A trojan, downloader, and possibly rootkit (oh my!)


  • This topic is locked
2 replies to this topic

#1 Kenage

  • Members
  • 1 posts

Posted 16 October 2009 - 11:39 AM

Since you could not run a DDS / HJT scan, the ones you submitted will suffice.

edit: I forgot to add the results from GMER; they are included now.

My girlfriend downloaded a video off of Limewire to her computer, attempted to run it, and was presented with a webpage telling her she needed the latest version of the Adobe Flash Player. Unthinkingly she said to download it, but she kept getting the prompt so she kept accepting the download. To my knowledge she didn't run the "install" file. She told me she had a problem playing a video, so I watched what she did, and told her to stop immediately and unplugged her computer from the network.

A quick Task Manager check showed two immediately suspicious processes: b.exe and MSA.exe. I terminated them and started on a scan of her computer.

I've got a memory stick with some basic tools on it: MalwareBytes, Spybot S&D, Autoruns, HijackThis, ProcessExplorer, and ComboFix.exe.
When I inserted the stick into her computer, the virus/trojan/whatever also installed "shortcuts" to Documents, Pictures, etc. as well as an autorun.inf that all attempt to install various forms of malware on the next computer in a variety of ways.

Her computer already has MBAM, Spybot, and SUPERAntiSpyware installed, so I ran them. The first two both loaded, then when scanning both shut down, and would not run again. Windows throws the error "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." when trying.
The main exe files for the programs were either deleted or made invisible by the malware, so I reinstalled them and renamed their main exes, but with similar results.
SUPERAntiSpyware ran properly on a quick scan, which caught the MSA file and registry entry, along with a few other entries relating to NordBull and Poprock. The MSA.exe and registry entry were both in use, which SAS would delete upon restart. When I told SAS to restart my computer, I got a STOP 0x7E blue screen before the OS shut down. SAS then suffered the same fate as MBAM and Spybot.

I ran HijackThis, unfortunately with similar results: the program would start scanning, then close.
I ran Autoruns to see if I could at least ascertain some insertion point, and it also scans for a few seconds then closes.

I searched for b.exe and MSA.exe to delete them. In finding b.exe, I also found a.exe, c.exe, and d.exe, all created at the same time as b.exe, so I deleted those as well. MSA.exe was a little more difficult to find, but find it I did, and deleted it. I crawled through the registry and deleted the entries for msa.exe, as well as entries Poprock and NordBull.
The MSA.exe process keeps returning every time her computer boots normally.

Her computer doesn't have an anti-virus on it, so I plugged her back into the network and loaded up the McAfee online scan. It picked up several Downloader-BWS entries in the Recycle Bin.
After the scan finished, I unplugged her from the network again.

I searched through this forum for information, as well as the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum, and downloaded a few utilities: Win32Diag.exe; MGtools; dds.scr; RootRepeal; the free standalone virus scanner Dr. Web CureIt!; OTL.exe; and GMER.

At this point I rebooted her computer into Safe Mode to run the tools.

MGtools copies its folder and files first to my memory stick, then to the C:\MGtools folder. It closes down after a few seconds, throwing an error before the command line window disappears. All I can catch of it is some error with either creating or writing to the zip file it creates from a scan.
DDS.scr starts to run, then closes.
RootRepeal will close when it reaches a point in scanning the Files section after finding Volume Information locked by the Windows API.
Win32Diag.exe executes properly, and I have attached the log it prints out.

The Dr. Web CureIt! executable consistently detects BackDoor.Tdss.565 in various services, as well as the fake video file's embedded Trojan WMAloader. The first scan it was in explorer.exe, second in McciCMservice.exe, and on my most recent scan it's in a temporary file located in AppData\Local\Temp\dc04535117\98y2r6.exe. Each time CureIt! states that the infection has been eradicated, but after the scan the other tools continue to terminate early.

I ran OTL.exe, which completed a quick scan. The log is attached.

I also ran GMER, and I saved a log of the Rootkit/Malware results from its quick scan. This log is attached as well.

Additional help to rid her of this nasty infection would be very much appreciated.



===============================



Running from: J:\Win32kDiag.exe
Log file at : C:\Users\aaron's\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\Windows'...

Found mount point : C:\Windows\AppPatch\Custom\Custom
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1FB0.tmp\ZAP1FB0.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EBD.tmp\ZAP2EBD.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6DFE.tmp\ZAP6DFE.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9AF7.tmp\ZAP9AF7.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA5B0.tmp\ZAPA5B0.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAC16.tmp\ZAPAC16.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB0D7.tmp\ZAPB0D7.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Globalization\Globalization
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Help\Corporate\Corporate
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Microsoft.NET\authman\authman
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\nap\configuration\configuration
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Panther\setup.exe\setup.exe
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\PLA\Templates\Templates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SchCache\SchCache
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\security\templates\templates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Cannot access: C:\Windows\System32\cngaudit.dll
[1] 2006-11-02 05:46:03 61952 C:\Windows\System32\cngaudit.dll ()
[1] 2006-11-02 05:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
[1] 2009-10-16 01:03:40 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
[1] 2009-10-16 01:02:04 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
[1] 2009-10-16 01:02:28 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
[1] 2009-10-16 01:02:28 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTkerberos.etl
[1] 2009-10-16 01:07:21 3320 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTkerberos.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
[1] 2009-10-16 01:07:07 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()

Cannot access: C:\Windows\System32\WerFault.exe
[1] 2009-04-11 02:28:11 217088 C:\Windows\System32\WerFault.exe ()
[1] 2006-11-02 05:45:54 216064 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6000.16386_none_6dd05aa63fde4065\WerFault.exe (Microsoft Corporation)
[1] 2008-01-19 03:33:35 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe (Microsoft Corporation)
[1] 2008-01-19 03:33:35 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe (Microsoft Corporation)
[1] 2008-09-20 00:00:16 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFault.exe (Microsoft Corporation)
[1] 2009-04-11 02:28:11 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe ()

Found mount point : C:\Windows\twain_32\snpstd\snpstd
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames
Mount point destination : \Device\__max++>\^
Cannot access: C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe
[1] 2009-04-11 02:28:11 217088 C:\Windows\System32\WerFault.exe ()
[1] 2006-11-02 05:45:54 216064 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6000.16386_none_6dd05aa63fde4065\WerFault.exe (Microsoft Corporation)
[1] 2008-01-19 03:33:35 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe (Microsoft Corporation)
[1] 2008-01-19 03:33:35 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe (Microsoft Corporation)
[1] 2008-09-20 00:00:16 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFault.exe (Microsoft Corporation)
[1] 2009-04-11 02:28:11 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe ()


Finished!


===============================



OTL logfile created on: 10/16/2009 11:46:49 AM - Run 1
OTL by OldTimer - Version 3.0.21.0 Folder = C:\Users\aaron's\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18813)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): c:\pagefile.sys 4507 6144 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 135.13 Gb Total Space | 65.45 Gb Free Space | 48.44% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.64 Gb Free Space | 66.38% Space Free | Partition Type: NTFS
Drive E: | 7.70 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 1.89 Gb Total Space | 1.82 Gb Free Space | 96.52% Space Free | Partition Type: FAT
Drive Z: | 3.84 Gb Total Space | 3.51 Gb Free Space | 91.28% Space Free | Partition Type: NTFS

Computer Name: AARONS-PC
Current User Name: aaron's
Logged in as Administrator.

Current Boot Mode: SafeMode
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/10/16 11:15:06 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Users\aaron's\Desktop\OTL.exe
PRC - [2009/04/11 02:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\Explorer.EXE

========== Win32 Services (SafeList) ==========

SRV - [2009/08/04 11:27:09 | 00,604,488 | ---- | M] (TuneUp Software) -- C:\Windows\System32\TUProgSt.exe -- (TuneUp.ProgramStatisticsSvc [Auto | Stopped])
SRV - [2009/08/04 11:27:04 | 00,361,288 | ---- | M] (TuneUp Software) -- C:\Windows\System32\TuneUpDefragService.exe -- (TuneUp.Defrag [On_Demand | Stopped])
SRV - [2009/07/15 11:48:20 | 00,029,000 | ---- | M] (TuneUp Software) -- C:\Windows\System32\uxtuneup.dll -- (UxTuneUp [Auto | Stopped])
SRV - [2009/04/11 02:28:25 | 01,017,856 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wevtsvc.dll -- (Eventlog [Auto | Running])
SRV - [2009/03/30 00:42:14 | 00,066,368 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2009/02/18 14:39:20 | 00,043,904 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/02/18 14:38:43 | 00,129,880 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2009/02/18 14:38:42 | 00,879,448 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/01/26 15:31:10 | 01,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService [Auto | Stopped])
SRV - [2008/11/09 16:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService [Auto | Stopped])
SRV - [2008/05/03 01:16:00 | 00,118,784 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe -- (nvsvc [Auto | Stopped])
SRV - [2008/01/19 03:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [Auto | Running])
SRV - [2008/01/19 03:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2007/12/05 07:17:24 | 00,077,824 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters [Auto | Stopped])
SRV - [2007/10/25 17:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
SRV - [2007/10/18 12:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
SRV - [2007/10/02 11:30:08 | 00,303,104 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService [Auto | Stopped])
SRV - [2007/03/19 13:44:44 | 00,070,656 | ---- | M] () -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService [On_Demand | Stopped])
SRV - [2006/11/05 11:15:12 | 00,880,640 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9 [On_Demand | Stopped])
SRV - [2006/11/05 11:13:00 | 00,159,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9 [Auto | Stopped])
SRV - [2006/09/14 15:54:34 | 00,073,728 | ---- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr [On_Demand | Stopped])
SRV - [2006/08/04 20:39:20 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\DRIVERS\xaudio.exe -- (XAudioService [Auto | Stopped])
SRV - [2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?wl=true
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}:1.5.2.35
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: FirefoxToolbar@webwars.com:1.1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=ffds1&p="


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/03 18:36:33 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/18 08:25:55 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/18 08:25:55 | 00,000,000 | ---D | M]

[2009/09/03 09:11:51 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\mozilla\Extensions
[2009/02/28 21:06:48 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/09/03 09:11:51 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\mozilla\Extensions\mozswing@mozswing.org
[2009/10/15 22:28:19 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\mozilla\Firefox\Profiles\vyyrv2n6.default\extensions
[2009/08/03 19:59:20 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\mozilla\Firefox\Profiles\vyyrv2n6.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/05/26 10:24:39 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\mozilla\Firefox\Profiles\vyyrv2n6.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2009/08/14 09:21:30 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\mozilla\Firefox\Profiles\vyyrv2n6.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/09/26 21:41:01 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\mozilla\Firefox\Profiles\vyyrv2n6.default\extensions\FirefoxToolbar@webwars.com
[2009/05/25 13:52:56 | 00,001,546 | ---- | M] () -- C:\Users\aaron's\AppData\Roaming\Mozilla\FireFox\Profiles\vyyrv2n6.default\searchplugins\wowhead.xml
[2009/08/07 00:22:58 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/09/18 08:25:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/05/22 11:44:05 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/09/18 08:25:52 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/09/18 08:25:52 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/05/22 11:43:53 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/09/18 08:25:53 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/02/27 12:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/08/03 20:00:26 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/08/03 20:00:26 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/08/03 20:00:26 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/08/03 20:00:26 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/08/03 20:00:26 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/08/03 20:00:26 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/08/03 20:00:26 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (806 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [dscactivate] c:\dell\dsca.exe ( )
O4 - HKLM..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKCU..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe ()
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKCU..\Run: [Java Quick Start] C:\Users\aaron's\jusched.exe ()
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [MsnMsgr] C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Microsoft Corporation)
O4 - Startup: C:\Users\aaron's\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2009/05/23 09:14:02 | 00,000,000 | -H-D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BindDirectlyToPropertySetStorage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Search - Reg Error: Value error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\napinsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKLM\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: mcafee.com ([home] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} http://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...772/mcfscan.cab (McFreeScan Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/12/06 18:18:38 | 01,695,744 | R--- | M] (Electronic Arts) - E:\autorun.exe -- [ UDF ]
O32 - AutoRun File - [2005/12/06 18:18:38 | 01,695,744 | R--- | M] (Electronic Arts) - E:\Autorun.exe -- [ UDF ]
O32 - AutoRun File - [2005/11/18 17:44:26 | 00,000,049 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O32 - AutoRun File - [2009/02/04 16:30:52 | 00,000,000 | ---D | M] - J:\Autoruns -- [ FAT ]
O33 - MountPoints2\{35d32bce-8100-11de-b2d4-001aa05fa48f}\Shell\AutoRun\command - "" = J:\setupSNK.exe -- File not found
O33 - MountPoints2\{529d07fe-b49f-11dd-a2a9-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{529d07fe-b49f-11dd-a2a9-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Autorun.exe -- [2005/12/06 18:18:38 | 01,695,744 | R--- | M] (Electronic Arts)
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 14 Days ==========

[2 C:\Windows\*.tmp files]
[2009/10/16 01:41:24 | 00,000,000 | ---D | C] -- C:\Users\aaron's\AppData\Roaming\WebWars
[2009/10/16 11:46:38 | 00,521,216 | ---- | C] (OldTimer Tools) -- C:\Users\aaron's\Desktop\OTL.exe
[2009/10/16 03:09:16 | 00,000,000 | ---D | C] -- C:\MGTools
[2009/10/16 01:58:43 | 00,000,000 | ---D | C] -- C:\Windows\McAfee.com
[2009/10/02 13:36:31 | 00,000,000 | ---D | C] -- C:\Users\aaron's\Desktop\3.0.1.8874 US PTR Installer
[2004/01/28 00:59:00 | 00,036,864 | ---- | C] ( ) -- C:\Windows\System32\vsnpstd.dll
[2003/12/09 21:17:00 | 00,057,344 | ---- | C] ( ) -- C:\Windows\System32\csnpstd.dll

========== Files - Modified Within 14 Days ==========

[2 C:\Windows\*.tmp files]
[2009/10/16 11:43:24 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/10/16 11:43:16 | 00,000,000 | ---- | M] () -- C:\Windows\win32k.sys
[2009/10/16 11:41:58 | 00,012,966 | ---- | M] () -- C:\MGlogs.zip
[2009/10/16 11:36:08 | 00,196,608 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
[2009/10/16 11:36:07 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/10/16 11:35:59 | 00,000,244 | -H-- | M] () -- C:\Windows\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
[2009/10/16 11:35:56 | 01,492,545 | -H-- | M] () -- C:\Users\aaron's\AppData\Local\IconCache.db
[2009/10/16 11:33:53 | 00,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/10/16 11:33:53 | 00,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/10/16 11:15:06 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Users\aaron's\Desktop\OTL.exe
[2009/10/16 11:00:13 | 00,000,508 | ---- | M] () -- C:\Windows\tasks\1-Click Maintenance.job
[2009/10/16 11:00:11 | 00,000,290 | -H-- | M] () -- C:\Windows\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
[2009/10/16 03:04:21 | 00,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/10/16 03:04:21 | 00,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/10/16 03:04:21 | 00,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/10/16 02:54:27 | 00,000,806 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2009/10/16 01:54:20 | 02,382,879 | ---- | M] () -- C:\MGtools.exe
[2009/10/16 00:06:58 | 24,450,9218 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/10/15 22:58:19 | 00,167,936 | ---- | M] () -- C:\Windows\msa.exe
[2009/10/15 22:58:10 | 00,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2009/10/15 22:58:10 | 00,000,000 | RHS- | M] () -- C:\IO.SYS

========== Files - No Company Name ==========
[2009/10/16 11:39:53 | 00,012,966 | ---- | C] () -- C:\MGlogs.zip
[2009/10/16 11:35:56 | 01,492,545 | -H-- | C] () -- C:\Users\aaron's\AppData\Local\IconCache.db
[2009/10/16 03:10:01 | 02,382,879 | ---- | C] () -- C:\MGtools.exe
[2009/10/16 00:08:22 | 00,167,936 | ---- | C] () -- C:\Windows\msa.exe
[2009/10/15 22:58:10 | 00,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2009/10/15 22:58:10 | 00,000,000 | RHS- | C] () -- C:\IO.SYS
[2009/10/15 22:55:37 | 00,000,244 | -H-- | C] () -- C:\Windows\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
[2009/10/15 22:55:34 | 00,000,290 | -H-- | C] () -- C:\Windows\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
[2009/10/15 22:55:24 | 00,000,000 | ---- | C] () -- C:\Windows\win32k.sys
[2009/08/03 19:09:53 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/06/01 09:44:40 | 00,000,024 | ---- | C] () -- C:\Windows\System32\presets.ini
[2009/05/26 10:59:29 | 00,032,061 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/05/26 10:56:15 | 00,000,000 | ---- | C] () -- C:\Windows\I531_1013.INI
[2009/05/26 10:39:07 | 00,032,061 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2008/12/30 21:24:55 | 00,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2008/09/09 00:57:12 | 00,056,056 | ---- | C] () -- C:\Windows\System32\DLAAPI_W.DLL
[2008/09/09 00:57:11 | 00,000,120 | ---- | C] () -- C:\Windows\wininit.ini
[2008/09/09 00:27:56 | 00,000,125 | -HS- | C] () -- C:\ProgramData\.zreglib
[2008/07/04 00:59:00 | 00,000,177 | ---- | C] () -- C:\Users\aaron's\AppData\Local\rahistory.xml
[2008/06/12 12:18:00 | 00,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2008/06/03 17:29:50 | 00,007,620 | ---- | C] () -- C:\Users\aaron's\AppData\Local\d3d9caps.dat
[2007/12/27 02:20:52 | 00,000,526 | ---- | C] () -- C:\Users\aaron's\AppData\Roaming\wklnhst.dat
[2007/12/17 18:23:49 | 00,000,000 | ---- | C] () -- C:\Windows\iPlayer.INI
[2007/11/30 21:44:06 | 00,036,352 | ---- | C] () -- C:\Users\aaron's\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/30 21:34:00 | 00,081,248 | ---- | C] () -- C:\Users\aaron's\AppData\Local\GDIPFONTCACHEV1.DAT
[2007/10/16 12:21:56 | 00,876,544 | ---- | C] () -- C:\Windows\System32\TEACico2.dll
[2007/08/06 19:22:15 | 00,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2007/03/19 06:04:58 | 00,003,584 | ---- | C] () -- C:\Windows\System32\namResES.dll
[2007/03/19 06:04:58 | 00,003,072 | ---- | C] () -- C:\Windows\System32\namResIT.dll
[2007/03/19 06:04:58 | 00,003,072 | ---- | C] () -- C:\Windows\System32\namResFR.dll
[2007/03/19 06:04:58 | 00,003,072 | ---- | C] () -- C:\Windows\System32\namResENG.dll
[2007/03/19 06:04:58 | 00,003,072 | ---- | C] () -- C:\Windows\System32\namResDE.dll
[2007/03/19 06:04:56 | 00,003,584 | ---- | C] () -- C:\Windows\System32\namResPTB.dll
[2007/03/19 06:04:56 | 00,003,072 | ---- | C] () -- C:\Windows\System32\namResZHC.dll
[2007/03/19 06:04:56 | 00,003,072 | ---- | C] () -- C:\Windows\System32\namResKO.dll
[2007/03/19 06:04:56 | 00,003,072 | ---- | C] () -- C:\Windows\System32\namResJA.dll
[2007/03/19 06:04:54 | 00,022,016 | ---- | C] () -- C:\Windows\System32\nam_page.dll
[2007/03/19 06:04:54 | 00,003,072 | ---- | C] () -- C:\Windows\System32\namResZHT.dll
[2006/11/02 08:48:00 | 00,000,174 | -HS- | C] () -- C:\Program Files\desktop.ini
[2006/11/02 06:25:44 | 00,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 06:23:31 | 00,000,215 | ---- | C] () -- C:\Windows\system.ini
[2006/11/02 06:23:31 | 00,000,144 | ---- | C] () -- C:\Windows\win.ini
[2006/11/02 04:43:04 | 00,061,952 | ---- | C] () -- C:\Windows\System32\logevent.dll
[2006/11/02 04:43:04 | 00,061,952 | ---- | C] () -- C:\Windows\System32\cngaudit.dll
[2006/11/02 03:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/09/16 23:36:50 | 00,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/16 23:36:50 | 00,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2003/10/21 16:40:00 | 00,053,248 | ---- | C] () -- C:\Windows\System32\dsnpstd.dll

========== LOP Check ==========

[2009/10/16 01:41:24 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming
[2008/12/30 20:38:35 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\Acreon
[2007/12/17 18:25:25 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\CyberLink
[2009/05/24 17:45:50 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\Gena01
[2008/11/11 20:45:11 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\iWinArcade
[2009/10/15 22:53:15 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\LimeWire
[2007/12/10 17:13:49 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\Motive
[2007/12/21 15:46:32 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\Roxio
[2008/12/07 12:22:30 | 00,000,000 | RH-D | M] -- C:\Users\aaron's\AppData\Roaming\SecuROM
[2008/12/02 18:22:11 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\SPORE Creature Creator
[2008/02/06 03:18:20 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\Template
[2009/08/04 11:27:01 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\TuneUp Software
[2008/12/30 21:25:57 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\Ventrilo
[2009/10/16 01:41:24 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\WebWars
[2009/03/08 11:44:49 | 00,000,000 | ---D | M] -- C:\Users\aaron's\AppData\Roaming\Wizards of the Coast
[2009/10/16 11:00:13 | 00,000,508 | ---- | M] () -- C:\Windows\Tasks\1-Click Maintenance.job
[2009/10/16 11:36:07 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT
[2009/10/16 11:36:08 | 00,032,610 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2009/10/16 11:35:59 | 00,000,244 | -H-- | M] () -- C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
[2009/10/16 11:00:11 | 00,000,290 | -H-- | M] () -- C:\Windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\aaron's\Documents\Imported Photos 00001.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\aaron's\Documents\Imported Photos 00000.JPG:Roxio EMC Stream
@Alternate Data Stream - 487 bytes -> C:\ProgramData\TEMP:05EE1EEF
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:B623B5B8
@Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:DF53BA0A
< End of report >

===============================

OTL Extras logfile created on: 10/16/2009 11:46:49 AM - Run 1
OTL by OldTimer - Version 3.0.21.0 Folder = C:\Users\aaron's\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18813)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): c:\pagefile.sys 4507 6144 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 135.13 Gb Total Space | 65.45 Gb Free Space | 48.44% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.64 Gb Free Space | 66.38% Space Free | Partition Type: NTFS
Drive E: | 7.70 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 1.89 Gb Total Space | 1.82 Gb Free Space | 96.52% Space Free | Partition Type: FAT
Drive Z: | 3.84 Gb Total Space | 3.51 Gb Free Space | 91.28% Space Free | Partition Type: NTFS

Computer Name: AARONS-PC
Current User Name: aaron's
Logged in as Administrator.

Current Boot Mode: SafeMode
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\Windows\hh.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.txt [@ = txtfile] -- C:\Program Files\Win32Pad\win32pad.exe (Gennady Feldman)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SystemRoot%\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- C:\Program Files\Win32Pad\win32pad.exe "%L" (Gennady Feldman)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-70746708-2052560595-2369721371-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 2

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0938F039-A3AA-4CB7-A78D-F1E5F28D2BB9}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=c:\windows\system32\svchost.exe |
"{223AA753-0F33-4B7D-A78F-6602F75C7619}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{24801EAB-882F-4611-AF41-1D1B4E3E1F4F}" = lport=3724 | protocol=6 | dir=in | name=blizzard downloader: 3724 |
"{275E8282-1B66-4718-AF4C-42750F8E9211}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{28E957C8-0B14-4FCD-825C-EDA503BD6529}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{2C07401B-0507-4720-B6B1-3A1F10BF472C}" = rport=137 | protocol=17 | dir=out | app=system |
"{3359F0D1-6237-4193-AC6B-9B72219919C3}" = rport=445 | protocol=6 | dir=out | app=system |
"{4C067AC6-3E7C-4538-BF53-B22A50F3A91A}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{51E6A70E-6011-4BE2-82BA-3B1736BE0A92}" = lport=2869 | protocol=6 | dir=in | app=system |
"{5479FEC7-62C3-4FCA-AAEF-486440DCFCA9}" = lport=137 | protocol=17 | dir=in | app=system |
"{59C55F73-8F3F-44DC-BECF-991B698BF429}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{68A6532E-4B44-46D5-A590-35AA69F5E029}" = lport=10243 | protocol=6 | dir=in | app=system |
"{72402055-74F7-42DC-BE7E-5FE4E3621E3E}" = rport=10243 | protocol=6 | dir=out | app=system |
"{8905073B-8A87-49CF-AE77-32968BD75EE8}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=c:\windows\system32\svchost.exe |
"{8DF5E188-102E-44BC-83B1-FAB8BFE38F24}" = lport=139 | protocol=6 | dir=in | app=system |
"{AAD58CAE-A7DB-4980-90E4-ECA5C0A33EA7}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{AF61A959-B5DC-4239-87D1-6800AECA238C}" = lport=2869 | protocol=6 | dir=in | app=system |
"{B6B4E8AC-EDB7-439D-8DD8-893D80E86BE0}" = rport=138 | protocol=17 | dir=out | app=system |
"{BD41C68F-744A-424C-AADC-609B4BE5C9D9}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=c:\windows\system32\svchost.exe |
"{BF6F6540-0926-4BE8-BA00-F39789B58A4C}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=c:\windows\system32\svchost.exe |
"{C15A7EBD-0812-4742-8413-219AC5E9EFFC}" = lport=2869 | protocol=6 | dir=in | app=system |
"{D5125304-9468-42D9-8A56-03F2FF8BDE79}" = lport=445 | protocol=6 | dir=in | app=system |
"{D70F4FD5-E8B4-4CB4-A3A6-1889B998E021}" = lport=2869 | protocol=6 | dir=in | app=system |
"{E4B2686A-0C05-4737-934E-924067FA469A}" = lport=138 | protocol=17 | dir=in | app=system |
"{E8C7238E-3A80-4F5C-87FE-F33C8A2CC9B3}" = rport=139 | protocol=6 | dir=out | app=system |
"{EE53B0FE-1CFD-41FE-8200-CD0D40A84526}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{F5D13CC2-C19B-4FA4-A52B-6A328F6DE35A}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{F7712890-0D83-4533-8B65-7C24C1B77BB1}" = lport=2869 | protocol=6 | dir=in | app=system |
"{FBE2F377-F733-4F8D-8834-8846BAC2C5F3}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{035FA91E-E9B9-435A-8F89-359D10C9C2A5}" = protocol=17 | dir=in | app=c:\program files\windows media player\wmplayer.exe |
"{07A9AB9C-26B3-4822-B755-E2525188B9F8}" = dir=in | app=c:\program files\windows live\messenger\livecall.exe |
"{0A8028D5-95FA-43EF-AD9C-3809AC2E3271}" = protocol=17 | dir=in | app=c:\program files\curse\curseclient.exe |
"{1072EF9B-3FDC-4CB2-A0CA-E775620098A5}" = protocol=17 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{146C9EE5-010E-4CF4-9759-59A2CB72797E}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{15511739-281A-4EB7-9C82-A9CE49F95FA6}" = protocol=17 | dir=in | app=c:\program files\windows media player\wmplayer.exe |
"{156CDF6A-711F-4EB5-A52E-01DC9E8B8B11}" = protocol=17 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{243CF179-C2D6-4F76-83F4-BB5E0583D1EB}" = protocol=17 | dir=in | app=c:\program files\windows media player\wmpnetwk.exe |
"{257FEF0D-B66C-4179-A360-A603CC1DD532}" = protocol=6 | dir=out | svc=upnphost | app=c:\windows\system32\svchost.exe |
"{27E4756B-5716-4F53-AB8A-24276F2DE585}" = protocol=17 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{2A777796-F038-4DE4-8C1E-2379F0A37E22}" = protocol=6 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{2B5FFFDA-7181-492E-BF09-5540CE447697}" = protocol=17 | dir=out | app=c:\program files\windows media player\wmpnetwk.exe |
"{336A659B-8101-4F55-92F2-32DAD67360FE}" = dir=in | app=c:\program files\windows live\messenger\livecall.exe |
"{360D7D62-09CD-42AE-A0F1-F0CFE8B1B194}" = protocol=6 | dir=out | app=c:\windows\system32\wudfhost.exe |
"{380B9D7A-9510-4CB1-B562-841AD280C71C}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{3A45D6AB-1FDF-41CD-B427-D717DFC13342}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{3D2CFF45-D61E-4E6B-990F-DE73D369F343}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{40636728-D954-4C4E-ABDA-741EE0EF5EF9}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
"{42DBBC89-DCF0-4DBA-9810-34BF6CC56F2C}" = protocol=17 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{4761F293-B4F1-467C-A403-A3F6CB02390B}" = protocol=17 | dir=in | app=c:\program files\bellsouth\mccibrowser.exe |
"{592EA870-00BC-44DC-9759-BDFBF6DBBE1C}" = protocol=6 | dir=in | app=c:\program files\bellsouth\mccibrowser.exe |
"{5A8ADBEA-DC09-4355-AADB-FC752C8FB351}" = dir=in | app=c:\program files\windows live\messenger\livecall.exe |
"{5E89E878-5C3F-46BA-8A38-EE71D3862EE2}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{5F93993D-4794-4749-A1FF-D85446A0A7DA}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{6764A6D9-CB1E-4886-9E81-5F85DB5A643F}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{6E0CD7E4-3C66-4D81-9F58-81C7672CA0C1}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{7C606899-C354-47BC-BFFF-77225493C5F5}" = protocol=6 | dir=in | app=c:\program files\windows media player\wmpnetwk.exe |
"{8EE55C6A-AA91-4DE3-9EC3-91F1EBE60359}" = protocol=6 | dir=out | app=c:\program files\windows media player\wmpnetwk.exe |
"{90A79C5B-946B-48CB-8F0F-97896CBDE457}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{9512AF2D-3DDA-4398-830E-B98E7420ED4B}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{9636454E-61E4-44FB-B43C-CC80DA38C96C}" = protocol=6 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{AA5483E8-21FD-47A6-885E-33776D9F0E77}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
"{B20E8BF8-E56A-43BA-BA44-91A25B1CE16E}" = protocol=6 | dir=out | app=system |
"{BA6B343F-DB9A-4133-BB3E-4769BAB08D42}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{BEC10527-528C-4429-B49F-68A9CF7D447D}" = protocol=6 | dir=out | app=system |
"{C9DCA4C4-16A0-4C33-8D01-6D620025E7B3}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{CAB57D19-3599-4116-A219-A6D10DFE54BF}" = protocol=6 | dir=in | app=c:\program files\curse\curseclient.exe |
"{CFAB6557-6E7A-4283-BE0E-E594B6EBF01C}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{DB61FFA4-A7BF-4995-82D3-FC67A0262309}" = protocol=6 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{DFDC7FD2-4C17-4234-8F00-39ADA9A4268C}" = protocol=6 | dir=out | svc=upnphost | app=c:\windows\system32\svchost.exe |
"{E7F92CA8-102B-46A5-88EC-A32475CB57EE}" = protocol=6 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{F44B2231-A82F-4240-8099-3FCAA191A710}" = protocol=17 | dir=in | app=c:\program files\windows media player\wmplayer.exe |
"{FC9E1A4C-98D3-4070-8941-3E6ED3197A70}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"TCP Query User{39E0A339-9321-4D53-9C76-8917C56D3E9E}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"TCP Query User{4981798B-E0CF-4040-862A-4E3A7B370B0E}C:\program files\curse\curseclient.exe" = protocol=6 | dir=in | app=c:\program files\curse\curseclient.exe |
"TCP Query User{A5AD7820-C87C-4EAC-8A24-06E5DBE02A75}C:\program files\common files\roxio shared\9.0\sharedcom\roxwatchtray9.exe" = protocol=6 | dir=in | app=c:\program files\common files\roxio shared\9.0\sharedcom\roxwatchtray9.exe |
"TCP Query User{FE8EF99D-86EC-4C80-84E2-385C9BD441BA}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"UDP Query User{0F8C3280-5A68-425F-AEF9-C0D3EC9EA68E}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"UDP Query User{3F4FF1D2-414A-4B30-9D11-0D03DFBDF9FB}C:\program files\curse\curseclient.exe" = protocol=17 | dir=in | app=c:\program files\curse\curseclient.exe |
"UDP Query User{730B3F3A-CA30-4B7E-8BA9-41A3F1C66BC4}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"UDP Query User{7773C606-B555-40AA-A04A-4C37011517DA}C:\program files\common files\roxio shared\9.0\sharedcom\roxwatchtray9.exe" = protocol=17 | dir=in | app=c:\program files\common files\roxio shared\9.0\sharedcom\roxwatchtray9.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}" = Dell System Customization Wizard
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{281ECE39-F043-492B-8337-F2E546B5604A}" = PowerDVD
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2A574A21-B448-4B3C-8D48-F389FE07C19C}" = Vista Services Optimizer
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{300A2961-B2B5-4889-9CB9-5C2A570D08AD}" = Debugging Tools for Windows (x86)
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3E25E350-949F-4DB7-8288-2A60E018B4C1}" = Games, Music, & Photos Launcher
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{55A29068-F2CE-456C-9148-C869879E2357}" = TuneUp Utilities 2009
"{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}" = User's Guides
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{66D6F3BD-CA23-41A4-9FA3-96B26B32528C}" = Command & Conquer The First Decade
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89CEAE14-DD0F-448E-9554-15781EC9DB24}" = Product Documentation Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B8C54AB1-7E1A-40E8-B794-EDB6E8921F3A}" = Dell Support Center
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CCFF1E13-77A2-4032-8B12-7566982A27DF}" = Internet Service Offers Launcher
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{EFAD4066-CAF3-4B27-9669-12EED352C376}" = NVIDIANetworkDiagnostic
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"AMDAway INF" = AMDAway INF
"AnyDVD" = AnyDVD
"CloneDVD2" = CloneDVD2
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 PCI V.92 Modem
"CurseClient" = Curse Client
"Fraps" = Fraps
"HijackThis" = HijackThis 2.0.2
"InstallShield_{EFAD4066-CAF3-4B27-9669-12EED352C376}" = NVIDIANetworkDiagnostic
"LimeWire" = LimeWire PRO 5.1.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.3)" = Mozilla Firefox (3.5.3)
"NVIDIA Drivers" = NVIDIA Drivers
"Peggle World of Warcraft Edition" = Peggle World of Warcraft Edition
"Secunia PSI" = Secunia PSI
"UnityWebPlayer" = Unity Web Player
"WebWarsToolbar" = WebWarsToolbar
"Win32Pad" = Win32Pad 1.5.10
"WinRAR archiver" = WinRAR archiver
"World of Warcraft" = World of Warcraft
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"World of Logs Client" = World of Logs Client
"Wow Web Stats Client v3.0" = Wow Web Stats Client v3.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/3/2009 7:43:38 PM | Computer Name = aarons-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 8/3/2009 7:43:39 PM | Computer Name = aarons-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 8/3/2009 7:43:43 PM | Computer Name = aarons-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 8/3/2009 7:43:44 PM | Computer Name = aarons-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 8/3/2009 7:43:56 PM | Computer Name = aarons-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 8/3/2009 7:43:56 PM | Computer Name = aarons-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 8/6/2009 8:41:22 AM | Computer Name = aarons-PC | Source = VSS | ID = 8194
Description =

Error - 8/25/2009 10:55:20 AM | Computer Name = aarons-PC | Source = VSS | ID = 8194
Description =

Error - 9/1/2009 7:52:35 PM | Computer Name = aarons-PC | Source = Windows Backup | ID = 4104
Description =

Error - 9/1/2009 8:02:32 PM | Computer Name = aarons-PC | Source = Windows Backup | ID = 4104
Description =

[ System Events ]
Error - 10/16/2009 11:45:05 AM | Computer Name = aarons-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 10/16/2009 11:45:05 AM | Computer Name = aarons-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 10/16/2009 11:45:05 AM | Computer Name = aarons-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 10/16/2009 11:45:05 AM | Computer Name = aarons-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 10/16/2009 11:45:05 AM | Computer Name = aarons-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 10/16/2009 11:45:05 AM | Computer Name = aarons-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 10/16/2009 11:45:06 AM | Computer Name = aarons-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 10/16/2009 11:45:16 AM | Computer Name = aarons-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 10/16/2009 11:48:28 AM | Computer Name = aarons-PC | Source = DCOM | ID = 10005
Description =

Error - 10/16/2009 11:48:28 AM | Computer Name = aarons-PC | Source = Service Control Manager | ID = 7001
Description =

[ TuneUp Events ]
Error - 10/16/2009 12:35:02 AM | Computer Name = aarons-PC | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "s": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-10-16 00:35:02', '\device\harddiskvolume3\users\aaron's\appdata\local\temp\is-amr7t.tmp\mbam-setup.tmp','3636',0)

Error - 10/16/2009 12:35:02 AM | Computer Name = aarons-PC | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "s": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-10-16 00:35:02', '\device\harddiskvolume3\users\aaron's\appdata\local\temp\is-0o5tp.tmp\mbam-setup.tmp','2124',0)

Error - 10/16/2009 12:35:17 AM | Computer Name = aarons-PC | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-10-16 00:35:17', '\device\harddiskvolume3\program
files\malwarebytes' anti-malware\mbam.exe','3348',0)

Error - 10/16/2009 1:04:11 AM | Computer Name = aarons-PC | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-10-16 01:04:11', '\device\harddiskvolume3\program
files\malwarebytes' anti-malware\mbamgui.exe','3184',0)

Error - 10/16/2009 1:04:42 AM | Computer Name = aarons-PC | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "s": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-10-16 01:04:42', '\device\harddiskvolume3\users\aaron's\jusched.exe','3604',0)

Error - 10/16/2009 3:10:10 AM | Computer Name = aarons-PC | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "s": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-10-16 03:10:10', '\device\harddiskvolume3\users\aaron's\desktop\mgtools.exe','3604',0)

Error - 10/16/2009 3:14:16 AM | Computer Name = aarons-PC | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "s": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-10-16 03:14:16', '\device\harddiskvolume3\users\aaron's\appdata\local\temp\dc04535117\98y2r6.exe','2204',0)

Error - 10/16/2009 3:14:21 AM | Computer Name = aarons-PC | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "s": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-10-16 03:14:21', '\device\harddiskvolume3\users\aaron's\appdata\local\temp\dc04535117\77g46xp.exe','2600',0)

Error - 10/16/2009 9:33:59 AM | Computer Name = aarons-PC | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "s": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-10-16 09:33:59', '\device\harddiskvolume3\users\aaron's\appdata\local\temp\dc04535117\98y2r6.exe','2204',1)

Error - 10/16/2009 10:27:30 AM | Computer Name = aarons-PC | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "s": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-10-16 10:27:30', '\device\harddiskvolume3\users\aaron's\appdata\local\temp\dc04535117\98y2r6.exe','2968',0)


< End of report >


===============================



GMER 1.0.15.15163 - http://www.gmer.net
Rootkit quick scan 2009-10-16 11:54:19
Windows 6.0.6002 Service Pack 2
Running: gnzge3oy.exe; Driver: C:\Users\aaron's\AppData\Local\Temp\pwryqpog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Edited by Kenage, 17 October 2009 - 09:47 AM.



#2 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 28 October 2009 - 02:04 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 02 November 2009 - 05:14 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber

