011 04:30:17 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Symantec Eraser Service service to connect.

Error: (12/26/2011 04:30:17 AM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT

Error: (12/26/2011 04:30:17 AM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the following nonexistent service: NetBT

Error: (12/25/2011 08:40:41 PM) (Source: DCOM) (User: SYSTEM)
Description: The server {4EB61BAC-A3B6-4760-9581-655041EF4D69} did not register with DCOM within the required timeout.

Error: (12/25/2011 08:40:02 PM) (Source: Service Control Manager) (User: )
Description: The Symantec Eraser Service service failed to start due to the following error:
%%1053

Error: (12/25/2011 08:40:02 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Symantec Eraser Service service to connect.

Error: (12/25/2011 08:40:02 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT


Microsoft Office Sessions:
=========================
Error: (12/24/2011 11:28:23 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512unknown0.0.0.0042c22c8

Error: (12/23/2011 04:31:42 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.55120.0.0.000000000

Error: (12/22/2011 00:11:29 PM) (Source: Application Error)(User: )
Description: 1272456061

Error: (12/22/2011 00:11:27 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512unknown0.0.0.0676c8062

Error: (12/22/2011 10:33:34 AM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: Insufficient system resources exist to complete the requested service.

Error: (12/21/2011 07:56:09 PM) (Source: Application Error)(User: )
Description: 862106380

Error: (12/21/2011 07:55:57 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512unknown0.0.0.005d522c8

Error: (12/21/2011 06:03:27 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.

Error: (12/21/2011 05:34:59 PM) (Source: SENS)(User: )
Description: Event System Win32 Error: No service is operating at the destination network endpoint on the remote system.

ServiceStart(): SensInitialize() failed

Error: (12/21/2011 05:33:04 PM) (Source: MySQL)(User: )
Description: Aborting


========================= Memory info: ===================================

Percentage of memory in use: 31%
Total physical RAM: 1023.53 MB
Available physical RAM: 700.3 MB
Total Pagefile: 2461.45 MB
Available Pagefile: 1752.55 MB
Total Virtual: 2047.88 MB
Available Virtual: 1973.26 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:322.27 GB) (Free:43.81 GB) NTFS
3 Drive d: () (Fixed) (Total:143.49 GB) (Free:11.64 GB) NTFS
7 Drive h: (DRV2_VOL2) (Fixed) (Total:97.62 GB) (Free:0.83 GB) NTFS
8 Drive i: (DRV2_VOL1) (Fixed) (Total:14.16 GB) (Free:1.52 GB) FAT32
9 Drive j: (FreeAgent Drive) (Fixed) (Total:1397.26 GB) (Free:0.05 GB) NTFS
10 Drive k: (FreeAgent Drive) (Fixed) (Total:698.64 GB) (Free:70.45 GB) NTFS
11 Drive l: () (Removable) (Total:7.45 GB) (Free:0.08 GB) FAT32
12 Drive m: (Iomega HDD) (Fixed) (Total:1863.01 GB) (Free:732.77 GB) NTFS

========================= Users: ========================================

User accounts for \\CB-SONY-DESKTOP

Administrator ASPNET Clive
Guest HelpAssistant SUPPORT_388945a0


**** End of log ****

Re: Tidserv Activity 2
Please download Farbar Service Scanner and run it on the computer with the issue.

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Re: Tidserv Activity 2
Hi Dave
Here is the result of the Farbar scan.
Registry keys missing
Best regards
Clive
++++++++++++++++++++++++++++++++++++++++
Farbar Service Scanner
Ran by Clive (administrator) on 26-12-2011 at 22:10:18
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

Re: Tidserv Activity 2
Please run FSS again. It would appear that some of the log is missing.

Re: Tidserv Activity 2
Hi Dave
I checked all the boxes this time.
Cheers
Clive
==========================================
Farbar Service Scanner
Ran by Clive (administrator) on 27-12-2011 at 20:43:38
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) PSched(7) RFCOMM(9) SYMTDI(8) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000060000000700000009000000

**** End of log ****

Re: Tidserv Activity 2
The following steps involve registry editing. Please create a new restore point before proceeding!!!

How to:
XP - Create new Restore Point
Vista and Seven - Create a new Restore Point

Download XP.zip file from here: XP.zip
Unzip the file.
You'll find six files inside.
Right click on afd.reg file, click "Merge".
Allow registry merge.
Restart computer and see if internet works.

If not, please post a fresh Farbar Service Scanner log.

Re: Tidserv Activity 2
Hi Dave
Sorry - that didn't work.
I was interrupted for a long time and forgot to create a restore point - fortunately nothing seemed to crash and I have created one now.
It seems like the NetBt is the problem??? As I said earlier, I think it got clobbered by one of the AV/AS applications which found a trojan in it. I found this link, which sounds like my problem to me, but it horrifies me how much effort seems to be involved in rectifying it!
Whaddayathink? (I'm an Aussie, but have lived for nearly 15 years about 20 miles north of the Golden Gate Bridge.)

http://www.christowles.com/2011/11/how-to-reinstall-netbt-on-windows-xp.html

Below is the new Farbar log.
All the best.
Clive
=====================================
Farbar Service Scanner
Ran by Clive (administrator) on 28-12-2011 at 18:45:53
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) PSched(7) RFCOMM(9) SYMTDI(8) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000060000000700000009000000

**** End of log ****

Re: Tidserv Activity 2
Hello again Dave
I've looked at my registry and the entry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
is missing.
I have obtained a copy of NetBt.reg (see below) from the Chris Towles link in my last post. What, if anything, should I do with it?
Can I merge it with the registry as we did before?
=========================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"Description"="NetBios over Tcpip"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Linkage]
"OtherDependencies"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"Bind"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,\
00,69,00,70,00,5f,00,7b,00,34,00,38,00,43,00,35,00,37,00,43,00,39,00,44,00,\
2d,00,38,00,41,00,41,00,34,00,2d,00,34,00,37,00,44,00,45,00,2d,00,41,00,36,\
00,45,00,37,00,2d,00,38,00,35,00,39,00,46,00,30,00,35,00,44,00,44,00,39,00,\
30,00,43,00,34,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,\
00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,36,00,38,00,38,00,33,00,36,00,\
34,00,45,00,32,00,2d,00,43,00,35,00,44,00,43,00,2d,00,34,00,45,00,41,00,32,\
00,2d,00,41,00,30,00,30,00,46,00,2d,00,44,00,32,00,38,00,38,00,43,00,31,00,\
45,00,35,00,33,00,33,00,35,00,41,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,\
00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,30,00,38,00,\
30,00,39,00,41,00,38,00,43,00,30,00,2d,00,38,00,46,00,35,00,44,00,2d,00,34,\
00,37,00,30,00,46,00,2d,00,38,00,44,00,30,00,44,00,2d,00,30,00,45,00,33,00,\
35,00,37,00,31,00,33,00,33,00,31,00,30,00,36,00,37,00,7d,00,00,00,5c,00,44,\
00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,\
7b,00,41,00,44,00,33,00,37,00,39,00,30,00,32,00,33,00,2d,00,33,00,33,00,45,\
00,32,00,2d,00,34,00,32,00,42,00,41,00,2d,00,39,00,33,00,39,00,39,00,2d,00,\
43,00,44,00,38,00,31,00,43,00,45,00,30,00,46,00,45,00,30,00,33,00,38,00,7d,\
00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,\
69,00,70,00,5f,00,7b,00,46,00,44,00,31,00,36,00,36,00,38,00,34,00,37,00,2d,\
00,37,00,42,00,31,00,30,00,2d,00,34,00,35,00,45,00,33,00,2d,00,41,00,41,00,\
35,00,31,00,2d,00,38,00,37,00,32,00,33,00,44,00,39,00,41,00,30,00,34,00,31,\
00,31,00,33,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,\
54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,42,00,30,00,43,00,39,00,35,00,33,\
00,41,00,34,00,2d,00,42,00,45,00,31,00,35,00,2d,00,34,00,41,00,39,00,46,00,\
2d,00,39,00,31,00,34,00,31,00,2d,00,34,00,31,00,45,00,39,00,45,00,46,00,36,\
00,33,00,35,00,45,00,31,00,36,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,\
63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,32,00,30,00,44,\
00,42,00,36,00,35,00,31,00,31,00,2d,00,30,00,39,00,43,00,44,00,2d,00,34,00,\
45,00,37,00,39,00,2d,00,41,00,43,00,38,00,31,00,2d,00,42,00,35,00,41,00,30,\
00,38,00,33,00,45,00,43,00,41,00,33,00,31,00,36,00,7d,00,00,00,5c,00,44,00,\
65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,\
00,45,00,44,00,35,00,45,00,42,00,33,00,35,00,42,00,2d,00,32,00,37,00,30,00,\
44,00,2d,00,34,00,34,00,32,00,46,00,2d,00,39,00,42,00,35,00,41,00,2d,00,32,\
00,45,00,38,00,45,00,30,00,45,00,38,00,32,00,37,00,44,00,32,00,44,00,7d,00,\
00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,69,\
00,70,00,5f,00,7b,00,43,00,36,00,39,00,45,00,46,00,36,00,30,00,39,00,2d,00,\
46,00,35,00,36,00,35,00,2d,00,34,00,43,00,45,00,42,00,2d,00,42,00,34,00,37,\
00,44,00,2d,00,37,00,31,00,44,00,42,00,39,00,33,00,45,00,41,00,31,00,39,00,\
43,00,46,00,7d,00,00,00,00,00
"Route"=hex(7):22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,34,\
00,38,00,43,00,35,00,37,00,43,00,39,00,44,00,2d,00,38,00,41,00,41,00,34,00,\
2d,00,34,00,37,00,44,00,45,00,2d,00,41,00,36,00,45,00,37,00,2d,00,38,00,35,\
00,39,00,46,00,30,00,35,00,44,00,44,00,39,00,30,00,43,00,34,00,7d,00,22,00,\
00,00,22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,36,00,38,\
00,38,00,33,00,36,00,34,00,45,00,32,00,2d,00,43,00,35,00,44,00,43,00,2d,00,\
34,00,45,00,41,00,32,00,2d,00,41,00,30,00,30,00,46,00,2d,00,44,00,32,00,38,\
00,38,00,43,00,31,00,45,00,35,00,33,00,33,00,35,00,41,00,7d,00,22,00,00,00,\
22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,30,00,38,00,30,\
00,39,00,41,00,38,00,43,00,30,00,2d,00,38,00,46,00,35,00,44,00,2d,00,34,00,\
37,00,30,00,46,00,2d,00,38,00,44,00,30,00,44,00,2d,00,30,00,45,00,33,00,35,\
00,37,00,31,00,33,00,33,00,31,00,30,00,36,00,37,00,7d,00,22,00,00,00,22,00,\
54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,41,00,44,00,33,00,37,\
00,39,00,30,00,32,00,33,00,2d,00,33,00,33,00,45,00,32,00,2d,00,34,00,32,00,\
42,00,41,00,2d,00,39,00,33,00,39,00,39,00,2d,00,43,00,44,00,38,00,31,00,43,\
00,45,00,30,00,46,00,45,00,30,00,33,00,38,00,7d,00,22,00,00,00,22,00,54,00,\
63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,46,00,44,00,31,00,36,00,36,\
00,38,00,34,00,37,00,2d,00,37,00,42,00,31,00,30,00,2d,00,34,00,35,00,45,00,\
33,00,2d,00,41,00,41,00,35,00,31,00,2d,00,38,00,37,00,32,00,33,00,44,00,39,\
00,41,00,30,00,34,00,31,00,31,00,33,00,7d,00,22,00,00,00,22,00,54,00,63,00,\
70,00,69,00,70,00,22,00,20,00,22,00,7b,00,42,00,30,00,43,00,39,00,35,00,33,\
00,41,00,34,00,2d,00,42,00,45,00,31,00,35,00,2d,00,34,00,41,00,39,00,46,00,\
2d,00,39,00,31,00,34,00,31,00,2d,00,34,00,31,00,45,00,39,00,45,00,46,00,36,\
00,33,00,35,00,45,00,31,00,36,00,7d,00,22,00,00,00,22,00,54,00,63,00,70,00,\
69,00,70,00,22,00,20,00,22,00,7b,00,32,00,30,00,44,00,42,00,36,00,35,00,31,\
00,31,00,2d,00,30,00,39,00,43,00,44,00,2d,00,34,00,45,00,37,00,39,00,2d,00,\
41,00,43,00,38,00,31,00,2d,00,42,00,35,00,41,00,30,00,38,00,33,00,45,00,43,\
00,41,00,33,00,31,00,36,00,7d,00,22,00,00,00,22,00,54,00,63,00,70,00,69,00,\
70,00,22,00,20,00,22,00,4e,00,64,00,69,00,73,00,57,00,61,00,6e,00,49,00,70,\
00,22,00,00,00,00,00
"Export"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,\
00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,34,00,38,00,\
43,00,35,00,37,00,43,00,39,00,44,00,2d,00,38,00,41,00,41,00,34,00,2d,00,34,\
00,37,00,44,00,45,00,2d,00,41,00,36,00,45,00,37,00,2d,00,38,00,35,00,39,00,\
46,00,30,00,35,00,44,00,44,00,39,00,30,00,43,00,34,00,7d,00,00,00,5c,00,44,\
00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,\
54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,36,00,38,00,38,00,33,00,36,00,34,\
00,45,00,32,00,2d,00,43,00,35,00,44,00,43,00,2d,00,34,00,45,00,41,00,32,00,\
2d,00,41,00,30,00,30,00,46,00,2d,00,44,00,32,00,38,00,38,00,43,00,31,00,45,\
00,35,00,33,00,33,00,35,00,41,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,\
63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,\
00,70,00,5f,00,7b,00,30,00,38,00,30,00,39,00,41,00,38,00,43,00,30,00,2d,00,\
38,00,46,00,35,00,44,00,2d,00,34,00,37,00,30,00,46,00,2d,00,38,00,44,00,30,\
00,44,00,2d,00,30,00,45,00,33,00,35,00,37,00,31,00,33,00,33,00,31,00,30,00,\
36,00,37,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,\
00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,\
41,00,44,00,33,00,37,00,39,00,30,00,32,00,33,00,2d,00,33,00,33,00,45,00,32,\
00,2d,00,34,00,32,00,42,00,41,00,2d,00,39,00,33,00,39,00,39,00,2d,00,43,00,\
44,00,38,00,31,00,43,00,45,00,30,00,46,00,45,00,30,00,33,00,38,00,7d,00,00,\
00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,\
54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,46,00,44,00,31,00,36,\
00,36,00,38,00,34,00,37,00,2d,00,37,00,42,00,31,00,30,00,2d,00,34,00,35,00,\
45,00,33,00,2d,00,41,00,41,00,35,00,31,00,2d,00,38,00,37,00,32,00,33,00,44,\
00,39,00,41,00,30,00,34,00,31,00,31,00,33,00,7d,00,00,00,5c,00,44,00,65,00,\
76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,\
00,70,00,69,00,70,00,5f,00,7b,00,42,00,30,00,43,00,39,00,35,00,33,00,41,00,\
34,00,2d,00,42,00,45,00,31,00,35,00,2d,00,34,00,41,00,39,00,46,00,2d,00,39,\
00,31,00,34,00,31,00,2d,00,34,00,31,00,45,00,39,00,45,00,46,00,36,00,33,00,\
35,00,45,00,31,00,36,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,\
00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,\
5f,00,7b,00,32,00,30,00,44,00,42,00,36,00,35,00,31,00,31,00,2d,00,30,00,39,\
00,43,00,44,00,2d,00,34,00,45,00,37,00,39,00,2d,00,41,00,43,00,38,00,31,00,\
2d,00,42,00,35,00,41,00,30,00,38,00,33,00,45,00,43,00,41,00,33,00,31,00,36,\
00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,\
74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,45,00,44,\
00,35,00,45,00,42,00,33,00,35,00,42,00,2d,00,32,00,37,00,30,00,44,00,2d,00,\
34,00,34,00,32,00,46,00,2d,00,39,00,42,00,35,00,41,00,2d,00,32,00,45,00,38,\
00,45,00,30,00,45,00,38,00,32,00,37,00,44,00,32,00,44,00,7d,00,00,00,5c,00,\
44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,\
00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,43,00,36,00,39,00,45,00,46,00,\
36,00,30,00,39,00,2d,00,46,00,35,00,36,00,35,00,2d,00,34,00,43,00,45,00,42,\
00,2d,00,42,00,34,00,37,00,44,00,2d,00,37,00,31,00,44,00,42,00,39,00,33,00,\
45,00,41,00,31,00,39,00,43,00,46,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"CacheTimeout"=dword:000927c0
"BcastNameQueryCount"=dword:00000003
"BcastQueryTimeout"=dword:000002ee
"NameSrvQueryCount"=dword:00000003
"NameSrvQueryTimeout"=dword:000005dc
"Size/Small/Medium/Large"=dword:00000001
"SessionKeepAlive"=dword:0036ee80
"TransportBindName"="\\Device\\"
"EnableLMHOSTS"=dword:00000001
"DhcpNodeType"=dword:00000008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Security]
"Security"=hex:01,00,14,80,e8,00,00,00,f4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,b8,00,08,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,\
00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,14,\
00,40,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,00,14,00,40,00,00,00,\
01,01,00,00,00,00,00,05,14,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,\
00,00,05,20,00,00,00,2c,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

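Before merging a .reg file taken from a third-party web page, it is worth decoding exactly what it will write: a .reg file can also delete keys ([-Key]) and values ("name"=-), and an ImagePath stored as hex(2) is unreadable by eye. The script below is an added example for this thread, not Farbar's, Symantec's or the forum's code. It decodes the Regedit 5.00 value forms used in the NetBT.reg above (REG_SZ, REG_DWORD, hex REG_BINARY, hex(2) REG_EXPAND_SZ and hex(7) REG_MULTI_SZ, with backslash-continued data lines) and then checks that the Services\NetBT key the file would create has the Type, Start, ImagePath and DependOnService values a boot-time kernel driver needs. SAMPLE_REG is a constructed excerpt of the posted file with the long Bind/Route/Export and Security values left out; the rules in check_netbt_key are my own reading of the posted key, not a Microsoft specification.

```python
"""Decode a Regedit 5.00 .reg export before merging it (added example)."""
import re

NETBT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT"

# Constructed sample: the start of the NetBT.reg posted in this thread, with
# the long Bind/Route/Export values and the Security descriptor left out.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NameServerPort"=dword:00000089
"TransportBindName"="\\Device\\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
'''

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=rhs or @=rhs
_HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")               # hex: / hex(N):


def _logical_lines(text):
    """Yield lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):            # data continues on the next line
            buf = buf[:-1]
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def _unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def decode_value(rhs):
    """Return (registry type, Python value) for a value line's right-hand side."""
    if rhs == "-":
        return None                                   # "name"=- deletes the value
    if rhs.startswith('"') and rhs.endswith('"'):
        return ("REG_SZ", _unescape(rhs[1:-1]))
    if rhs.startswith("dword:"):
        return ("REG_DWORD", int(rhs[len("dword:"):], 16))
    m = _HEX_RE.match(rhs)
    if m:
        kind = int(m.group(1) or 3)                   # bare hex: is REG_BINARY (3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind == 2:                                 # REG_EXPAND_SZ, UTF-16LE
            return ("REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\0"))
        if kind == 7:                                 # REG_MULTI_SZ, NUL-separated
            return ("REG_MULTI_SZ",
                    [s for s in raw.decode("utf-16-le").split("\0") if s])
        return ("REG_BINARY" if kind == 3 else "hex(%d)" % kind, raw)
    raise ValueError("unsupported value syntax: %r" % rhs)


def parse_reg(text):
    """Map key path -> {value name: (type, value)}; None marks a [-Key] deletion."""
    tree, current = {}, None
    for line in _logical_lines(text):
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            if key.startswith("-"):
                tree[key[1:]], current = None, None   # [-Key] deletes the whole key
            else:
                current = tree[key] = tree.get(key) or {}
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("unexpected line: %r" % line)
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        current[name] = decode_value(m.group(2))
    return tree


def check_netbt_key(tree):
    """List what would stop the NetBT kernel driver loading from the parsed tree."""
    key = tree.get(NETBT_KEY)
    if not key:
        return ["Services\\NetBT key is absent or deleted"]

    def val(name, default=None):
        entry = key.get(name)
        return entry[1] if entry else default

    problems = []
    if val("Type") != 1:                                 # SERVICE_KERNEL_DRIVER
        problems.append("Type is not 1 (kernel driver)")
    if val("Start") not in (0, 1):                       # boot or system start
        problems.append("Start is not boot/system start")
    if (val("ImagePath") or "").lower() != r"system32\drivers\netbt.sys":  # form used in the posted file
        problems.append("ImagePath is %r, not system32\\DRIVERS\\netbt.sys" % val("ImagePath"))
    if "Tcpip" not in (val("DependOnService") or []):
        problems.append("DependOnService does not list Tcpip")
    problems += ["file deletes key %s" % p for p, v in tree.items() if v is None]
    return problems


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for path, values in parsed.items():
        print("[%s]" % path)
        for name, entry in (values or {}).items():
            print("  %s = %r" % (name, entry))
    print("problems:", check_netbt_key(parsed) or "none")
```

Run it against the downloaded file (open it, read it, pass the text to parse_reg) and read the decoded ImagePath and any "deletes key" lines before clicking Merge; the check only covers the NetBT key, so other keys in a file still need to be read by hand.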
Re: Tidserv Activity 2
Can I merge it with the registry as we did before?


Please try these first.

Download WinSockXPFix to fix broken LSP chain for XP (if needed).

  • Double click on WinsockXPFix.
  • Click Fix.

************************************************
Go Start>Run (Start search in Vista and 7), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

At Command Prompt, type in:
netsh int ip reset reset.log
Hit Enter.
Type in:
netsh winsock reset catalog
Hit Enter.

Re: Tidserv Activity 2
Please ignore the two instructions I posted in my previous post and try the following.

The following steps involve registry editing. Please create a new restore point before proceeding!!!

Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under the Security tab, while Everyone is selected, put a check mark in the box under Allow next to Full Control.
Click Apply and OK.

Download XP.zip file from here: XP.zip
Unzip the file.
You'll find six files inside.
Right click on Legacy_netbt.reg file, click "Merge".
Allow registry merge.

Please go back to the Root key again and, while Everyone is selected, remove the check mark in the box under Allow next to Full Control, then close the Registry Editor.
Restart computer.

Re: Tidserv Activity 2
Hi Dave
I just saw your new 4:03 PM message as I tried to post mine below.
Please have a look at what I've said and I'll have a look at yours.
Cheers
CB
============================
Hi Dave
Well I tried that and have not seen any joy.
I installed a USB wireless stick and it seems to communicate with the router just fine but no internet connection. Farbar says still no NetBt (do we really need that?).
I can't continue this much longer - I need to be able to use my desktop for certain tasks that I've been unable to do for 3 weeks.
I'm thinking of writing a DriveImage XML image from 2009 back onto the C drive and using that as a starting point to rebuild, or maybe just use the Sony system restore disks????
But the PCPIP seems to be the only problem?
How close are we do you think?
What about the Windows Recovery option on bootup?
Best regards
Clive
========================================
Latest Farbar output:-


Farbar Service Scanner
Ran by Clive (administrator) on 29-12-2011 at 16:45:13
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) PSched(7) RFCOMM(9) SYMTDI(8) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000060000000700000009000000

**** End of log ****

Re: Tidserv Activity 2
do we really need that?


Yes. This is what the latest infections do. They remove necessary registry keys. If you follow my latest set of instructions, I'm sure it will fix the problem.

Re: Tidserv Activity 2
Hi Dave
I tried your 4:03PM suggestion but still no joy. The Legacy_NetBt key exists (here's the entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT) and the entries inside it look reasonable compared to the Legacy_NetBios key (which I understand serves a similar function). But the FSS output below says that the NetBt registry key can't be opened????
Maybe this Network Diagnostics for Windows XP (courtesy of IE) holds the answer for someone who understands what it's trying to say. However, your 11:09 post, which I followed, looked like it should have fixed that, shouldn't it?
Regards
CB
P.S. I took the Dlink DWA130 USB wireless Stick out before running this. Note also that the 1394 is just a connection to an external HDD.
=================================================
Last diagnostic run time: 12/29/11 17:42:08 WinSock Diagnostic
WinSock status

info Error attmpting to validate the Winsock base providers: 2
error Not all base service provider entries could be found in the winsock catalog. A reset is needed.
info Redirecting user to support call



Network Adapter Diagnostic
Network location detection

info Using home Internet connection
Network adapter identification

info Network connection: Name=Local Area Connection 3, Device=Realtek RTL8139 Family PCI Fast Ethernet NIC, MediaType=LAN, SubMediaType=LAN
info Network connection: Name=1394 Connection, Device=1394 Net Adapter, MediaType=LAN, SubMediaType=1394
info Ethernet connection selected
Network adapter status

info Network connection status: Connected



HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved
error Could not make an HTTP connection.
error Could not make an HTTPS connection.
error Could not make an FTP connection.
=================================================
====================================================
Farbar Service Scanner
Ran by Clive (administrator) on 29-12-2011 at 17:29:49
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) PSched(7) RFCOMM(9) SYMTDI(8) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000060000000700000009000000

**** End of log ****

Re: Tidserv Activity 2
But the FSS output below says that the NetBt registry key can't be opened????


Did you do this first part?
Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.
Click Apply and OK.

Re: Tidserv Activity 2
Yes - and all the rest of it as well

Re: Tidserv Activity 2
I'm as sure as I can be that I followed all the instructions today to the letter.

Re: Tidserv Activity 2
Will you please try that fix again. It is supposed to fix your connection problem.

Re: Tidserv Activity 2
Hi Dave
Well I went carefully through that process again and still FSS says Unable to open NetBt registry key.
I have screen shots of the process as I actioned it but don't see any way to send them to you. Sometimes there is a file attachment box here, sometimes not??? Not one here right now.
FSS complained that there was an AutoIt Error on Line 2443 when I ran it, "Error: Variable used without being declared", so I downloaded FSS.exe afresh from the link you gave me and used the new version but still got the same error. Cheez this is painful - I never could understand when I heard that some people just dumped their virus-laden computers and went and bought a new one - now I do! In fact, although I still want to get this machine back in its right mind, I've decided that it is time to replace it as my main desktop after nearly nine years - it's amazing, given the grunty work I do on it like SolidWorks and Mefisto microwave models, that it has lasted me as well as it has. I have, very reluctantly, sprung for a new machine which is being built as I write (I hope).
Best regards
Clive
P.S. I should probably have mentioned previously that the XP machine has not been booting cleanly for several years, since I had a hard drive crash and replaced it with a new HDD and wrote the old (DriveImage XML) image back to the new drive. It kinda worked but I have to hit F2 as it is booting and then boot from within the BIOS. The boot order is correct. After - I'm afraid to say it really - 51 years dealing with computers on a daily basis I have always been able to troubleshoot things that aren't right and get myself out of trouble, but this time - no! Yeah! 51 years! I'll be 73 in February - am I the oldest geek in the world? I'm surely not. But I'll swear to you I am not making any errors. Not Ga Ga yet!


==================================================
Farbar Service Scanner
Ran by Clive (administrator) on 30-12-2011 at 17:35:25
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

Re: Tidserv Activity 2
Hi Again Dave
I found this advice on http://www.bleepingcomputer.com/forums/topic434831.html
================================================
You have two missing/corrupted registry keys.

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/windows-vista/create-a-restore-point-for-windows-vistas-system-restore/

Download XP.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find several files inside.
Right click on netbt.reg file, click "Merge".
Allow registry merge.

Then....

Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.
Click Apply and OK.
Go back to the files you downloaded in the previous step.
Double-click LEGACY_netbt.reg and confirm the prompt.
Please go back to the Root key again, while Everyone is selected remove the check mark in the box under Allow next to Full Control, and close the registry.
============================================

So I followed it (note that this includes the action
"Right click on netbt.reg file, click "Merge".
Allow registry merge."
which we hadn't been doing).

Now FSS gives:-
===============================================
Farbar Service Scanner
Ran by Clive (administrator) on 30-12-2011 at 18:39:28
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable
=================================================
So it's not complaining about being unable to open the registry key NetBt anymore - though it still isn't connecting to the internet. However, maybe if I do my tricks with unplugging the router and cable modem it might fetch an IP address and work OK (when my wife doesn't need the internet for her real estate transactions going on now).
Any other thoughts?
Best regards
Clive


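The registry repair quoted above (merging netbt.reg and LEGACY_netbt.reg, and temporarily granting Everyone Full Control on Enum\Root) is worth verifying afterwards rather than trusting the merge dialog. The following read-only PowerShell script is an added example, not part of the thread or of FSS; it re-checks what the FSS "NetBt" lines report and flags the one thing the procedure asks you to undo at the end. It assumes a PowerShell-capable Windows host and that NetBt's ImagePath should end in netbt.sys (the driver path FSS verified in the log above).

```powershell
# Added example (not from the thread): read-only checks for the registry state
# the quoted procedure is meant to restore. Run from an elevated PowerShell.
$svc  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBt'
$root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'

function Test-NetBtServiceKey {
    # Mirrors the FSS "Checking Start type / ImagePath" lines for NetBt.
    if (-not (Test-Path $svc)) {
        return [pscustomobject]@{ Exists = $false; Start = $null; ImagePath = $null; PathLooksRight = $false }
    }
    $p = Get-ItemProperty -Path $svc
    [pscustomobject]@{
        Exists         = $true
        Start          = $p.Start
        ImagePath      = $p.ImagePath
        # Assumption: a healthy NetBt ImagePath points at netbt.sys.
        PathLooksRight = [bool]($p.ImagePath -match '\\netbt\.sys$')
    }
}

function Test-LegacyNetBtKey {
    # The LEGACY_netbt.reg step recreates this plug-and-play enumeration key.
    Test-Path (Join-Path $root 'LEGACY_NETBT')
}

function Get-EveryoneFullControlOnRoot {
    # The procedure grants Everyone Full Control on Enum\Root only temporarily;
    # the last step removes it again. Any Allow/FullControl ACE left behind is a finding.
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    (Get-Acl -Path $root).Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full)
    }
}

$s = Test-NetBtServiceKey
"NetBt service key exists : $($s.Exists)"
"NetBt Start / ImagePath  : $($s.Start) / $($s.ImagePath) (looks right: $($s.PathLooksRight))"
"LEGACY_NETBT enum key    : $(Test-LegacyNetBtKey)"
if (Get-EveryoneFullControlOnRoot) {
    "WARNING: Everyone still has Allow Full Control on Enum\Root; remove it as the final step says."
} else {
    "Enum\Root: no leftover Everyone / Full Control ACE."
}
```

If the NetBt service key still reports as missing after the merge, the .reg file was not applied to the running CurrentControlSet; the script only reports and never modifies the registry.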