
Infected w/what I suspect to be a rootkit, Trojans, etc.. posted Logs, used Avira Bootable- Can you tell me if I am DISINFECTED?


  • This topic is locked
13 replies to this topic

#1 ForzaDavide

ForzaDavide

  • Members
  • 46 posts

Posted 12 July 2010 - 11:36 AM

Hello,

I have a Win 7 Pro x64 system running on an Intel core 2 cpu.
I got infected with what I suspect to be a rootkit, Trojans, etc., basically everything.

My installed McAfee Total Internet Security 2010 (firewall + AV) was disabled and I was unable to reactivate it. I also was not able to run, update, or even install MBAM (even with renaming the .exe before launching for the first time). My system started showing the symptoms of an immediate infection.
I feared the worst and went for the big guns.
I downloaded and burned the latest version of Avira AntiVir Rescue System and proceeded to run this virus scanner. I'm sure you're aware, but for the record, it is a Linux-based, bootable virus scanner that, I understand, is ideal for a rootkit-type scenario because it's very difficult to remove a rootkit from the system on which it is installed.
I’m sorry but I do not have that log. I do remember seeing that it renamed several files(that couldn’t be removed or deleted).
Since then, I have been able to successfully turn ALL of my security back on:
I have turned on, updated and scanned with my McAfee 2010 AV scanner (found a couple of Trojans, names escape me, sorry).
I have also been able to install (from CD) the most recent versions of MBAM, SuperAntiSpyware, AdAware. I have updated to the latest definitions and have scanned with all of them several times. I unfortunately do not have their Logs. But I DO HAVE a MBAM and a HiJackThis LOG from last night.

I have also used the Trend Micro Online AV Scanner and that found nothing on two full scans.

My QUESTION is this... now that I SEEM to have removed the infections.. Are they ALL completely GONE? Is my System Safe for continued Use? Or should I start looking at reinstalling Win7 (which will be a b***h because I have the win7 upgrade from XP... sigh)
I will attach the MBAM scan LOG as well as the HiJackThis LOG from Last Night. These are the only two Scan Logs I have available.
Also- what the hell are these lines that read "system root" in HiJackTHis and when it says "file removed"... does this mean I was infected with a rootkit? if YES , PLEASE tell me which one.

Another Note- when I scanned with HijackThis, I got a popup immediately, saying that it could not access the HOSTS file... and to follow some directions, which is where I stopped.

Below is my MBAM scan (with the latest definitions) and below that is my HijackThis Log..
In conclusion, please help me further by telling me what you see from these logs as well as telling me why you want to use a certain scanner.. etc. After all, this is a learning experience. Please tell me the kind of infection you see (or see the remnants of) and what and how we are going to clean them.

I know the routine- I will NOT download, install, add or remove ANYTHING unless instructed to do so by you.

Thank you ALL so much ahead of time, you know this is very much appreciated by me and all other visitors.






Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4294

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/8/2010 8:28:06 PM
mbam-log-2010-07-08 (20-28-06).txt

Scan type: Quick scan
Objects scanned: 151318
Time elapsed: 4 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:52:52 AM, on 7/12/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\Steam\steam.exe
C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files (x86)\Common Files\Acronis\Timounter\TimounterMonitor.exe
C:\Program Files (x86)\Acronis\TrayMonitor\TrayMonitor.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Users\David\AppData\Local\Microsoft\Windows Sidebar\Gadgets\GPUMonitor[1].gadget\GPUMonitor.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\AltBinz\altbinz.exe
H:\HijackThis 2.0.4.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20100518134509.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [BackupAndRecoveryMonitor.exe] C:\Program Files (x86)\Acronis\BackupAndRecovery\BackupAndRecoveryMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files (x86)\Common Files\Acronis\Timounter\TimounterMonitor.exe
O4 - HKLM\..\Run: [TrayMonitor.exe] C:\Program Files (x86)\Acronis\TrayMonitor\TrayMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "c:\program files (x86)\steam\steam.exe" -silent
O4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATICEA.EXE /FU "C:\Windows\TEMP\E_S6646.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1348487664-676021802-3389984467-1005\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'Acronis Agent User')
O4 - HKUS\S-1-5-21-1348487664-676021802-3389984467-1005\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'Acronis Agent User')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O15 - Trusted Zone: *.bullhorn.com
O15 - Trusted Zone: *.bullhornstaffing.com
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareup...15111/CTPID.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: McAfee Application Installer Cleanup (0281511278777509) (0281511278777509mcinstcleanup) - McAfee, Inc. - C:\Windows\TEMP\028151~1.EXE
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Media Toolbox 6 Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\MT6Licensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: Acronis Managed Machine Service (MMS) - Acronis - C:\Program Files (x86)\Acronis\BackupAndRecovery\mms.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TurboBoost - Intel® Corporation - C:\Program Files\Intel\TurboBoost\TurboBoost.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 13879 bytes
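As an added example (not part of this thread, HijackThis or OTL), here is a Python triage helper for the O23 service lines the poster asks about: display names of the form `@%SystemRoot%\system32\Alg.exe,-112` are Windows MUI resource references (module plus string-table id), not file paths, and on a 64-bit host the 32-bit HijackThis 2.0.4 build is subject to WOW64 file-system redirection, so native System32 binaries such as lsass.exe are reported as "(file missing)". The sample lines are copied from the log above; `host_is_64bit` is an assumption supplied by the caller, since the HijackThis header does not record it.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One "O23 - Service:" line: display name, vendor, image path, optional tag.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - "
    r"(?P<image>.+?)(?P<missing> \(file missing\))?\s*$"
)
# HijackThis appends the registry service name in parentheses when it differs
# from the display name, e.g. "... (experimental) (rpcapd)".
SHORT_NAME_RE = re.compile(r"\((?P<name>[^()]+)\)\s*$")
# "@<module>,-<string id>": a localized (MUI) resource reference, which is how
# Windows stores display names of built-in services; HijackThis shows it raw.
MUI_RE = re.compile(r"^@(?P<module>[^,]+),-(?P<string_id>\d+)")
# Native System32 paths: a 32-bit scanner on x64 is redirected to SysWOW64
# here, so 64-bit-only binaries look missing to it.
NATIVE_SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    display: str
    name: str
    vendor: str
    image: str
    file_missing: bool
    flags: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one log line; returns None for anything that is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m.group("display")
    sm = SHORT_NAME_RE.search(display)
    name = sm.group("name") if sm else display
    return ServiceEntry(display, name, m.group("vendor"), m.group("image"),
                        m.group("missing") is not None)


def classify(entry: ServiceEntry, host_is_64bit: bool) -> ServiceEntry:
    """Attach triage flags. host_is_64bit is an assumption the caller supplies;
    the HijackThis header does not record it (the poster states Win 7 x64)."""
    if MUI_RE.match(entry.display):
        entry.flags.append("mui-resource-name")        # cosmetic, not tampering
    if entry.file_missing:
        if host_is_64bit and NATIVE_SYSTEM32_RE.match(entry.image):
            entry.flags.append("likely-wow64-redirection")
        else:
            entry.flags.append("file-missing")         # genuinely absent: review
    elif entry.vendor == "Unknown owner":
        entry.flags.append("no-vendor-info")           # present, no company info: review
    return entry


def triage(log_text: str, host_is_64bit: bool = True) -> List[ServiceEntry]:
    """Parse every O23 line in a HijackThis log and flag it for review."""
    entries = (parse_o23(ln) for ln in log_text.splitlines())
    return [classify(e, host_is_64bit) for e in entries if e is not None]


def review_queue(entries: List[ServiceEntry]) -> List[str]:
    """Service names still worth a human look once redirection noise is removed."""
    return [e.name for e in entries
            if "file-missing" in e.flags or "no-vendor-info" in e.flags]


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows 7 (WinNT 6.00.3504)
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG, host_is_64bit=True):
        print(f"{e.name:10} {e.vendor:22} {', '.join(e.flags) or '-'}")
    print("review:", review_queue(triage(SAMPLE_LOG, host_is_64bit=True)))
```

Run with `host_is_64bit=False` to see how the same lines would be flagged on a 32-bit host, where "(file missing)" on a System32 binary is not explained by redirection.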







#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 17 July 2010 - 06:35 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    user32.dll
    ws2_32.dll
    /md5stop
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 ForzaDavide

ForzaDavide
  • Topic Starter

  • Members
  • 46 posts

Posted 18 July 2010 - 07:56 PM

Thank you sir for the assistance, I do not mind the lag at all, that is why I have a PS3 ;)

I'll attach the OTL scan logs below; however, I am unable to select the boxes you requested. I SAVED a SCREENSHOT of the error and attached it with the scan logs below. I went ahead and scanned with it anyway, although as you can see from the screenshot I was only able to select the bottom 3 checkboxes. When the scan completed, GMER said no modified system; however, it did not yield a log post-completion.

Is there another scan we can run? How do the OTL scan logs look?

Thanks!

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 18 July 2010 - 08:20 PM

Hi ForzaDavide-

Please don't forget to attach the OTL logs!

Separately, I just noticed you have a 64-bit OS...that makes rootkits highly unlikely, and is why GMER can't run. I missed that when I picked up this log...I usually pick up 10 or so at once and it's easy to cut and paste and miss something until we start working a log. Sorry about that!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 ForzaDavide

ForzaDavide
  • Topic Starter

  • Members
  • 46 posts

Posted 18 July 2010 - 10:38 PM

Sorry, I'm having trouble attaching the files as attachments, and I can't paste; the forum says it's too long.. My problem was selecting the wrong scan. I did a full scan by accident; here is the quick one.


OTL logfile created on: 7/18/2010 8:39:19 PM - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\David\Desktop
64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 59.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 596.07 Gb Total Space | 53.97 Gb Free Space | 9.06% Space Free | Partition Type: NTFS
Drive D: | 4.11 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 233.75 Gb Total Space | 32.68 Gb Free Space | 13.98% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DAVID-PC
Current User Name: David
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/18 12:43:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\David\Desktop\OTL.exe
PRC - [2010/07/10 00:38:03 | 000,395,048 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe
PRC - [2010/05/10 18:03:39 | 001,238,352 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Steam\steam.exe
PRC - [2010/02/27 18:13:12 | 000,107,832 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrB.exe
PRC - [2010/02/27 18:12:52 | 000,066,872 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2010/01/16 12:15:35 | 001,523,712 | ---- | M] (Nick Connors) -- C:\Users\David\AppData\Local\Microsoft\Windows Sidebar\Gadgets\GPUMonitor[1].gadget\GPUMonitor.exe
PRC - [2010/01/11 22:00:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009/11/28 00:48:12 | 000,842,240 | ---- | M] (Acronis) -- C:\Program Files (x86)\Acronis\TrayMonitor\TrayMonitor.exe
PRC - [2009/11/27 21:00:02 | 000,382,368 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2009/11/27 20:57:30 | 001,865,560 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Agent\agent.exe
PRC - [2009/11/27 20:35:02 | 004,285,664 | ---- | M] (Acronis) -- C:\Program Files (x86)\Acronis\BackupAndRecovery\mms.exe
PRC - [2009/11/27 20:28:10 | 000,957,024 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Timounter\TimounterMonitor.exe
PRC - [2009/08/22 11:25:00 | 002,781,184 | ---- | M] () -- C:\Program Files (x86)\RivaTuner\RivaTuner.exe
PRC - [2009/08/04 18:29:54 | 000,219,360 | ---- | M] (DeviceVM, Inc.) -- C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe
PRC - [2009/08/04 18:29:52 | 000,346,320 | ---- | M] (DeviceVM, Inc.) -- C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe
PRC - [2009/07/30 18:51:02 | 000,068,136 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe
PRC - [2009/07/14 01:28:00 | 000,024,576 | ---- | M] (Creative Technology Ltd) -- C:\Windows\SysWOW64\Ctxfihlp.exe
PRC - [2009/07/14 01:22:08 | 001,263,616 | ---- | M] (Creative Technology Ltd) -- C:\Windows\SysWOW64\CTxfispi.exe
PRC - [2009/07/13 18:14:47 | 000,254,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
PRC - [2009/02/23 12:43:54 | 000,307,200 | ---- | M] (Creative Technology Ltd) -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe


========== Modules (SafeList) ==========

MOD - [2010/07/18 12:43:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\David\Desktop\OTL.exe
MOD - [2010/04/01 09:57:36 | 000,015,056 | ---- | M] (McAfee, Inc.) -- c:\Program Files (x86)\McAfee\SiteAdvisor\sahook.dll
MOD - [2009/07/13 18:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2009/07/13 18:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -d -f %ProgramFiles%\WinPcap\rpcapd.ini -- (rpcapd)
SRV:64bit: - File not found [Auto | Running] -- C:\Windows\SysNative\PnkBstrB.exe -- (PnkBstrB)
SRV:64bit: - File not found [Auto | Running] -- C:\Windows\SysNative\PnkBstrA.exe -- (PnkBstrA)
SRV:64bit: - [2010/06/29 10:49:27 | 000,128,752 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2010/04/27 17:16:24 | 000,244,840 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV:64bit: - [2010/04/27 17:16:24 | 000,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV:64bit: - [2010/04/15 09:45:10 | 000,509,416 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV:64bit: - [2010/04/14 12:29:58 | 000,199,032 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV:64bit: - [2010/03/10 10:14:44 | 000,355,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV:64bit: - [2010/03/10 10:14:44 | 000,355,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV:64bit: - [2010/03/10 10:14:44 | 000,355,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV:64bit: - [2010/03/10 10:14:44 | 000,355,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV:64bit: - [2010/03/10 10:14:44 | 000,355,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV:64bit: - [2010/03/10 10:14:44 | 000,355,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV:64bit: - [2010/03/10 10:14:44 | 000,355,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV:64bit: - [2009/11/02 13:48:18 | 000,126,352 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\TurboBoost\TurboBoost.exe -- (TurboBoost)
SRV:64bit: - [2009/07/13 18:41:56 | 000,195,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\umrdp.dll -- (UmRdpService)
SRV:64bit: - [2009/07/13 18:41:54 | 000,017,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\StorSvc.dll -- (StorSvc)
SRV:64bit: - [2009/07/13 18:41:53 | 001,361,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\PeerDistSvc.dll -- (PeerDistSvc)
SRV:64bit: - [2009/07/13 18:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 18:40:24 | 000,689,152 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\cscsvc.dll -- (CscService)
SRV:64bit: - [2009/07/13 18:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2010/07/13 23:57:10 | 001,352,832 | ---- | M] (Lavasoft) [Auto | Stopped] -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/07/10 00:38:03 | 000,395,048 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/06/09 22:22:04 | 000,120,712 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe -- (LMIMaint)
SRV - [2010/04/28 17:13:42 | 000,820,488 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Windows\Temp\0317991279470997mcinst.exe -- (0317991279470997mcinstcleanup) McAfee Application Installer Cleanup (0317991279470997)
SRV - [2010/03/18 14:27:14 | 000,138,576 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_64)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/27 18:13:12 | 000,107,832 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrB.exe -- (PnkBstrB)
SRV - [2010/02/27 18:12:52 | 000,066,872 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2010/02/05 20:43:53 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe -- (Creative ALchemy AL6 Licensing Service)
SRV - [2010/01/21 00:41:07 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2010/01/16 00:51:54 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\MT6Licensing.exe -- (Creative Media Toolbox 6 Licensing Service)
SRV - [2010/01/11 22:00:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/11/27 21:00:42 | 000,899,528 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2009/11/27 20:57:30 | 001,865,560 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\Agent\agent.exe -- (AcronisAgent)
SRV - [2009/11/27 20:35:02 | 004,285,664 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Acronis\BackupAndRecovery\mms.exe -- (MMS)
SRV - [2009/11/06 14:13:20 | 000,276,584 | ---- | M] (NVIDIA) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService)
SRV - [2009/08/04 18:29:54 | 000,219,360 | ---- | M] (DeviceVM, Inc.) [Auto | Running] -- C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe -- (BCUService)
SRV - [2009/07/30 18:51:02 | 000,068,136 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe -- (GEST Service)
SRV - [2009/02/23 12:43:54 | 000,307,200 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2008/10/25 12:44:08 | 000,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/08/11 13:40:58 | 000,057,920 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe -- (LogMeIn)
SRV - [2007/01/11 05:02:00 | 000,126,464 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\NTACCESS.SYS -- (WEBNTACCESS)
DRV:64bit: - File not found [Kernel | System | Stopped] -- C:\Windows\SysNative\SAVRKBootTasks.sys -- (SAVRKBootTasks)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rootrepeal.sys -- (rootrepeal)
DRV:64bit: - [2010/06/21 10:44:12 | 000,069,152 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\Lbd.sys -- (Lbd)
DRV:64bit: - [2010/06/09 22:22:02 | 000,014,944 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\radpms.sys -- (radpms)
DRV:64bit: - [2010/06/09 22:21:50 | 000,087,456 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV:64bit: - [2010/05/26 10:39:08 | 000,006,144 | ---- | M] (Sophos Plc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\F9DD.tmp -- (MEMSWEEP2)
DRV:64bit: - [2010/04/27 17:16:24 | 000,528,616 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfehidk.sys -- (mfehidk)
DRV:64bit: - [2010/04/27 17:16:24 | 000,440,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfefirek.sys -- (mfefirek)
DRV:64bit: - [2010/04/27 17:16:24 | 000,279,752 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfewfpk.sys -- (mfewfpk)
DRV:64bit: - [2010/04/27 17:16:24 | 000,189,880 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeavfk.sys -- (mfeavfk)
DRV:64bit: - [2010/04/27 17:16:24 | 000,121,504 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeapfk.sys -- (mfeapfk)
DRV:64bit: - [2010/04/27 17:16:24 | 000,093,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mferkdet.sys -- (mferkdet)
DRV:64bit: - [2010/04/27 17:16:24 | 000,075,288 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mfenlfk.sys -- (mfenlfk)
DRV:64bit: - [2010/04/27 17:16:24 | 000,062,416 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\cfwids.sys -- (cfwids)
DRV:64bit: - [2010/02/17 11:23:05 | 000,014,920 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2010/02/17 11:23:05 | 000,012,360 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2010/02/06 19:54:40 | 000,082,816 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\pcouffin.sys -- (pcouffin)
DRV:64bit: - [2010/01/21 22:26:40 | 000,951,904 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\timntr.sys -- (timounter)
DRV:64bit: - [2010/01/21 22:23:59 | 000,265,824 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\snapman.sys -- (snapman)
DRV:64bit: - [2009/11/02 13:48:02 | 000,013,784 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\TurboB.sys -- (TurboB)
DRV:64bit: - [2009/09/15 14:59:30 | 000,042,088 | ---- | M] (NVIDIA Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvoclk64.sys -- (nvoclk64)
DRV:64bit: - [2009/08/28 20:42:52 | 000,049,152 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2009/07/30 04:58:42 | 000,236,544 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/07/14 03:54:52 | 001,613,336 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ha20x22k.sys -- (ha20x22k)
DRV:64bit: - [2009/07/14 03:54:38 | 001,568,792 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ha20x2k.sys -- (ha20x2k)
DRV:64bit: - [2009/07/14 03:54:28 | 000,118,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\emupia2k.sys -- (emupia)
DRV:64bit: - [2009/07/14 03:54:18 | 000,213,016 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV:64bit: - [2009/07/14 03:54:12 | 000,015,896 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV:64bit: - [2009/07/14 03:54:04 | 000,179,224 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctoss2k.sys -- (ossrv)
DRV:64bit: - [2009/07/14 03:53:54 | 000,696,984 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV:64bit: - [2009/07/14 03:53:46 | 000,580,632 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ctac32k.sys -- (ctac32k)
DRV:64bit: - [2009/07/14 03:53:36 | 001,445,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CTEXFIFX.sys -- (CTEXFIFX.SYS)
DRV:64bit: - [2009/07/14 03:53:36 | 001,445,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CTEXFIFX.sys -- (CTEXFIFX)
DRV:64bit: - [2009/07/14 03:53:24 | 000,095,256 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CTHWIUT.sys -- (CTHWIUT.SYS)
DRV:64bit: - [2009/07/14 03:53:24 | 000,095,256 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CTHWIUT.sys -- (CTHWIUT)
DRV:64bit: - [2009/07/14 03:53:16 | 000,230,424 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CT20XUT.sys -- (CT20XUT.SYS)
DRV:64bit: - [2009/07/14 03:53:16 | 000,230,424 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CT20XUT.sys -- (CT20XUT)
DRV:64bit: - [2009/07/13 18:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 18:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 18:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 18:45:55 | 000,200,272 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vmbus.sys -- (vmbus)
DRV:64bit: - [2009/07/13 18:45:55 | 000,046,672 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vmstorfl.sys -- (storflt)
DRV:64bit: - [2009/07/13 18:45:55 | 000,034,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsc.sys -- (storvsc)
DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 16:42:58 | 000,006,656 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vms3cap.sys -- (s3cap)
DRV:64bit: - [2009/07/13 16:42:44 | 000,021,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VMBusHID.sys -- (VMBusHID)
DRV:64bit: - [2009/07/13 16:24:27 | 000,514,048 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\csc.sys -- (CSC)
DRV:64bit: - [2009/06/10 13:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 15:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/03/27 02:23:54 | 000,019,432 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\cpuz132_x64.sys -- (cpuz132)
DRV:64bit: - [2008/11/04 11:21:08 | 000,098,144 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\jraid.sys -- (JRAID)
DRV:64bit: - [2008/08/11 13:40:58 | 000,072,216 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV:64bit: - [2008/08/11 13:40:32 | 000,011,552 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\lmimirr.sys -- (lmimirr)
DRV:64bit: - [2007/11/06 13:23:14 | 000,040,464 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\npf.sys -- (NPF)
DRV:64bit: - [2007/08/20 12:05:02 | 000,012,744 | ---- | M] (EnTech Taiwan) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Entech64.sys -- (ENTECH64)
DRV - [2010/07/18 09:34:17 | 000,025,640 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\gdrv.sys -- (gdrv)
DRV - [2010/07/01 22:55:19 | 000,033,280 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\rootrepeal.sys -- (rootrepeal)
DRV - [2010/05/26 10:45:04 | 000,018,816 | ---- | M] (Sophos Plc) [Kernel | System | Stopped] -- C:\Windows\SysWOW64\SAVRKBootTasks.sys -- (SAVRKBootTasks)
DRV - [2010/01/22 23:32:44 | 000,019,952 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files (x86)\RivaTuner\RivaTuner64.sys -- (RivaTuner64)
DRV - [2009/02/10 18:23:10 | 000,115,600 | ---- | M] (EZB Systems, Inc.) [File_System | System | Running] -- C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys -- (ISODrive)
DRV - [2008/08/11 13:41:00 | 000,015,928 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\rainfo.sys -- (LMIInfo)
DRV - [2008/04/14 03:21:50 | 000,017,920 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\Ntaccess.sys -- (WEBNTACCESS)
DRV - [2007/02/07 11:27:46 | 000,014,104 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | Boot | Running] -- C:\Windows\SysWOW64\speedfan.sys -- (speedfan)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4D 75 3D E4 66 96 CA 01 [binary data]
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\..\URLSearchHook: {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll (DeviceVM, Inc.)
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4D 75 3D E4 66 96 CA 01 [binary data]
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\..\URLSearchHook: {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll (DeviceVM, Inc.)
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files (x86)\McAfee\SiteAdvisor [2010/06/22 08:05:50 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009/06/10 14:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho64.dll ()
O2:64bit: - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100518134509.dll (McAfee, Inc.)
O2:64bit: - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20100518134509.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3:64bit: - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4:64bit: - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4:64bit: - HKLM..\Run: [LogMeIn GUI] C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe (LogMeIn, Inc.)
O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\Windows\SysNative\NvCpl.DLL (NVIDIA Corporation)
O4:64bit: - HKLM..\Run: [RivaTuner] C:\Program Files (x86)\RivaTuner\RivaTunerWrapper.exe ()
O4:64bit: - HKLM..\Run: [RivaTunerStartupDaemon] C:\Program Files (x86)\RivaTuner\RivaTunerWrapper.exe ()
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files (x86)\Common Files\Acronis\Timounter\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [BackupAndRecoveryMonitor.exe] C:\Program Files (x86)\Acronis\BackupAndRecovery\BackupAndRecoveryMonitor.exe (Acronis)
O4 - HKLM..\Run: [BCU] C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe (DeviceVM, Inc.)
O4 - HKLM..\Run: [CTxfiHlp] C:\Windows\SysWow64\Ctxfihlp.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [TrayMonitor.exe] C:\Program Files (x86)\Acronis\TrayMonitor\TrayMonitor.exe (Acronis)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001..\Run: [EPSON Stylus CX8400 Series] C:\Windows\SysWow64\spool\DRIVERS\x64\3\E_IATICEA.EXE File not found
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001..\Run: [Steam] c:\program files (x86)\steam\steam.exe (Valve Corporation)
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005..\Run: [EPSON Stylus CX8400 Series] C:\Windows\SysWow64\spool\DRIVERS\x64\3\E_IATICEA.EXE File not found
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005..\Run: [Steam] c:\program files (x86)\steam\steam.exe (Valve Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005..\RunOnce: [InetReg] C:\Program Files (x86)\Creative\Product Registration\English\InetReg.exe (Creative Technology Ltd)
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\..Trusted Domains: bullhorn.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\..Trusted Domains: bullhornstaffing.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\..Trusted Domains: com.tw ([asia.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\..Trusted Domains: com.tw ([global.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\..Trusted Domains: com.tw ([www.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\..Trusted Domains: bullhorn.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\..Trusted Domains: bullhornstaffing.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\..Trusted Domains: com.tw ([asia.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\..Trusted Domains: com.tw ([global.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\..Trusted Domains: com.tw ([www.msi] http in Trusted sites)
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} http://liveupdate.msi.com.tw/autobios/LOnline/install.cab (WebSDev Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareup...15111/CTPID.cab (Creative Software AutoUpdate Support Package)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220
O18:64bit: - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{77beb626-025f-11df-a6ac-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{77beb626-025f-11df-a6ac-806e6f6e6963}\Shell\AutoRun\command - "" = D:\SETUP.EXE -- File not found
O33 - MountPoints2\{d2a557bf-0215-11df-8792-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{d2a557bf-0215-11df-8792-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Run.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/07/18 13:07:49 | 000,000,000 | ---D | C] -- C:\Users\David\Desktop\gmer
[2010/07/18 12:43:30 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\David\Desktop\OTL.exe
[2010/07/18 09:32:26 | 000,000,000 | ---D | C] -- C:\Users\David\Documents\DVDFab
[2010/07/18 09:32:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DVDFab 6
[2010/07/06 20:48:12 | 000,000,000 | ---D | C] -- C:\Users\David\AppData\Roaming\SUPERAntiSpyware.com
[2010/07/06 20:48:12 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/07/06 20:48:00 | 000,000,000 | ---D | C] -- C:\ProgramData\!SASCORE
[2010/07/06 20:47:59 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/07/06 20:47:50 | 009,070,816 | ---- | C] (SUPERAntiSpyware.com) -- C:\Users\David\Desktop\SUPERAntiSpyware.exe
[2010/07/06 20:33:49 | 002,133,536 | ---- | C] (AVG Technologies) -- C:\Users\David\Desktop\avg_iswt_stb_all_9_115_cnet.exe
[2010/07/06 20:30:58 | 001,137,360 | ---- | C] (F-Secure Corporation) -- C:\Users\David\Desktop\fsbl blcklight.exe
[2010/07/06 19:24:36 | 000,069,152 | ---- | C] (Lavasoft AB) -- C:\Windows\SysNative\drivers\Lbd.sys
[2010/07/06 19:22:20 | 000,000,000 | -H-D | C] -- C:\ProgramData\{90FF8911-FC06-4E49-8959-C3CF1CA226BB}
[2010/07/06 19:22:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/07/01 22:52:22 | 000,018,816 | ---- | C] (Sophos Plc) -- C:\Windows\SysWow64\SAVRKBootTasks.sys
[2010/07/01 20:55:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sophos
[2010/07/01 17:29:51 | 000,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbam.sys
[2010/07/01 17:26:52 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Users\David\Desktop\HijackThis.exe
[2010/06/30 23:32:19 | 003,942,048 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\David\Desktop\TOY.exe
[2010/06/30 23:31:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Lavasoft
[2010/05/10 22:03:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\McAfee.com
[2010/05/10 22:03:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\McAfee
[2010/05/10 22:03:16 | 000,009,984 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeclnk.sys
[2010/05/10 22:02:28 | 000,528,616 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfehidk.sys
[2010/05/10 22:02:28 | 000,440,688 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfefirek.sys
[2010/05/10 22:02:28 | 000,279,752 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfewfpk.sys
[2010/05/10 22:02:28 | 000,189,880 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeavfk.sys
[2010/05/10 22:02:28 | 000,121,504 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeapfk.sys
[2010/05/10 22:02:28 | 000,093,840 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mferkdet.sys
[2010/05/10 22:02:28 | 000,075,288 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfenlfk.sys
[2010/05/10 22:02:28 | 000,062,416 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\cfwids.sys
[2010/05/10 22:02:11 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2010/05/10 22:02:11 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2010/05/10 22:02:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2010/05/10 22:02:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\McAfee
[2010/05/10 21:54:48 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2010/04/30 03:00:32 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Wat
[2010/04/30 03:00:32 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Wat
[2009/07/14 01:30:56 | 000,014,336 | ---- | C] ( ) -- C:\Windows\SysWow64\a3d.dll
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/07/18 20:40:05 | 004,194,304 | -HS- | M] () -- C:\Users\David\ntuser.dat
[2010/07/18 17:57:02 | 000,355,357 | ---- | M] () -- C:\Users\David\Desktop\gmer error.jpg
[2010/07/18 17:56:49 | 000,399,424 | ---- | M] () -- C:\Users\David\Desktop\gmer error.png
[2010/07/18 17:43:49 | 000,284,915 | ---- | M] () -- C:\Users\David\Desktop\gmer.zip
[2010/07/18 12:54:28 | 000,013,648 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/07/18 12:54:28 | 000,013,648 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/07/18 12:53:13 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/07/18 12:53:13 | 000,623,940 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/07/18 12:53:13 | 000,106,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/07/18 12:43:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\David\Desktop\OTL.exe
[2010/07/18 09:36:36 | 000,001,828 | ---- | M] () -- C:\Users\Public\Desktop\McAfee Total Protection.lnk
[2010/07/18 09:35:36 | 000,000,394 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010/07/18 09:34:17 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/07/18 09:34:14 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/07/18 09:34:13 | 3220,037,632 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/18 09:33:14 | 000,062,308 | ---- | M] () -- C:\Windows\SysNative\BMXStateBkp-{00000002-00000000-00000000-00001102-0000000B-00431102}.rfx
[2010/07/18 09:33:14 | 000,062,308 | ---- | M] () -- C:\Windows\SysNative\BMXState-{00000002-00000000-00000000-00001102-0000000B-00431102}.rfx
[2010/07/18 09:33:14 | 000,000,820 | ---- | M] () -- C:\Windows\SysNative\DVCState-{00000002-00000000-00000000-00001102-0000000B-00431102}.rfx
[2010/07/18 09:32:52 | 001,831,511 | -H-- | M] () -- C:\Users\David\AppData\Local\IconCache.db
[2010/07/18 09:32:24 | 000,000,931 | ---- | M] () -- C:\Users\David\Desktop\DVDFab 6.lnk
[2010/07/17 11:01:12 | 000,072,903 | ---- | M] () -- C:\Users\David\Desktop\deal1.jpg
[2010/07/07 22:33:25 | 000,000,036 | ---- | M] () -- C:\Users\David\AppData\Local\housecall.guid.cache
[2010/07/06 21:59:35 | 000,001,009 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/06 20:48:00 | 000,001,808 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/07/06 19:22:18 | 000,001,166 | ---- | M] () -- C:\Users\David\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/07/06 19:22:18 | 000,001,142 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/07/06 14:38:43 | 009,070,816 | ---- | M] (SUPERAntiSpyware.com) -- C:\Users\David\Desktop\SUPERAntiSpyware.exe
[2010/07/06 14:28:25 | 001,137,360 | ---- | M] (F-Secure Corporation) -- C:\Users\David\Desktop\fsbl blcklight.exe
[2010/07/06 14:14:33 | 002,133,536 | ---- | M] (AVG Technologies) -- C:\Users\David\Desktop\avg_iswt_stb_all_9_115_cnet.exe
[2010/07/05 23:10:26 | 000,413,312 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/07/01 22:55:19 | 000,033,280 | ---- | M] () -- C:\Windows\SysWow64\drivers\rootrepeal.sys
[2010/07/01 17:38:20 | 001,376,832 | ---- | M] () -- C:\Users\David\Desktop\sar.exe
[2010/06/21 10:44:12 | 000,069,152 | ---- | M] (Lavasoft AB) -- C:\Windows\SysNative\drivers\Lbd.sys
[2010/06/21 10:44:11 | 000,015,880 | ---- | M] () -- C:\Windows\SysNative\lsdelete.exe
[2010/06/16 21:48:14 | 000,028,273 | ---- | M] () -- C:\Users\David\Desktop\r1678231344.jpg
[2010/06/16 21:47:28 | 000,223,285 | ---- | M] () -- C:\Users\David\Desktop\1276644215.gif
[2010/06/16 21:47:28 | 000,032,089 | ---- | M] () -- C:\Users\David\Desktop\r613849126.jpg
[2010/06/16 21:47:25 | 000,102,564 | ---- | M] () -- C:\Users\David\Desktop\ept_sports_sow_experts-642910203-1276702410.jpg
[2010/06/09 22:22:02 | 000,014,944 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\drivers\radpms.sys
[2010/06/09 22:21:50 | 000,087,456 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIRfsClientNP.dll
[2010/06/09 22:21:49 | 000,080,768 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIinit.dll
[2010/06/09 22:21:49 | 000,033,152 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIport.dll
[2010/06/09 03:18:32 | 000,524,288 | -HS- | M] () -- C:\Users\David\ntuser.dat{614ab40e-70ea-11df-8c08-00241dc4abaf}.TMContainer00000000000000000002.regtrans-ms
[2010/06/09 03:18:32 | 000,524,288 | -HS- | M] () -- C:\Users\David\ntuser.dat{614ab40e-70ea-11df-8c08-00241dc4abaf}.TMContainer00000000000000000001.regtrans-ms
[2010/06/09 03:18:32 | 000,065,536 | -HS- | M] () -- C:\Users\David\ntuser.dat{614ab40e-70ea-11df-8c08-00241dc4abaf}.TM.blf
[2010/06/05 23:06:12 | 000,000,221 | ---- | M] () -- C:\Users\David\Desktop\Shattered Horizon.url
[2010/05/26 10:45:04 | 000,018,816 | ---- | M] (Sophos Plc) -- C:\Windows\SysWow64\SAVRKBootTasks.sys
[2010/05/19 13:17:09 | 000,000,162 | -H-- | M] () -- C:\Users\David\Documents\~$rsuation Speech Outline Formatted Nice FINAL COPY Proofed.docx
[2010/05/18 21:52:30 | 000,022,485 | ---- | M] () -- C:\Users\David\Documents\Persuation Speech Final Copy for NOTECARDs.docx
[2010/05/18 20:57:36 | 000,023,227 | ---- | M] () -- C:\Users\David\Documents\Persuation Speech Outline Formatted Nice FINAL COPY Proofed.docx
[2010/05/18 20:48:04 | 000,023,026 | ---- | M] () -- C:\Users\David\Documents\Persuation Speech Outline Formatted Nice.docx
[2010/05/18 19:37:07 | 000,015,872 | ---- | M] () -- C:\Users\David\Documents\Full sentence outline Final Persuasive Speech.docx
[2010/05/18 19:04:03 | 000,013,203 | ---- | M] () -- C:\Users\David\Documents\Sources Cited Page for Persuasion FINAL speech.docx
[2010/05/17 20:26:53 | 000,022,752 | ---- | M] () -- C:\Users\David\Documents\Persuasion speech.docx
[2010/05/16 20:02:47 | 002,468,838 | ---- | M] () -- C:\Users\David\Desktop\Sanzio_01 Raphael-most famous- vatican.jpg
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/04/29 15:39:28 | 000,024,664 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/04/27 17:16:24 | 000,528,616 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfehidk.sys
[2010/04/27 17:16:24 | 000,440,688 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfefirek.sys
[2010/04/27 17:16:24 | 000,279,752 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfewfpk.sys
[2010/04/27 17:16:24 | 000,189,880 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeavfk.sys
[2010/04/27 17:16:24 | 000,121,504 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeapfk.sys
[2010/04/27 17:16:24 | 000,093,840 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mferkdet.sys
[2010/04/27 17:16:24 | 000,075,288 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfenlfk.sys
[2010/04/27 17:16:24 | 000,062,416 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\cfwids.sys
[2010/04/27 17:16:24 | 000,009,984 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeclnk.sys
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/18 17:57:01 | 000,355,357 | ---- | C] () -- C:\Users\David\Desktop\gmer error.jpg
[2010/07/18 17:45:18 | 000,399,424 | ---- | C] () -- C:\Users\David\Desktop\gmer error.png
[2010/07/18 12:43:57 | 000,284,915 | ---- | C] () -- C:\Users\David\Desktop\gmer.zip
[2010/07/18 09:35:36 | 000,000,394 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010/07/18 09:32:24 | 000,000,931 | ---- | C] () -- C:\Users\David\Desktop\DVDFab 6.lnk
[2010/07/17 11:03:12 | 000,072,903 | ---- | C] () -- C:\Users\David\Desktop\deal1.jpg
[2010/07/07 22:33:25 | 000,000,036 | ---- | C] () -- C:\Users\David\AppData\Local\housecall.guid.cache
[2010/07/06 21:59:35 | 000,001,009 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/06 20:48:00 | 000,001,808 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/07/06 19:34:48 | 000,015,880 | ---- | C] () -- C:\Windows\SysNative\lsdelete.exe
[2010/07/06 19:22:18 | 000,001,166 | ---- | C] () -- C:\Users\David\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/07/06 19:22:18 | 000,001,142 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/07/06 00:23:32 | 000,050,155 | ---- | C] () -- C:\Users\David\Desktop\GTA4 Text Msg Cars.jpg
[2010/07/06 00:23:32 | 000,049,569 | ---- | C] () -- C:\Users\David\Desktop\GTA4 stuntjumps.jpg
[2010/07/01 21:12:14 | 000,033,280 | ---- | C] () -- C:\Windows\SysWow64\drivers\rootrepeal.sys
[2010/07/01 17:38:06 | 001,376,832 | ---- | C] () -- C:\Users\David\Desktop\sar.exe
[2010/06/16 21:49:35 | 000,028,273 | ---- | C] () -- C:\Users\David\Desktop\r1678231344.jpg
[2010/06/16 21:49:27 | 000,032,089 | ---- | C] () -- C:\Users\David\Desktop\r613849126.jpg
[2010/06/16 21:49:21 | 000,223,285 | ---- | C] () -- C:\Users\David\Desktop\1276644215.gif
[2010/06/16 21:48:51 | 000,102,564 | ---- | C] () -- C:\Users\David\Desktop\ept_sports_sow_experts-642910203-1276702410.jpg
[2010/06/05 23:06:12 | 000,000,221 | ---- | C] () -- C:\Users\David\Desktop\Shattered Horizon.url
[2010/06/05 14:36:51 | 000,524,288 | -HS- | C] () -- C:\Users\David\ntuser.dat{614ab40e-70ea-11df-8c08-00241dc4abaf}.TMContainer00000000000000000002.regtrans-ms
[2010/06/05 14:36:51 | 000,524,288 | -HS- | C] () -- C:\Users\David\ntuser.dat{614ab40e-70ea-11df-8c08-00241dc4abaf}.TMContainer00000000000000000001.regtrans-ms
[2010/06/05 14:36:51 | 000,065,536 | -HS- | C] () -- C:\Users\David\ntuser.dat{614ab40e-70ea-11df-8c08-00241dc4abaf}.TM.blf
[2010/05/19 13:17:09 | 000,000,162 | -H-- | C] () -- C:\Users\David\Documents\~$rsuation Speech Outline Formatted Nice FINAL COPY Proofed.docx
[2010/05/18 20:50:40 | 000,022,485 | ---- | C] () -- C:\Users\David\Documents\Persuation Speech Final Copy for NOTECARDs.docx
[2010/05/18 20:48:34 | 000,023,227 | ---- | C] () -- C:\Users\David\Documents\Persuation Speech Outline Formatted Nice FINAL COPY Proofed.docx
[2010/05/18 19:19:49 | 000,023,026 | ---- | C] () -- C:\Users\David\Documents\Persuation Speech Outline Formatted Nice.docx
[2010/05/18 18:09:05 | 000,013,203 | ---- | C] () -- C:\Users\David\Documents\Sources Cited Page for Persuasion FINAL speech.docx
[2010/05/18 15:00:30 | 000,015,872 | ---- | C] () -- C:\Users\David\Documents\Full sentence outline Final Persuasive Speech.docx
[2010/05/17 18:38:36 | 000,001,828 | ---- | C] () -- C:\Users\Public\Desktop\McAfee Total Protection.lnk
[2010/05/16 20:04:28 | 002,468,838 | ---- | C] () -- C:\Users\David\Desktop\Sanzio_01 Raphael-most famous- vatican.jpg
[2010/05/10 19:30:07 | 000,022,752 | ---- | C] () -- C:\Users\David\Documents\Persuasion speech.docx
[2010/01/29 12:39:42 | 000,237,568 | ---- | C] () -- C:\Windows\SysWow64\rmc_rtspdl.dll
[2010/01/25 12:58:06 | 000,462,848 | ---- | C] () -- C:\Windows\SysWow64\ractrlkeyhook.dll
[2010/01/24 13:31:08 | 000,000,097 | ---- | C] () -- C:\Windows\SysWow64\PICSDK.ini
[2010/01/16 00:18:51 | 000,166,912 | ---- | C] () -- C:\Windows\SysWow64\APOMngr.DLL
[2010/01/16 00:18:51 | 000,073,728 | ---- | C] () -- C:\Windows\SysWow64\CmdRtr.DLL
[2010/01/15 21:53:07 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2009/07/14 02:14:20 | 000,027,839 | ---- | C] () -- C:\Windows\SysWow64\instwdm.ini
[2009/07/14 02:14:16 | 000,000,054 | ---- | C] () -- C:\Windows\SysWow64\ctzapxx.ini
[2009/07/14 01:28:04 | 000,002,560 | ---- | C] () -- C:\Windows\SysWow64\CtxfiRes.dll
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 14:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/05/26 13:12:38 | 000,000,285 | ---- | C] () -- C:\Windows\SysWow64\kill.ini
[2008/02/01 09:18:14 | 000,009,216 | ---- | C] () -- C:\Windows\SysWow64\drivers\FlashSys.sys
[2007/11/06 13:19:28 | 000,053,299 | ---- | C] () -- C:\Windows\SysWow64\pthreadVC.dll

========== LOP Check ==========

[2010/02/06 19:40:48 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\Foxit
[2010/01/29 12:23:27 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\PPLive
[2010/04/01 18:54:57 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\The Creative Assembly
[2010/07/18 12:44:40 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\uTorrent
[2010/07/18 09:32:28 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\Vso
[2010/07/18 09:35:36 | 000,000,394 | ---- | M] () -- C:\Windows\Tasks\Ad-Aware Update (Weekly).job
[2009/07/13 22:08:49 | 000,028,892 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >

PS: Umm, I just noticed: the OTL scanner didn't yield 2 logs like last time, just this one.

Thanks,


-Davide

Edited by ForzaDavide, 18 July 2010 - 10:49 PM.


#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:19 PM

Posted 19 July 2010 - 07:51 PM

Hello, ForzaDavide.

If the logs are too big to post, feel free to split into multiple posts if you need them.

First question... what were you infected with originally?

Good news is that a rootkit shouldn't be able to infect a 64-bit system due to the driver signing requirement. So, we can rule that out. Do you have any remaining symptoms from the infection? E.g., Google redirects, can't run security programs, etc.? If so, we can clean up the remnants.

You only get one log since it's the second time you've run. It's all good for now.

I don't see much in your logs. You may be clean, unless you're noticing something odd. Let's clean up some orphaned registry entries and take a look at an odd directory. I think it's related to Lavasoft Ad-Aware as it has a similar timestamp, but I'm always suspicious of hidden directories with limited Google hits for the CLSID. Then we'll get an online A/V scan for a second opinion.





Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the Internet zone are not extremely high and, once you put a site in your Trusted Zone, basically anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking of that site and may even give access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites to the Trusted Zone. If you're not sure, and/or you do not need these in your Trusted Zone to facilitate access, or you did not knowingly permit this access yourself, then please remove those sites from your Trusted Zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • ERUNT will open when the installation is finished. Check all items to be backed up in the default location and click OK.

The automatic part won't work with Vista or W7. Please back up manually using ERUNT with the following instructions:
  1. Please locate the ERUNT icon on the desktop. If it is not there, click Start and type ERUNT into the search box.
  2. Right click the ERUNT icon on the desktop or in the Start menu, and select Run as Administrator.
  3. Click OK at the first message box.
  4. Ensure the checkboxes for both "system registry" and "current user registry" are checked. Leave the default save location in there.
  5. Click OK.
  6. Click Yes to create the new folder.
  7. You'll get a window saying "registry backup complete" once it's done. Click OK. If you get an error message, please STOP here and let me know. Do not proceed with any additional instructions until you check back with me.



Step 2

We need to run an OTL script.
  1. Please download OTL from one of the following mirrors if you do not still have it.
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    CODE
    :OTL
    DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\NTACCESS.SYS -- (WEBNTACCESS)
    DRV:64bit: - File not found [Kernel | System | Stopped] -- C:\Windows\SysNative\SAVRKBootTasks.sys -- (SAVRKBootTasks)
    DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rootrepeal.sys -- (rootrepeal)
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
    O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
    O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
  5. Click the Run Fix button at the top.
  6. Let the program run unhindered and reboot when it is done.
  7. You will get a log when it is done; please post that in your reply.
  8. Please then create a new OTL report by doing the following:
  9. Click the "Scan All Users" checkbox.
  10. Paste this into the custom scan box:
    dir C:\ProgramData\{90FF8911-FC06-4E49-8959-C3CF1CA226BB} /c
  11. Push the Quick Scan button.
  12. A report will open, copy and paste it in a reply here.



Step 3

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

etavares

Edited by etavares, 19 July 2010 - 07:52 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
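As a defender-side aid for the triage etavares describes above (spotting service and driver entries whose file no longer exists, and hidden files that carry no company string), here is an added Python example; it is not part of the thread and not OTL's own code. It parses lines in the field layout visible in the logs posted here. The sample lines, vendor names, paths and key names inside it are constructed for the example, and the attribute positions (H at index 1, D at index 3) are read off the "-HS-" and "---D" entries in the logs rather than from OTL documentation.

```python
"""Triage helper for OTL-style log lines.

Added example; not OTL's own code. Field layout is taken from the log
excerpts in this thread: [date time | size | attrs | C/M] (Company) -- path,
with service and driver lines ending in -- (KeyName).
"""
import re
from typing import Optional

# Constructed sample lines in OTL's format (paths, vendors and key names are made up).
SAMPLE_LOG = r"""DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ghostdrv.sys -- (GhostDrv)
DRV:64bit: - [2010/04/27 17:16:24 | 000,528,616 | ---- | M] (Example Vendor) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\exdrv.sys -- (ExampleDrv)
SRV:64bit: - File not found [Auto | Running] -- C:\Windows\SysNative\ghostsvc.exe -- (GhostSvc)
SRV:64bit: - [2010/03/10 10:14:44 | 000,355,440 | ---- | M] () [Auto | Running] -- C:\Example\svc.exe -d -f C:\Example\svc.ini -- (ExampleSvc)
========== Files - Modified Within 90 Days ==========
[2010/07/18 20:40:05 | 004,194,304 | -HS- | M] () -- C:\Users\Example\ntuser.dat
[2010/07/06 14:28:25 | 001,137,360 | ---- | M] (Example Vendor) -- C:\Users\Example\Desktop\tool.exe
[2010/07/01 22:55:19 | 000,033,280 | -H-- | M] () -- C:\Windows\SysWow64\drivers\oddname.sys
[2010/06/30 23:31:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Example
"""

# [date time | size | attrs | C/M] followed by an optional (Company) field.
STAMP_RE = re.compile(
    r"\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))?"
)
# The path begins at the first " -- " followed by a drive letter; a trailing
# " -- (Name)" carries the service/driver key name when present. Command-line
# arguments after an executable stay part of the path string.
PATH_RE = re.compile(r" -- (?P<path>[A-Za-z]:\\.*?)(?: -- \((?P<name>[^()]+)\))?$")


def parse_entry(line: str) -> Optional[dict]:
    """Parse one DRV/SRV/file line; return None for headers and lines without a path."""
    m_path = PATH_RE.search(line)
    if not m_path:
        return None
    category = "FILE" if line.startswith("[") else line.split(" - ", 1)[0].rstrip(":")
    entry = {
        "category": category,
        "path": m_path.group("path"),
        "name": m_path.group("name"),
        "file_found": "File not found" not in line,
        "date": None, "size": None, "attrs": None, "company": None,
    }
    m_stamp = STAMP_RE.search(line)
    if m_stamp:
        entry["date"] = m_stamp.group("date")
        entry["size"] = int(m_stamp.group("size").replace(",", ""))
        entry["attrs"] = m_stamp.group("attrs")
        entry["company"] = m_stamp.group("company") or None  # "()" means no company
    return entry


def parse_log(log: str) -> list:
    """All parseable entries of a log, in file order."""
    return [e for e in (parse_entry(ln) for ln in log.splitlines()) if e]


def orphaned_entries(log: str) -> list:
    """Key names of services/drivers whose registration points at a missing file."""
    return [e["name"] for e in parse_log(log) if not e["file_found"] and e["name"]]


def hidden_no_company_files(log: str) -> list:
    """Hidden, non-directory files with no company string: a triage list, not a verdict.

    Attribute positions are read off the logs in this thread: index 1 is H (hidden),
    index 3 is D (directory), as in "-HS-" and "---D". Legitimate files such as
    ntuser.dat land here too, so every hit still needs a human look.
    """
    hits = []
    for e in parse_log(log):
        a = e["attrs"]
        if e["category"] == "FILE" and a and a[1] == "H" and a[3] != "D" and e["company"] is None:
            hits.append(e["path"])
    return hits


if __name__ == "__main__":
    print("orphaned service/driver keys:", orphaned_entries(SAMPLE_LOG))
    print("hidden files with no company:", hidden_no_company_files(SAMPLE_LOG))
```

The orphan list is the same class of entry the OTL fix above removes (a service or driver key left behind after its file was renamed or deleted); the hidden-file list is only a starting point for the kind of manual review etavares does with the CLSID directory.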
 


#7 ForzaDavide

ForzaDavide
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:01:19 PM

Posted 19 July 2010 - 10:00 PM

Hello ETAVARES,

And thank you again.
1) For your first question, I honestly didn't have a single second to write them down, it happened so fast.. BOOM!! Firewall disabled, McAfee disabled, screen flickering... I got scared and ran the Avira Bootable Removal tool, the Linux based shotgun method, and "hit rename if cannot clean." I did it with the latest definitions. No log was saved.

2) The news about 64-bit OSes and rootkits is great news!!!!
However, I was under the impression that you could get a rootkit from other 32-bit non-drivers (like an application, etc.) and still be infected... I also was under the impression that rootkits are near impossible to remove from within the system which they infect?? Your take on that would be highly appreciated.

3) In regards to the scan: Yes, sorry, I screwed up that scan big time: I hit the scan button a couple of times.. and I couldn't find a way to stop it and might have clicked around several times to try to stop it.. with no success, hehehe, sorry.

4) Here's the great part: I don't see, or feel, in ANY way, any effect or infection. I'm not getting redirected to any sites, nor am I constrained in any way. I am able to run, update, and scan with any AV, anti-malware, etc. programs. So I take it this is very good news??

5) I will start these scans immediately, thank you for your time! However, the first recommendation, about the Trusted Zone: if it's the "bullhorn" site, I need that for work and trust it very much, and need it for security and functionality reasons. So may I keep that... or, for the sake of cleaning this infection, should we just go ahead and lock this system down, to be thorough?

6) Also, I have that second log from the first run of OTL that I kinda screwed up, as stated earlier; did you want me to post that also? I believe it's called "EXTRA"?

7) I'll get on those scans now.

Thank you again sir! I appreciate this tremendously!

Let me do that scan again, starting with the one you just requested.

Edited by ForzaDavide, 20 July 2010 - 10:45 AM.


#8 ForzaDavide

ForzaDavide
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:01:19 PM

Posted 19 July 2010 - 10:10 PM

Hello,
I successfully DLed, installed, ran and backed up my registry with ERUNT. :D
Here is the first log you requested..



========== OTL ==========
Service WEBNTACCESS stopped successfully!
Service WEBNTACCESS deleted successfully!
File C:\Windows\SysNative\NTACCESS.SYS not found.
Service SAVRKBootTasks stopped successfully!
Service SAVRKBootTasks deleted successfully!
File C:\Windows\SysNative\SAVRKBootTasks.sys not found.
Service rootrepeal stopped successfully!
Service rootrepeal deleted successfully!
File C:\Windows\SysNative\drivers\rootrepeal.sys not found.
Registry value HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin not found.
Registry value HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin not found.
Registry value HKU\S-1-5-21-1348487664-676021802-3389984467-1005\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\rooveLocalGWS\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88FED34C-F0CA-4636-A375-3CB6248B04CD}\ not found.
File {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\s-help\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\ not found.
File {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.

OTL by OldTimer - Version 3.2.9.1 log created on 07192010_200609






I shall now reboot, then run OTL with All Users, etc. as you described above, and will post that below. Thanks again!!!





5 minutes later, here I am, with an error upon restart. I added it as an attachment, please view it. It says ERUNT cannot create a restore point, therefore if I need to restore the registry I need to do it with another OS.
-ADDED: Also, after the restart, I get multiple of that same message, like ten of them, saying the same thing, so I blasted through clicking OK.. then the last one said something different but I missed it. Sorry. Lol


I shall move on to the scan and post what I find below. Thank you sir.



Edited by ForzaDavide, 19 July 2010 - 10:22 PM.


#9 ForzaDavide

ForzaDavide
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:01:19 PM

Posted 19 July 2010 - 11:31 PM

Ok here is the OTL scan log that was produced; it only provided one. It's attached below, ALONG with another screenshot of a suspicious popup. You mentioned earlier:

" Let's clean up some orphaned registry entries and take a look at an odd directory. I think it's related to Lavasoft Adaware as it has a similar timestamp, but I'm always suspicious of hidden directories with limited google hits for the CLSID."

Well I got a McAfee notification alerting me that Ad-Aware was trying to access the internet.. and you said it was suspicious, so I attached the notification. I ended up selecting "Block".


Here's my OTL log.



OTL logfile created on: 7/19/2010 8:23:09 PM - Run 3
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\David\Desktop
64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 65.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 596.07 Gb Total Space | 49.00 Gb Free Space | 8.22% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 233.75 Gb Total Space | 32.68 Gb Free Space | 13.98% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DAVID-PC
Current User Name: David
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/19 20:12:11 | 000,407,336 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe
PRC - [2010/07/19 20:04:07 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\David\Desktop\OTL.exe
PRC - [2010/07/13 23:57:10 | 001,352,832 | ---- | M] (Lavasoft) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/07/13 23:57:10 | 000,864,112 | ---- | M] (Lavasoft) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/07/10 00:41:28 | 000,231,888 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe
PRC - [2010/05/10 18:03:39 | 001,238,352 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Steam\steam.exe
PRC - [2010/02/27 18:13:12 | 000,107,832 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrB.exe
PRC - [2010/02/27 18:12:52 | 000,066,872 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2010/01/16 12:15:35 | 001,523,712 | ---- | M] (Nick Connors) -- C:\Users\David\AppData\Local\Microsoft\Windows Sidebar\Gadgets\GPUMonitor[1].gadget\GPUMonitor.exe
PRC - [2010/01/11 22:00:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009/11/28 00:48:12 | 000,842,240 | ---- | M] (Acronis) -- C:\Program Files (x86)\Acronis\TrayMonitor\TrayMonitor.exe
PRC - [2009/11/27 21:00:02 | 000,382,368 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2009/11/27 20:57:30 | 001,865,560 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Agent\agent.exe
PRC - [2009/11/27 20:35:02 | 004,285,664 | ---- | M] (Acronis) -- C:\Program Files (x86)\Acronis\BackupAndRecovery\mms.exe
PRC - [2009/11/27 20:28:10 | 000,957,024 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Timounter\TimounterMonitor.exe
PRC - [2009/08/22 11:25:00 | 002,781,184 | ---- | M] () -- C:\Program Files (x86)\RivaTuner\RivaTuner.exe
PRC - [2009/08/04 18:29:54 | 000,219,360 | ---- | M] (DeviceVM, Inc.) -- C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe
PRC - [2009/08/04 18:29:52 | 000,346,320 | ---- | M] (DeviceVM, Inc.) -- C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe
PRC - [2009/07/30 18:51:02 | 000,068,136 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe
PRC - [2009/07/14 01:28:00 | 000,024,576 | ---- | M] (Creative Technology Ltd) -- C:\Windows\SysWOW64\Ctxfihlp.exe
PRC - [2009/07/14 01:22:08 | 001,263,616 | ---- | M] (Creative Technology Ltd) -- C:\Windows\SysWOW64\CTxfispi.exe
PRC - [2009/07/13 18:14:47 | 000,254,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
PRC - [2009/02/23 12:43:54 | 000,307,200 | ---- | M] (Creative Technology Ltd) -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe


========== Modules (SafeList) ==========

MOD - [2010/07/19 20:04:07 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\David\Desktop\OTL.exe
MOD - [2010/04/01 09:57:36 | 000,015,056 | ---- | M] (McAfee, Inc.) -- c:\Program Files (x86)\McAfee\SiteAdvisor\sahook.dll
MOD - [2009/07/13 18:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2009/07/13 18:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -d -f %ProgramFiles%\WinPcap\rpcapd.ini -- (rpcapd)
SRV:64bit: - File not found [Auto | Running] -- C:\Windows\SysNative\PnkBstrB.exe -- (PnkBstrB)
SRV:64bit: - File not found [Auto | Running] -- C:\Windows\SysNative\PnkBstrA.exe -- (PnkBstrA)
SRV:64bit: - [2010/06/29 10:49:27 | 000,128,752 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2010/04/27 17:16:24 | 000,244,840 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV:64bit: - [2010/04/27 17:16:24 | 000,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV:64bit: - [2010/04/15 09:45:10 | 000,509,416 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV:64bit: - [2010/04/14 12:29:58 | 000,199,032 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV:64bit: - [2010/03/10 10:14:44 | 000,355,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV:64bit: - [2010/03/10 10:14:44 | 000,355,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV:64bit: - [2010/03/10 10:14:44 | 000,355,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV:64bit: - [2010/03/10 10:14:44 | 000,355,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV:64bit: - [2010/03/10 10:14:44 | 000,355,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV:64bit: - [2010/03/10 10:14:44 | 000,355,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV:64bit: - [2010/03/10 10:14:44 | 000,355,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV:64bit: - [2009/11/02 13:48:18 | 000,126,352 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\TurboBoost\TurboBoost.exe -- (TurboBoost)
SRV:64bit: - [2009/07/13 18:41:56 | 000,195,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\umrdp.dll -- (UmRdpService)
SRV:64bit: - [2009/07/13 18:41:54 | 000,017,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\StorSvc.dll -- (StorSvc)
SRV:64bit: - [2009/07/13 18:41:53 | 001,361,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\PeerDistSvc.dll -- (PeerDistSvc)
SRV:64bit: - [2009/07/13 18:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 18:40:24 | 000,689,152 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\cscsvc.dll -- (CscService)
SRV:64bit: - [2009/07/13 18:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2010/07/19 20:12:11 | 000,407,336 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/07/13 23:57:10 | 001,352,832 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/06/09 22:22:04 | 000,120,712 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe -- (LMIMaint)
SRV - [2010/03/18 14:27:14 | 000,138,576 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_64)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/27 18:13:12 | 000,107,832 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrB.exe -- (PnkBstrB)
SRV - [2010/02/27 18:12:52 | 000,066,872 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2010/02/05 20:43:53 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe -- (Creative ALchemy AL6 Licensing Service)
SRV - [2010/01/21 00:41:07 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2010/01/16 00:51:54 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\MT6Licensing.exe -- (Creative Media Toolbox 6 Licensing Service)
SRV - [2010/01/11 22:00:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/11/27 21:00:42 | 000,899,528 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2009/11/27 20:57:30 | 001,865,560 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\Agent\agent.exe -- (AcronisAgent)
SRV - [2009/11/27 20:35:02 | 004,285,664 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Acronis\BackupAndRecovery\mms.exe -- (MMS)
SRV - [2009/11/06 14:13:20 | 000,276,584 | ---- | M] (NVIDIA) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService)
SRV - [2009/08/04 18:29:54 | 000,219,360 | ---- | M] (DeviceVM, Inc.) [Auto | Running] -- C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe -- (BCUService)
SRV - [2009/07/30 18:51:02 | 000,068,136 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe -- (GEST Service)
SRV - [2009/02/23 12:43:54 | 000,307,200 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2008/10/25 12:44:08 | 000,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/08/11 13:40:58 | 000,057,920 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe -- (LogMeIn)
SRV - [2007/01/11 05:02:00 | 000,126,464 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/06/21 10:44:12 | 000,069,152 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\Lbd.sys -- (Lbd)
DRV:64bit: - [2010/06/09 22:22:02 | 000,014,944 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\radpms.sys -- (radpms)
DRV:64bit: - [2010/06/09 22:21:50 | 000,087,456 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV:64bit: - [2010/05/26 10:39:08 | 000,006,144 | ---- | M] (Sophos Plc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\F9DD.tmp -- (MEMSWEEP2)
DRV:64bit: - [2010/04/27 17:16:24 | 000,528,616 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfehidk.sys -- (mfehidk)
DRV:64bit: - [2010/04/27 17:16:24 | 000,440,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfefirek.sys -- (mfefirek)
DRV:64bit: - [2010/04/27 17:16:24 | 000,279,752 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfewfpk.sys -- (mfewfpk)
DRV:64bit: - [2010/04/27 17:16:24 | 000,189,880 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeavfk.sys -- (mfeavfk)
DRV:64bit: - [2010/04/27 17:16:24 | 000,121,504 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeapfk.sys -- (mfeapfk)
DRV:64bit: - [2010/04/27 17:16:24 | 000,093,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mferkdet.sys -- (mferkdet)
DRV:64bit: - [2010/04/27 17:16:24 | 000,075,288 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mfenlfk.sys -- (mfenlfk)
DRV:64bit: - [2010/04/27 17:16:24 | 000,062,416 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\cfwids.sys -- (cfwids)
DRV:64bit: - [2010/02/17 11:23:05 | 000,014,920 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2010/02/17 11:23:05 | 000,012,360 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2010/02/06 19:54:40 | 000,082,816 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\pcouffin.sys -- (pcouffin)
DRV:64bit: - [2010/01/21 22:26:40 | 000,951,904 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\timntr.sys -- (timounter)
DRV:64bit: - [2010/01/21 22:23:59 | 000,265,824 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\snapman.sys -- (snapman)
DRV:64bit: - [2009/11/02 13:48:02 | 000,013,784 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\TurboB.sys -- (TurboB)
DRV:64bit: - [2009/09/15 14:59:30 | 000,042,088 | ---- | M] (NVIDIA Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvoclk64.sys -- (nvoclk64)
DRV:64bit: - [2009/08/28 20:42:52 | 000,049,152 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2009/07/30 04:58:42 | 000,236,544 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/07/14 03:54:52 | 001,613,336 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ha20x22k.sys -- (ha20x22k)
DRV:64bit: - [2009/07/14 03:54:38 | 001,568,792 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ha20x2k.sys -- (ha20x2k)
DRV:64bit: - [2009/07/14 03:54:28 | 000,118,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\emupia2k.sys -- (emupia)
DRV:64bit: - [2009/07/14 03:54:18 | 000,213,016 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV:64bit: - [2009/07/14 03:54:12 | 000,015,896 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV:64bit: - [2009/07/14 03:54:04 | 000,179,224 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctoss2k.sys -- (ossrv)
DRV:64bit: - [2009/07/14 03:53:54 | 000,696,984 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV:64bit: - [2009/07/14 03:53:46 | 000,580,632 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ctac32k.sys -- (ctac32k)
DRV:64bit: - [2009/07/14 03:53:36 | 001,445,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CTEXFIFX.sys -- (CTEXFIFX.SYS)
DRV:64bit: - [2009/07/14 03:53:36 | 001,445,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CTEXFIFX.sys -- (CTEXFIFX)
DRV:64bit: - [2009/07/14 03:53:24 | 000,095,256 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CTHWIUT.sys -- (CTHWIUT.SYS)
DRV:64bit: - [2009/07/14 03:53:24 | 000,095,256 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CTHWIUT.sys -- (CTHWIUT)
DRV:64bit: - [2009/07/14 03:53:16 | 000,230,424 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CT20XUT.sys -- (CT20XUT.SYS)
DRV:64bit: - [2009/07/14 03:53:16 | 000,230,424 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CT20XUT.sys -- (CT20XUT)
DRV:64bit: - [2009/07/13 18:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 18:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 18:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 18:45:55 | 000,200,272 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vmbus.sys -- (vmbus)
DRV:64bit: - [2009/07/13 18:45:55 | 000,046,672 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vmstorfl.sys -- (storflt)
DRV:64bit: - [2009/07/13 18:45:55 | 000,034,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsc.sys -- (storvsc)
DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 16:42:58 | 000,006,656 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vms3cap.sys -- (s3cap)
DRV:64bit: - [2009/07/13 16:42:44 | 000,021,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VMBusHID.sys -- (VMBusHID)
DRV:64bit: - [2009/07/13 16:24:27 | 000,514,048 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\csc.sys -- (CSC)
DRV:64bit: - [2009/06/10 13:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 15:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/03/27 02:23:54 | 000,019,432 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\cpuz132_x64.sys -- (cpuz132)
DRV:64bit: - [2008/11/04 11:21:08 | 000,098,144 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\jraid.sys -- (JRAID)
DRV:64bit: - [2008/08/11 13:40:58 | 000,072,216 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV:64bit: - [2008/08/11 13:40:32 | 000,011,552 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\lmimirr.sys -- (lmimirr)
DRV:64bit: - [2007/11/06 13:23:14 | 000,040,464 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\npf.sys -- (NPF)
DRV:64bit: - [2007/08/20 12:05:02 | 000,012,744 | ---- | M] (EnTech Taiwan) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Entech64.sys -- (ENTECH64)
DRV - [2010/07/19 20:11:33 | 000,025,640 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\gdrv.sys -- (gdrv)
DRV - [2010/01/22 23:32:44 | 000,019,952 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files (x86)\RivaTuner\RivaTuner64.sys -- (RivaTuner64)
DRV - [2009/02/10 18:23:10 | 000,115,600 | ---- | M] (EZB Systems, Inc.) [File_System | System | Running] -- C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys -- (ISODrive)
DRV - [2008/08/11 13:41:00 | 000,015,928 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\rainfo.sys -- (LMIInfo)
DRV - [2007/02/07 11:27:46 | 000,014,104 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | Boot | Running] -- C:\Windows\SysWOW64\speedfan.sys -- (speedfan)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4D 75 3D E4 66 96 CA 01 [binary data]
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\..\URLSearchHook: {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll (DeviceVM, Inc.)
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4D 75 3D E4 66 96 CA 01 [binary data]
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\..\URLSearchHook: {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll (DeviceVM, Inc.)
IE - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files (x86)\McAfee\SiteAdvisor [2010/06/22 08:05:50 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009/06/10 14:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho64.dll ()
O2:64bit: - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100518134509.dll (McAfee, Inc.)
O2:64bit: - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20100518134509.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3:64bit: - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4:64bit: - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4:64bit: - HKLM..\Run: [LogMeIn GUI] C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe (LogMeIn, Inc.)
O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\Windows\SysNative\NvCpl.DLL (NVIDIA Corporation)
O4:64bit: - HKLM..\Run: [RivaTuner] C:\Program Files (x86)\RivaTuner\RivaTunerWrapper.exe ()
O4:64bit: - HKLM..\Run: [RivaTunerStartupDaemon] C:\Program Files (x86)\RivaTuner\RivaTunerWrapper.exe ()
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files (x86)\Common Files\Acronis\Timounter\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [BackupAndRecoveryMonitor.exe] C:\Program Files (x86)\Acronis\BackupAndRecovery\BackupAndRecoveryMonitor.exe (Acronis)
O4 - HKLM..\Run: [BCU] C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe (DeviceVM, Inc.)
O4 - HKLM..\Run: [CTxfiHlp] C:\Windows\SysWow64\Ctxfihlp.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [TrayMonitor.exe] C:\Program Files (x86)\Acronis\TrayMonitor\TrayMonitor.exe (Acronis)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001..\Run: [EPSON Stylus CX8400 Series] C:\Windows\SysWow64\spool\DRIVERS\x64\3\E_IATICEA.EXE File not found
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001..\Run: [Steam] c:\program files (x86)\steam\steam.exe (Valve Corporation)
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005..\Run: [EPSON Stylus CX8400 Series] C:\Windows\SysWow64\spool\DRIVERS\x64\3\E_IATICEA.EXE File not found
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005..\Run: [Steam] c:\program files (x86)\steam\steam.exe (Valve Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005..\RunOnce: [InetReg] C:\Program Files (x86)\Creative\Product Registration\English\InetReg.exe (Creative Technology Ltd)
O4 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O4 - Startup: C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\..Trusted Domains: bullhorn.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\..Trusted Domains: bullhornstaffing.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\..Trusted Domains: com.tw ([asia.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\..Trusted Domains: com.tw ([global.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1001\..Trusted Domains: com.tw ([www.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\..Trusted Domains: bullhorn.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\..Trusted Domains: bullhornstaffing.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\..Trusted Domains: com.tw ([asia.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\..Trusted Domains: com.tw ([global.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-1348487664-676021802-3389984467-1005\..Trusted Domains: com.tw ([www.msi] http in Trusted sites)
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} http://liveupdate.msi.com.tw/autobios/LOnline/install.cab (WebSDev Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareup...15111/CTPID.cab (Creative Software AutoUpdate Support Package)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220
O18:64bit: - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{77beb626-025f-11df-a6ac-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{77beb626-025f-11df-a6ac-806e6f6e6963}\Shell\AutoRun\command - "" = D:\SETUP.EXE -- File not found
O33 - MountPoints2\{d2a557bf-0215-11df-8792-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{d2a557bf-0215-11df-8792-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Run.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/07/19 20:06:09 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/07/19 20:03:01 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/07/19 20:01:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2010/07/19 19:50:17 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Users\David\Desktop\erunt-setup.exe
[2010/07/18 12:43:30 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\David\Desktop\OTL.exe
[2010/07/18 09:32:26 | 000,000,000 | ---D | C] -- C:\Users\David\Documents\DVDFab
[2010/07/18 09:32:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DVDFab 6
[2010/07/06 20:48:12 | 000,000,000 | ---D | C] -- C:\Users\David\AppData\Roaming\SUPERAntiSpyware.com
[2010/07/06 20:48:12 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/07/06 20:48:00 | 000,000,000 | ---D | C] -- C:\ProgramData\!SASCORE
[2010/07/06 20:47:59 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/07/06 19:24:36 | 000,069,152 | ---- | C] (Lavasoft AB) -- C:\Windows\SysNative\drivers\Lbd.sys
[2010/07/06 19:22:20 | 000,000,000 | -H-D | C] -- C:\ProgramData\{90FF8911-FC06-4E49-8959-C3CF1CA226BB}
[2010/07/06 19:22:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/07/01 22:52:22 | 000,018,816 | ---- | C] (Sophos Plc) -- C:\Windows\SysWow64\SAVRKBootTasks.sys
[2010/07/01 20:55:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sophos
[2010/07/01 17:29:51 | 000,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbam.sys
[2010/07/01 17:26:52 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Users\David\Desktop\HijackThis.exe
[2010/06/30 23:32:19 | 003,942,048 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\David\Desktop\TOY.exe
[2010/06/30 23:31:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Lavasoft
[2010/05/10 22:03:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\McAfee.com
[2010/05/10 22:03:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\McAfee
[2010/05/10 22:03:16 | 000,009,984 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeclnk.sys
[2010/05/10 22:02:28 | 000,528,616 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfehidk.sys
[2010/05/10 22:02:28 | 000,440,688 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfefirek.sys
[2010/05/10 22:02:28 | 000,279,752 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfewfpk.sys
[2010/05/10 22:02:28 | 000,189,880 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeavfk.sys
[2010/05/10 22:02:28 | 000,121,504 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeapfk.sys
[2010/05/10 22:02:28 | 000,093,840 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mferkdet.sys
[2010/05/10 22:02:28 | 000,075,288 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfenlfk.sys
[2010/05/10 22:02:28 | 000,062,416 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\cfwids.sys
[2010/05/10 22:02:11 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2010/05/10 22:02:11 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2010/05/10 22:02:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2010/05/10 22:02:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\McAfee
[2010/05/10 21:54:48 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2010/04/30 03:00:32 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Wat
[2010/04/30 03:00:32 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Wat
[2009/07/14 01:30:56 | 000,014,336 | ---- | C] ( ) -- C:\Windows\SysWow64\a3d.dll
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/07/19 20:25:15 | 004,194,304 | -HS- | M] () -- C:\Users\David\ntuser.dat
[2010/07/19 20:20:42 | 000,028,124 | ---- | M] () -- C:\Users\David\Desktop\ERunt Error upon restart 3.jpg
[2010/07/19 20:19:56 | 000,026,752 | ---- | M] () -- C:\Users\David\Desktop\ERunt Error upon restart 2.jpg
[2010/07/19 20:19:01 | 000,013,648 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/07/19 20:19:01 | 000,013,648 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/07/19 20:14:13 | 000,140,478 | ---- | M] () -- C:\Users\David\Desktop\ERunt Error upon restart.png
[2010/07/19 20:14:01 | 000,039,158 | ---- | M] () -- C:\Users\David\Desktop\ERunt Error upon restart.jpg
[2010/07/19 20:13:51 | 000,001,828 | ---- | M] () -- C:\Users\Public\Desktop\McAfee Total Protection.lnk
[2010/07/19 20:11:31 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/07/19 20:11:30 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/07/19 20:11:28 | 3220,037,632 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/19 20:10:34 | 000,062,308 | ---- | M] () -- C:\Windows\SysNative\BMXStateBkp-{00000002-00000000-00000000-00001102-0000000B-00431102}.rfx
[2010/07/19 20:10:34 | 000,062,308 | ---- | M] () -- C:\Windows\SysNative\BMXState-{00000002-00000000-00000000-00001102-0000000B-00431102}.rfx
[2010/07/19 20:10:34 | 000,000,820 | ---- | M] () -- C:\Windows\SysNative\DVCState-{00000002-00000000-00000000-00001102-0000000B-00431102}.rfx
[2010/07/19 20:10:15 | 001,836,645 | -H-- | M] () -- C:\Users\David\AppData\Local\IconCache.db
[2010/07/19 20:04:07 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\David\Desktop\OTL.exe
[2010/07/19 20:01:51 | 000,001,104 | ---- | M] () -- C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/07/19 20:01:48 | 000,000,924 | ---- | M] () -- C:\Users\David\Desktop\NTREGOPT.lnk
[2010/07/19 20:01:48 | 000,000,905 | ---- | M] () -- C:\Users\David\Desktop\ERUNT.lnk
[2010/07/19 19:50:18 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Users\David\Desktop\erunt-setup.exe
[2010/07/18 12:53:13 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/07/18 12:53:13 | 000,623,940 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/07/18 12:53:13 | 000,106,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/07/18 09:32:24 | 000,000,931 | ---- | M] () -- C:\Users\David\Desktop\DVDFab 6.lnk
[2010/07/17 11:01:12 | 000,072,903 | ---- | M] () -- C:\Users\David\Desktop\deal1.jpg
[2010/07/07 22:33:25 | 000,000,036 | ---- | M] () -- C:\Users\David\AppData\Local\housecall.guid.cache
[2010/07/06 21:59:35 | 000,001,009 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/06 20:48:00 | 000,001,808 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/07/06 19:22:18 | 000,001,166 | ---- | M] () -- C:\Users\David\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/07/06 19:22:18 | 000,001,142 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/07/05 23:10:26 | 000,413,312 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/07/01 22:55:19 | 000,033,280 | ---- | M] () -- C:\Windows\SysWow64\drivers\rootrepeal.sys
[2010/06/21 10:44:12 | 000,069,152 | ---- | M] (Lavasoft AB) -- C:\Windows\SysNative\drivers\Lbd.sys
[2010/06/21 10:44:11 | 000,015,880 | ---- | M] () -- C:\Windows\SysNative\lsdelete.exe
[2010/06/09 22:22:02 | 000,014,944 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\drivers\radpms.sys
[2010/06/09 22:21:50 | 000,087,456 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIRfsClientNP.dll
[2010/06/09 22:21:49 | 000,080,768 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIinit.dll
[2010/06/09 22:21:49 | 000,033,152 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIport.dll
[2010/06/09 03:18:32 | 000,524,288 | -HS- | M] () -- C:\Users\David\ntuser.dat{614ab40e-70ea-11df-8c08-00241dc4abaf}.TMContainer00000000000000000002.regtrans-ms
[2010/06/09 03:18:32 | 000,524,288 | -HS- | M] () -- C:\Users\David\ntuser.dat{614ab40e-70ea-11df-8c08-00241dc4abaf}.TMContainer00000000000000000001.regtrans-ms
[2010/06/09 03:18:32 | 000,065,536 | -HS- | M] () -- C:\Users\David\ntuser.dat{614ab40e-70ea-11df-8c08-00241dc4abaf}.TM.blf
[2010/06/05 23:06:12 | 000,000,221 | ---- | M] () -- C:\Users\David\Desktop\Shattered Horizon.url
[2010/05/26 10:45:04 | 000,018,816 | ---- | M] (Sophos Plc) -- C:\Windows\SysWow64\SAVRKBootTasks.sys
[2010/05/19 13:17:09 | 000,000,162 | -H-- | M] () -- C:\Users\David\Documents\~$rsuation Speech Outline Formatted Nice FINAL COPY Proofed.docx
[2010/05/18 21:52:30 | 000,022,485 | ---- | M] () -- C:\Users\David\Documents\Persuation Speech Final Copy for NOTECARDs.docx
[2010/05/18 20:57:36 | 000,023,227 | ---- | M] () -- C:\Users\David\Documents\Persuation Speech Outline Formatted Nice FINAL COPY Proofed.docx
[2010/05/18 20:48:04 | 000,023,026 | ---- | M] () -- C:\Users\David\Documents\Persuation Speech Outline Formatted Nice.docx
[2010/05/18 19:37:07 | 000,015,872 | ---- | M] () -- C:\Users\David\Documents\Full sentence outline Final Persuasive Speech.docx
[2010/05/18 19:04:03 | 000,013,203 | ---- | M] () -- C:\Users\David\Documents\Sources Cited Page for Persuasion FINAL speech.docx
[2010/05/17 20:26:53 | 000,022,752 | ---- | M] () -- C:\Users\David\Documents\Persuasion speech.docx
[2010/05/16 20:02:47 | 002,468,838 | ---- | M] () -- C:\Users\David\Desktop\Sanzio_01 Raphael-most famous- vatican.jpg
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/04/29 15:39:28 | 000,024,664 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/04/27 17:16:24 | 000,528,616 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfehidk.sys
[2010/04/27 17:16:24 | 000,440,688 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfefirek.sys
[2010/04/27 17:16:24 | 000,279,752 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfewfpk.sys
[2010/04/27 17:16:24 | 000,189,880 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeavfk.sys
[2010/04/27 17:16:24 | 000,121,504 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeapfk.sys
[2010/04/27 17:16:24 | 000,093,840 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mferkdet.sys
[2010/04/27 17:16:24 | 000,075,288 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfenlfk.sys
[2010/04/27 17:16:24 | 000,062,416 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\cfwids.sys
[2010/04/27 17:16:24 | 000,009,984 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeclnk.sys
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/19 20:20:42 | 000,028,124 | ---- | C] () -- C:\Users\David\Desktop\ERunt Error upon restart 3.jpg
[2010/07/19 20:19:56 | 000,026,752 | ---- | C] () -- C:\Users\David\Desktop\ERunt Error upon restart 2.jpg
[2010/07/19 20:14:12 | 000,140,478 | ---- | C] () -- C:\Users\David\Desktop\ERunt Error upon restart.png
[2010/07/19 20:13:59 | 000,039,158 | ---- | C] () -- C:\Users\David\Desktop\ERunt Error upon restart.jpg
[2010/07/19 20:01:51 | 000,001,104 | ---- | C] () -- C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/07/19 20:01:48 | 000,000,924 | ---- | C] () -- C:\Users\David\Desktop\NTREGOPT.lnk
[2010/07/19 20:01:48 | 000,000,905 | ---- | C] () -- C:\Users\David\Desktop\ERUNT.lnk
[2010/07/18 09:32:24 | 000,000,931 | ---- | C] () -- C:\Users\David\Desktop\DVDFab 6.lnk
[2010/07/17 11:03:12 | 000,072,903 | ---- | C] () -- C:\Users\David\Desktop\deal1.jpg
[2010/07/07 22:33:25 | 000,000,036 | ---- | C] () -- C:\Users\David\AppData\Local\housecall.guid.cache
[2010/07/06 21:59:35 | 000,001,009 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/06 20:48:00 | 000,001,808 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/07/06 19:34:48 | 000,015,880 | ---- | C] () -- C:\Windows\SysNative\lsdelete.exe
[2010/07/06 19:22:18 | 000,001,166 | ---- | C] () -- C:\Users\David\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/07/06 19:22:18 | 000,001,142 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/07/06 00:23:32 | 000,050,155 | ---- | C] () -- C:\Users\David\Desktop\GTA4 Text Msg Cars.jpg
[2010/07/06 00:23:32 | 000,049,569 | ---- | C] () -- C:\Users\David\Desktop\GTA4 stuntjumps.jpg
[2010/07/01 21:12:14 | 000,033,280 | ---- | C] () -- C:\Windows\SysWow64\drivers\rootrepeal.sys
[2010/06/05 23:06:12 | 000,000,221 | ---- | C] () -- C:\Users\David\Desktop\Shattered Horizon.url
[2010/06/05 14:36:51 | 000,524,288 | -HS- | C] () -- C:\Users\David\ntuser.dat{614ab40e-70ea-11df-8c08-00241dc4abaf}.TMContainer00000000000000000002.regtrans-ms
[2010/06/05 14:36:51 | 000,524,288 | -HS- | C] () -- C:\Users\David\ntuser.dat{614ab40e-70ea-11df-8c08-00241dc4abaf}.TMContainer00000000000000000001.regtrans-ms
[2010/06/05 14:36:51 | 000,065,536 | -HS- | C] () -- C:\Users\David\ntuser.dat{614ab40e-70ea-11df-8c08-00241dc4abaf}.TM.blf
[2010/05/19 13:17:09 | 000,000,162 | -H-- | C] () -- C:\Users\David\Documents\~$rsuation Speech Outline Formatted Nice FINAL COPY Proofed.docx
[2010/05/18 20:50:40 | 000,022,485 | ---- | C] () -- C:\Users\David\Documents\Persuation Speech Final Copy for NOTECARDs.docx
[2010/05/18 20:48:34 | 000,023,227 | ---- | C] () -- C:\Users\David\Documents\Persuation Speech Outline Formatted Nice FINAL COPY Proofed.docx
[2010/05/18 19:19:49 | 000,023,026 | ---- | C] () -- C:\Users\David\Documents\Persuation Speech Outline Formatted Nice.docx
[2010/05/18 18:09:05 | 000,013,203 | ---- | C] () -- C:\Users\David\Documents\Sources Cited Page for Persuasion FINAL speech.docx
[2010/05/18 15:00:30 | 000,015,872 | ---- | C] () -- C:\Users\David\Documents\Full sentence outline Final Persuasive Speech.docx
[2010/05/17 18:38:36 | 000,001,828 | ---- | C] () -- C:\Users\Public\Desktop\McAfee Total Protection.lnk
[2010/05/16 20:04:28 | 002,468,838 | ---- | C] () -- C:\Users\David\Desktop\Sanzio_01 Raphael-most famous- vatican.jpg
[2010/05/10 19:30:07 | 000,022,752 | ---- | C] () -- C:\Users\David\Documents\Persuasion speech.docx
[2010/01/29 12:39:42 | 000,237,568 | ---- | C] () -- C:\Windows\SysWow64\rmc_rtspdl.dll
[2010/01/25 12:58:06 | 000,462,848 | ---- | C] () -- C:\Windows\SysWow64\ractrlkeyhook.dll
[2010/01/24 13:31:08 | 000,000,097 | ---- | C] () -- C:\Windows\SysWow64\PICSDK.ini
[2010/01/16 00:18:51 | 000,166,912 | ---- | C] () -- C:\Windows\SysWow64\APOMngr.DLL
[2010/01/16 00:18:51 | 000,073,728 | ---- | C] () -- C:\Windows\SysWow64\CmdRtr.DLL
[2010/01/15 21:53:07 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2009/07/14 02:14:20 | 000,027,839 | ---- | C] () -- C:\Windows\SysWow64\instwdm.ini
[2009/07/14 02:14:16 | 000,000,054 | ---- | C] () -- C:\Windows\SysWow64\ctzapxx.ini
[2009/07/14 01:28:04 | 000,002,560 | ---- | C] () -- C:\Windows\SysWow64\CtxfiRes.dll
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 14:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/05/26 13:12:38 | 000,000,285 | ---- | C] () -- C:\Windows\SysWow64\kill.ini
[2008/02/01 09:18:14 | 000,009,216 | ---- | C] () -- C:\Windows\SysWow64\drivers\FlashSys.sys
[2007/11/06 13:19:28 | 000,053,299 | ---- | C] () -- C:\Windows\SysWow64\pthreadVC.dll

========== LOP Check ==========

[2010/02/06 19:40:48 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\Foxit
[2010/01/29 12:23:27 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\PPLive
[2010/04/01 18:54:57 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\The Creative Assembly
[2010/07/18 12:44:40 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\uTorrent
[2010/07/18 09:32:28 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\Vso
[2009/07/13 22:08:49 | 000,029,142 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< dir C:\ProgramData\{90FF8911-FC06-4E49-8959-C3CF1CA226BB} /c >
Volume in drive C has no label.
Volume Serial Number is A409-1023
Directory of C:\PROGRAMDATA\{90FF8911-FC06-4E49-8959-C3CF1CA226BB}
07/06/2010 07:24 PM 462 Ad-AwareInstall.dat
06/21/2010 10:52 AM 2,978,768 Ad-AwareInstall.exe
07/06/2010 07:22 PM 9 Ad-AwareInstall.lan
06/21/2010 10:52 AM 1,866,752 Ad-AwareInstall.msi
07/06/2010 07:22 PM 5,279 Ad-AwareInstall.par
06/21/2010 10:52 AM 24,037,753 Ad-AwareInstall.res
07/06/2010 07:22 PM 90 instance.dat
06/21/2010 10:52 AM 473,050 mia.lib
8 File(s) 29,362,163 bytes
0 Dir(s) 52,620,853,248 bytes free
< End of report >

Edited by ForzaDavide, 19 July 2010 - 11:38 PM.


#10 ForzaDavide
  • Topic Starter
  • Members
  • 46 posts
  • Local time:01:19 PM

Posted 19 July 2010 - 11:41 PM

For the final step of your last post, you asked me to scan with the ESET Online Scanner.
I can install it and download definitions, but when the scan starts, it immediately finishes and says no threats found, 00:00:00 scan time.... so to me it looks like it didn't scan anything.. but it says completed and shows a big green check mark. Here, check out the screenshot below:
Next step?

Edited by ForzaDavide, 19 July 2010 - 11:43 PM.


#11 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:04:19 PM

Posted 20 July 2010 - 08:03 PM

Hello, ForzaDavide.

64-bit is fine for now...although that may change...if someone puts enough energy towards creating a 64bit rootkit, I am sure there is a workaround. There's just not enough demand for something like that, given the ease of making 32bit rootkits. So, it's possible, just not seen yet. With a rootkit, we always provide a warning....we can remove what we know, but there's always a chance we don't see something, so we do recommend a reformat and install. However...even a clean computer has the same risk...you just never know completely and have to use common sense and normal caution.

Yes...not having signs of an infection is a good thing. I'm not seeing much, which is the good news.

No need to clear a trusted zone if you do trust it. I just have to provide the warning.

Yes, please post Extra.txt if you have it, even if older. It allows me to look for rogue programs and outdated software with known security holes.

Thanks for the ERUNT warning on boot. ERUNT can't do automatic backing up on anything other than XP. You can uninstall ERUNT now. We're done with registry fixes.

As for Ad-Aware...that's a legitimate program I do trust. Look at the bottom of the OTL log...you'll see the contents of that folder. It's just a temporary directory. You can delete manually if you want. I'm always annoyed by leftover files!
You can delete this directory: C:\ProgramData\{90FF8911-FC06-4E49-8959-C3CF1CA226BB}

As for the antivirus scan...let's try a different one.


Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.
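As an added example that is not part of this thread (it is neither etavares's tooling nor OTL's own code), here is a small Python helper that automates two of the things an analyst reads in an OTL Extras.txt such as the one posted in the next reply: whether the shell\open\command values for exefile, batfile, cmdfile, comfile, piffile and scrfile still match the Windows 7 defaults (a rogue value there means every program launch runs through malware first, which is exactly how an infection keeps security tools from starting), and whether any Security Center override flag, notification-suppression flag or firewall profile has been switched off. The baseline values are an assumption of a stock install with no third-party shell hooks. The sample log text is constructed for the example; the hijacked exefile path in it is invented for illustration and does not come from David's log.

```python
import re

# Clean Windows 7 baseline for the shell\open\command values that malware
# most often hijacks (assumption: stock values, no third-party shell hooks).
EXPECTED_SHELL = {
    "batfile [open]": '"%1" %*',
    "cmdfile [open]": '"%1" %*',
    "comfile [open]": '"%1" %*',
    "exefile [open]": '"%1" %*',
    "piffile [open]": '"%1" %*',
    "scrfile [open]": '"%1" /S',
}

SECTION_RE = re.compile(r"^=+ (.+?) =+$")             # ========== Name ==========
SHELL_RE = re.compile(r"^(\S+ \[[^\]]+\]) -- (.*)$")    # exefile [open] -- "%1" %*
VALUE_RE = re.compile(r'^"(\w+)" = (\d+)$')            # "EnableFirewall" = 1


def parse_sections(text):
    """Split an OTL Extras.txt into {section name: [non-blank lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current and line:
            sections[current].append(line)
    return sections


def check_shell_spawning(lines):
    """Report shell\\open\\command values that differ from the clean baseline."""
    findings = []
    for line in lines:
        m = SHELL_RE.match(line)
        if not m:
            continue
        key, cmd = m.groups()
        # OTL appends 'File not found' when it cannot resolve "%1" to a file,
        # or a '(Company Name)' trailer when it can; neither is part of the value.
        cmd = re.sub(r" File not found$", "", cmd)
        cmd = re.sub(r" \([^()]*\)$", "", cmd)
        expected = EXPECTED_SHELL.get(key)
        if expected is not None and cmd != expected:
            findings.append(f"{key}: expected {expected!r}, found {cmd!r}")
    return findings


def check_security_center(lines):
    """Report overridden monitoring, suppressed alerts and disabled firewall profiles."""
    findings, key = [], ""
    for line in lines:
        if line.startswith("[") or line.startswith("64bit: ["):
            key = line.rsplit("\\", 1)[-1].rstrip("]")   # last element of the registry key
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), int(m.group(2))
        if name.endswith("Override") and value != 0:
            findings.append(f"{key}: {name} = {value} (monitoring overridden)")
        elif "DisableNotif" in name and value != 0:
            findings.append(f"{key}: {name} = {value} (alerts suppressed)")
        elif name == "EnableFirewall" and value != 1:
            findings.append(f"{key}: firewall disabled")
    return findings


def triage(text):
    """Run both checks over an Extras.txt and return the list of findings."""
    sections = parse_sections(text)
    return (check_shell_spawning(sections.get("Shell Spawning", []))
            + check_security_center(sections.get("Security Center Settings", [])))


# Constructed sample in OTL's format: the clean lines mirror the posted log, the
# exefile hijack and the two flipped settings are invented for illustration.
SAMPLE = r"""
========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
scrfile [open] -- "%1" /S File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
exefile [open] -- "C:\ProgramData\updater.exe" "%1" %* ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run over the Extras.txt that follows in the next reply, it reports nothing for these two sections: both exefile entries are "%1" %*, the three Override values are 0, the DisableNotify values are 0, and EnableFirewall is 1 in all three profiles. That matches etavares's reading that the log shows no sign of a hijack.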



#12 ForzaDavide
  • Topic Starter
  • Members
  • 46 posts
  • Local time:01:19 PM

Posted 21 July 2010 - 01:22 AM

That's all triple great news!
Thank you again for your time..
I'll attach the 2nd "Extras" file below, in addition to the screenshot and log of the completed BitDefender scan, which I successfully ran, and the great news is that it found nothing!
If I may ask you, after confirming now that I am 100% infection free, what was I infected with in the first place based on the original logs? Was it simply a trojan? A virus? If so, which ones?

Thanks again for your help!!!



BitDefender Online Scanner - Real Time Virus Report

Generated at: Tue, Jul 20, 2010 - 23:11:15

--------------------------------------------------------------------------------

Scan Info

Scanned Files: 504643
Infected Files: 0

Virus Detected

No virus found.

--------------------------------------------------------------------------------

This summary of the scan process will be used by the BitDefender Antivirus Lab to create aggregate statistics about virus activity around the world.


Here is the Extras.txt generated by the first OTL scan.

OTL Extras logfile created on: 7/18/2010 12:46:08 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\David\Desktop
64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 62.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 596.07 Gb Total Space | 53.48 Gb Free Space | 8.97% Space Free | Partition Type: NTFS
Drive D: | 4.11 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 233.75 Gb Total Space | 32.68 Gb Free Space | 13.98% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DAVID-PC
Current User Name: David
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
"{39F4C6F9-618A-4E5B-8FB2-6BD661174E32}" = Intel® Turbo Boost Technology Monitor
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{9EFC40E3-5F31-4F75-8445-286273F74D8E}" = Apple Mobile Device Support
"{B812FCC0-6192-4BFA-A9C6-1E8578F255DA}" = iTunes
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{DAE239CE-EB9D-4EB3-B0D4-528D6BAA48FD}" = Bonjour
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"CPUID HWMonitor_is1" = CPUID HWMonitor 1.15
"EPSON Printer and Utilities" = EPSON Printer Software
"KLiteCodecPack64_is1" = K-Lite Codec Pack (64-bit) v3.1.1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"WinRAR archiver" = WinRAR archiver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0665E2D2-2CF0-47C3-A0BA-11DCEFB0636F}" = Acronis Backup & Recovery 10 Upgrade Tool
"{07F6BABF-0653-41A0-BCB7-8C2148AD2F1A}" = Acronis Backup & Recovery 10 Tray Monitor
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{34F93E31-E1A0-421C-8E86-BCF7C4193A91}" = LogMeIn
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = Gigabyte Raid Configurer
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4FB3E151-3AFE-458B-8DE8-D8913CCB2527}" = Acronis Backup & Recovery 10 Standalone Management Console
"{5B363E1D-8C36-4458-BAE4-D5081999E094}" = Browser Configuration Utility
"{6734459C-512F-4DAD-93ED-BC07A88F0A5B}" = inSSIDer
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B2C675E-8040-431B-99C4-137DF4FBF75A}" = Thermal Analysis Tool
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7353BAE6-5E49-46C4-A9B5-8A269A313789}" = Crysis WARHEAD®
"{75D84EF7-0D8C-4e70-B3FA-7B42A5D4E0EB}" = Mass Effect 2
"{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA Performance
"{7ED169D4-5053-4166-93DF-53B12AE6C539}" = Energy Saver Advance B9.0730.1
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISE_{E64BA721-2310-4B55-BE5A-2925F9706192}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002A-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0116-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90859A61-C317-48B9-8E31-4B742611FD19}" = Acronis Backup & Recovery 10 Agent
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{BB406CEB-6207-4512-9BB2-89950DC9D6B6}_is1" = ConvertXtoDVD 2.2.3.258h
"{BEE64C14-BEF1-4610-8A68-A16EAA47B882}" = Futuremark SystemInfo
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C40C3C3D-97CF-44B5-836C-766E374464B3}" = 3DMark Vantage
"{C4FFCD8D-3A06-E243-2747-2CE771A8B7D4}" = EA Download Manager UI
"{CB64E215-F6BB-4BB4-8039-9F800C80B211}" = Acronis Backup & Recovery 10 Universal Restore
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E10DB5DA-E576-40EA-A7FC-1CB2A7B283A6}" = NVIDIA PhysX
"{E9CFBE78-ED91-4FCF-9E6F-210E477E527D}" = NVIDIA System Monitor
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1A14CB2-A048-45A6-AFDA-3571296E1D76}" = Creative Media Toolbox 6
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FE361859-B039-4E17-96AC-D111183DCF99}" = Acronis Backup & Recovery 10 Bootable Components and Media Builder
"Ad-Aware" = Ad-Aware
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adrianne" = Adrianne demo by NVIDIA (remove only)
"ALchemy" = Creative ALchemy
"Alt.Binz" = Alt.Binz 0.25.0
"AudioCS" = Creative Audio Control Panel
"Cascades" = Cascades demo by NVIDIA (remove only)
"com.ea.Vault.919CACB699904AC5D41B606703500DD39747C02D.1" = EA Download Manager UI
"Console Launcher" = Creative Console Launcher
"Creative Software AutoUpdate" = Creative Software AutoUpdate
"Creative Sound Blaster Properties x64 Edition" = Creative Sound Blaster Properties x64 Edition
"Crysis WARHEAD®" = Crysis WARHEAD®
"Diagnostics 4_5" = Creative Diagnostics
"DVDFab 6_is1" = DVDFab 6.2.0.5 (11/11/2009)
"EA Download Manager" = EA Download Manager
"ENTERPRISE" = Microsoft Office Enterprise 2007
"EPSON Scanner" = EPSON Scan
"Foxit Reader" = Foxit Reader
"HijackThis" = HijackThis 2.0.2
"InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA Performance
"InstallShield_{E9CFBE78-ED91-4FCF-9E6F-210E477E527D}" = NVIDIA System Monitor
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Medusa" = Medusa demo by NVIDIA (remove only)
"MSC" = McAfee Total Protection
"Nero7Lite_is1" = Nero 7 Lite 7.11.6.0
"No Hope" = No Hope
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"OpenAL" = OpenAL
"PPLive" = PPLive 1.9
"PunkBusterSvc" = PunkBuster Services
"QuickPar" = QuickPar 0.9
"RivaTuner" = RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.4
"SpeedFan" = SpeedFan (remove only)
"Steam App 10180" = Call of Duty: Modern Warfare 2
"Steam App 10190" = Call of Duty: Modern Warfare 2 - Multiplayer
"Steam App 18110" = Shattered Horizon
"Steam App 19900" = Far Cry 2
"Steam App 21910" = World in Conflict: Soviet Assault
"Steam App 400" = Portal
"Steam App 4700" = Medieval II: Total War
"Steam App 4780" = Medieval II: Total War Kingdoms
"UltraISO_is1" = UltraISO Premium V9.35
"Uninstaller_B4736000_Creative Media Toolbox 6" = Creative Media Toolbox 6 (Shared Components)
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.5
"WinPcapInst" = WinPcap 4.0.2

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

Any further scans we need to, or can, do? What would be a better way of protecting myself from what I was infected with above, if we know at all???

Thanks again!!! You, and this website, have been a tremendous help!

Edited by ForzaDavide, 21 July 2010 - 01:40 PM.


#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:19 PM

Posted 21 July 2010 - 05:51 PM

Hello, ForzaDavide.

Honestly...I have no idea what you were infected with. It was all removed early on before you posted here. I just removed some old stuff that wasn't malware related.

I do like the Star Wars smiley too!

Your logs look clean. With that in mind, please go ahead and do Steps 1 and 2 below to ensure you don't accidentally get infected from this again. I've also listed optional items below that are completely up to you. You did ask about how to prevent infection. Using a P2P connection like uTorrent is a high risk activity unless you know exactly what/where you're connecting and downloading files from. It's a very common and easy attack vector for malware. The other important note is that no antivirus provides 100% protection. New threats emerge every second and find new ways to attack that heuristics alone can't identify. Most are only about 50-60% effective for new (<2 week old) threats...but most are > 90% effective for > 2 week old threats. Just don't think you can run two real-time scanners at once. That's a recipe for system slowdown and potential instability as they fight for access to files.

So, let's clean up.

Step 1

Next, we need to remove the other tools we have used.
  • Please download OTC by OldTimer and save it to your desktop.
  • If that link doesn't work, try this one.
  • Double-click the icon to start the program.
  • Then, click the big button.
  • You will get a prompt saying Begin Cleanup Process. Click Yes.
  • Restart your computer when prompted.



Step 2

We need to purge your System Restore so malware is not accidentally restored. First, let's create a new restore point.
  1. Go to Start and type in SystemPropertiesProtection and run that program.
  2. Select the System Protection tab.
  3. Press Create.
  4. Give the restore point a name and press Create.
  5. You'll see it work, then say that it was created successfully.

Now, we need to remove the old, infected points using Disk Cleanup.
  1. Click on Start --> My Computer
  2. Right-click on C: and select Properties.
  3. Click on Disk Cleanup.
  4. Double-click Files from all users on this computer.
  5. Click on the More Options tab and press Clean Up... under System Restore and Shadow Copies.
  6. Click OK.
  7. You'll get a couple of prompts asking if you're sure you want to do this; select Yes for them.
  8. Disk Cleanup will remove those restore points and close itself.

Optional Items

Please take the time to read below to secure your machine and take the necessary steps to keep it that way.


System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance. If you are running Windows Vista or Windows 7, please right-click on the icon and select "Run As Administrator"; otherwise it won't work.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

Protect yourself from malicious sites
Please download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  1. Double-click the downloaded installer and install the tool to a location of your choice.
  2. Via the Start menu, navigate to HostsMan and run the program.
    1. Click "Hosts" in the menu.
    2. Click "Manage Updates" in the submenu.
    3. Out of the three, select at least one (I have MVPS Hosts as my main one).
    4. Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  3. Click the X to exit the program.
  4. Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update your AntiVirus Software

It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

For a tutorial on firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program is Malwarebytes Anti-Malware. You can download the free version.

Installing this program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.

Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
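The HostsMan step in the post above works by adding blocklist entries to the Windows hosts file (C:\Windows\System32\drivers\etc\hosts) that point known-bad names at a sinkhole address, so the browser never reaches them. The script below is an added example written for this page, not HostsMan's code or anything posted in the thread: it parses hosts-format text, merges a blocklist into an existing hosts file while keeping custom entries (the situation the note in step 4 warns about), and flags entries that redirect a name to a routable address, which is what a malware-tampered hosts file looks like when vendor update sites are being silently blocked. Every hostname and address in it is constructed, and it runs on the embedded strings rather than touching the real hosts file.

```python
"""Hosts-file blocklist handling: merge a blocklist without losing custom
entries, and flag hosts entries that redirect rather than sink.
Added example; not HostsMan's code. All names/addresses are constructed."""
import ipaddress
import re

# RFC 1123-style hostname check: labels of 1-63 alphanumerics/hyphens,
# no leading/trailing hyphen, whole name at most 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Addresses a blocklist may legitimately point names at: they go nowhere.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Ranges a hosts entry may point at without being suspicious: unspecified,
# loopback, RFC 1918, IPv6 ULA and link-local. Anything else is routable.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample of a machine's current hosts file: a custom LAN entry
# (the kind the post says you must re-add yourself) and one entry of the
# kind hosts-hijacking malware plants: a vendor update site sent to a
# routable address (198.51.100.77 is a documentation-only address).
EXISTING_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
192.168.1.50    nas.home.example          # custom entry
198.51.100.77   update.antivirus-vendor.example
"""

# Constructed sample blocklist in the MVPS-style 0.0.0.0 format.
BLOCKLIST = """\
# sample blocklist
0.0.0.0 ads.bad.example
0.0.0.0 tracker.bad.example
0.0.0.0 ads.bad.example        # duplicate line
127.0.0.1 localhost
this is not a hosts line
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; blank, comment and malformed lines are skipped."""
    for raw in text.splitlines():
        line, _, _comment = raw.partition("#")
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            if HOSTNAME_RE.match(name):
                yield parts[0], name.lower()


def suspicious_entries(text):
    """Entries that send a name to a routable address. A hosts file that maps
    update or security-vendor sites this way is the classic hijacking symptom."""
    flagged = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if ip in SINKHOLES or any(addr in net for net in LOCAL_NETS):
            continue
        flagged.append((ip, name))
    return flagged


def merge(existing, blocklist, sinkhole="0.0.0.0"):
    """Append blocklist names to the existing hosts text.

    Existing lines are kept verbatim, so custom entries survive; blocklist
    names are deduplicated, rewritten to one sinkhole address, and any
    blocklist line pointing at a non-sinkhole address is dropped (a
    'blocklist' that redirects instead of sinking is itself suspect).
    Returns (merged_text, number_of_entries_added)."""
    present = {name for _, name in parse_hosts(existing)}
    added = []
    for ip, name in parse_hosts(blocklist):
        if ip not in SINKHOLES or name in present:
            continue
        present.add(name)
        added.append(f"{sinkhole} {name}")
    merged = existing.rstrip("\n") + "\n# --- merged blocklist ---\n" + "\n".join(added) + "\n"
    return merged, len(added)


if __name__ == "__main__":
    for ip, name in suspicious_entries(EXISTING_HOSTS):
        print(f"SUSPICIOUS: {name} -> {ip}")
    text, n = merge(EXISTING_HOSTS, BLOCKLIST)
    print(f"added {n} blocklist entries")
    print(text)
```

On a real machine, feed the contents of the hosts file to suspicious_entries first; an entry sending a vendor's update site to an outside address explains the "cannot update the antivirus" symptom described earlier in this thread. Write the merged output back only after reviewing it, and note that changing the real file requires administrator rights.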
 


#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:19 PM

Posted 26 July 2010 - 06:13 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.






