Rootkit removed, but system is still screwed...


  • This topic is locked
5 replies to this topic

#1 kisk

Posted 25 September 2010 - 12:06 PM

Vista SP1 x86

Never worked on a rootkit like this before.

It infected my MBR, which I was able to restore, but now I can't get into Windows: Stop [0x8e, 0xc5] (safe mode works).
I have ruled out memory with Memtest86+ 4.10.


For some reason, I can no longer get Windows (normal mode) to produce a dump since last night.
Here is the WinDbg output from the last dump:


Debugging Info
CODE
Loading Dump File [X:\Mini092410-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\Windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18488.x86fre.vistasp1_gdr.100608-0458
Machine Name:
Kernel base = 0x82035000 PsLoadedModuleList = 0x8214cc70
Debug session time: Fri Sep 24 21:43:16.235 2010 (UTC - 5:00)
System Uptime: 0 days 0:00:48.032
Loading Kernel Symbols
...............................................................
................................................................
.
Loading User Symbols
Loading unloaded module list
..
Unable to load image \SystemRoot\System32\Drivers\aswSP.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for aswSP.SYS
*** ERROR: Module load completed but symbols could not be loaded for aswSP.SYS
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007F, {8, 805d3130, 0, 0}

*** WARNING: Unable to verify timestamp for ybnly.sys
*** ERROR: Module load completed but symbols could not be loaded for ybnly.sys
Probably caused by : aswSP.SYS ( aswSP+102ee )

Followup: MachineOwner
---------

1: kd>
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 805d3130
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------


BUGCHECK_STR:  0x7f_8

CUSTOMER_CRASH_COUNT:  2

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 8d1396c7 to 8d1342ee

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
8a029024 8d1396c7 00000000 86cb03e0 87f134c0 aswSP+0x102ee
8a029038 827216d2 86cb03e0 87f134c0 87f13650 aswSP+0x156c7
8a02903c 86cb03e0 87f134c0 87f13650 acbbaa10 ybnly+0x26d2
8a029040 87f134c0 87f13650 acbbaa10 87f134c0 0x86cb03e0
8a029044 87f13650 acbbaa10 87f134c0 827216d2 0x87f134c0
8a029048 acbbaa10 87f134c0 827216d2 86cb03e0 0x87f13650
8a02904c 87f134c0 827216d2 86cb03e0 87f134c0 0xacbbaa10
8a029050 827216d2 86cb03e0 87f134c0 87f13650 0x87f134c0
8a029054 86cb03e0 87f134c0 87f13650 acbbaa10 ybnly+0x26d2
8a029058 87f134c0 87f13650 acbbaa10 87f134c0 0x86cb03e0
8a02905c 87f13650 acbbaa10 87f134c0 827216d2 0x87f134c0
8a029060 acbbaa10 87f134c0 827216d2 86cb03e0 0x87f13650
8a029064 87f134c0 827216d2 86cb03e0 87f134c0 0xacbbaa10
8a029068 827216d2 86cb03e0 87f134c0 87f13650 0x87f134c0
8a02906c 86cb03e0 87f134c0 87f13650 acbbaa10 ybnly+0x26d2
8a029070 87f134c0 87f13650 acbbaa10 87f134c0 0x86cb03e0
8a029074 87f13650 acbbaa10 87f134c0 827216d2 0x87f134c0
8a029078 acbbaa10 87f134c0 827216d2 86cb03e0 0x87f13650
8a02907c 87f134c0 827216d2 86cb03e0 87f134c0 0xacbbaa10
8a029080 827216d2 86cb03e0 87f134c0 87f13650 0x87f134c0
8a029084 86cb03e0 87f134c0 87f13650 acbbaa10 ybnly+0x26d2
8a029088 87f134c0 87f13650 acbbaa10 87f134c0 0x86cb03e0
8a02908c 87f13650 acbbaa10 87f134c0 827216d2 0x87f134c0
8a029090 acbbaa10 87f134c0 827216d2 86cb03e0 0x87f13650
8a029094 87f134c0 827216d2 86cb03e0 87f134c0 0xacbbaa10
8a029098 827216d2 86cb03e0 87f134c0 87f13650 0x87f134c0
8a02909c 86cb03e0 87f134c0 87f13650 acbbaa10 ybnly+0x26d2
8a0290a0 87f134c0 87f13650 acbbaa10 87f134c0 0x86cb03e0
8a0290a4 87f13650 acbbaa10 87f134c0 827216d2 0x87f134c0
8a0290a8 acbbaa10 87f134c0 827216d2 86cb03e0 0x87f13650
8a0290ac 87f134c0 827216d2 86cb03e0 87f134c0 0xacbbaa10
8a0290b0 827216d2 86cb03e0 87f134c0 87f13650 0x87f134c0
8a0290b4 86cb03e0 87f134c0 87f13650 acbbaa10 ybnly+0x26d2
8a0290b8 87f134c0 87f13650 acbbaa10 87f134c0 0x86cb03e0
8a0290bc 87f13650 acbbaa10 87f134c0 827216d2 0x87f134c0
8a0290c0 acbbaa10 87f134c0 827216d2 86cb03e0 0x87f13650
8a0290c4 87f134c0 827216d2 86cb03e0 87f134c0 0xacbbaa10
8a0290c8 827216d2 86cb03e0 87f134c0 87f13650 0x87f134c0
8a0290cc 86cb03e0 87f134c0 87f13650 acbbaa10 ybnly+0x26d2
8a0290d0 87f134c0 87f13650 acbbaa10 87f134c0 0x86cb03e0
8a0290d4 87f13650 acbbaa10 87f134c0 827216d2 0x87f134c0
8a0290d8 acbbaa10 87f134c0 827216d2 86cb03e0 0x87f13650
8a0290dc 87f134c0 827216d2 86cb03e0 87f134c0 0xacbbaa10
8a0290e0 827216d2 86cb03e0 87f134c0 87f13650 0x87f134c0
8a0290e4 86cb03e0 87f134c0 87f13650 acbbaa10 ybnly+0x26d2
8a0290e8 87f134c0 87f13650 acbbaa10 87f134c0 0x86cb03e0
8a0290ec 87f13650 acbbaa10 87f134c0 827216d2 0x87f134c0
8a0290f0 acbbaa10 87f134c0 827216d2 86cb03e0 0x87f13650
8a0290f4 87f134c0 827216d2 86cb03e0 87f134c0 0xacbbaa10
8a0290f8 827216d2 86cb03e0 87f134c0 87f13650 0x87f134c0
8a0290fc 86cb03e0 87f134c0 87f13650 acbbaa10 ybnly+0x26d2
8a029100 87f134c0 87f13650 acbbaa10 87f134c0 0x86cb03e0
8a029104 87f13650 acbbaa10 87f134c0 827216d2 0x87f134c0
8a029108 acbbaa10 87f134c0 827216d2 86cb03e0 0x87f13650
8a02910c 87f134c0 827216d2 86cb03e0 87f134c0 0xacbbaa10
8a029110 827216d2 86cb03e0 87f134c0 87f13650 0x87f134c0
8a029114 86cb03e0 87f134c0 87f13650 acbbaa10 ybnly+0x26d2
8a029118 87f134c0 87f13650 acbbaa10 87f134c0 0x86cb03e0
8a02911c 87f13650 acbbaa10 87f134c0 827216d2 0x87f134c0
8a029120 acbbaa10 87f134c0 827216d2 86cb03e0 0x87f13650
8a029124 87f134c0 827216d2 86cb03e0 87f134c0 0xacbbaa10
8a029128 827216d2 86cb03e0 87f134c0 87f13650 0x87f134c0
8a02912c 86cb03e0 87f134c0 87f13650 acbbaa10 ybnly+0x26d2
8a029130 87f134c0 87f13650 acbbaa10 87f134c0 0x86cb03e0
8a029134 87f13650 acbbaa10 87f134c0 827216d2 0x87f134c0
8a029138 acbbaa10 87f134c0 827216d2 86cb03e0 0x87f13650
8a02913c 87f134c0 827216d2 86cb03e0 87f134c0 0xacbbaa10
8a029140 827216d2 86cb03e0 87f134c0 87f13650 0x87f134c0
8a029144 86cb03e0 87f134c0 87f13650 acbbaa10 ybnly+0x26d2
8a029148 87f134c0 87f13650 acbbaa10 87f134c0 0x86cb03e0
8a02914c 87f13650 acbbaa10 87f134c0 827216d2 0x87f134c0
8a029150 acbbaa10 87f134c0 827216d2 86cb03e0 0x87f13650
8a029154 87f134c0 827216d2 86cb03e0 87f134c0 0xacbbaa10
8a029158 827216d2 86cb03e0 87f134c0 87f13650 0x87f134c0
8a02915c 86cb03e0 87f134c0 87f13650 acbbaa10 ybnly+0x26d2


STACK_COMMAND:  kb

FOLLOWUP_IP:
aswSP+102ee
8d1342ee 53              push    ebx

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  aswSP+102ee

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: aswSP

IMAGE_NAME:  aswSP.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4c865191

FAILURE_BUCKET_ID:  0x7f_8_aswSP+102ee

BUCKET_ID:  0x7f_8_aswSP+102ee

Followup: MachineOwner
---------



aswSP.SYS is part of Avast 5, but I've removed it and I'm still getting BSOD'd.
ybnly.sys was identified by Malwarebytes as Trojan.Agent.




HJT Report
CODE
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:04:28 PM, on 9/25/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
F:\Tools\_Cleaners\HijackThis v2.0.4\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=HSN&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6320
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Gateway\traybar.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-18\..\Run: [MqqZ] C:\Windows\cmd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Mqqoc] C:\Windows\debug.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Mqqsc] C:\Windows\drweb.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Mquuf] C:\Windows\spoolsv.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MquuN] C:\Windows\spoolsv .exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Mque] C:\Windows\user.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MqqE0] C:\Windows\cmd    .exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MquuKc] C:\Windows\spoolsv  .exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MqqEj] C:\Windows\cmd     .exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MqqEgc] C:\Windows\cmd      .exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MqqEgK] C:\Windows\cmd       .exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MquuKK] C:\Windows\spoolsv   .exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MqqEg0] C:\Windows\cmd        .exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MquuK0] C:\Windows\spoolsv    .exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MqqEgj] C:\Windows\cmd         .exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MqqZ] C:\Windows\cmd.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe (User 'Default user')
O4 - .DEFAULT User Startup: idxiga.exe (User 'Default user')
O4 - Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.taylorbeanonline.com/scriptx/smsx.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 5788 bytes





DDS Log

CODE
DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Conrad at 11:48:10.05 on Sat 09/25/2010
Internet Explorer: 8.0.6001.18943
Microsoft Windows Vista Home Premium   6.0.6001.1.1252.1.1033.18.2038.1632 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
F:\Tools\_Anti-Rootkits\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=HSN&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6320
BHO: AutorunsDisabled - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for gateway\traybar.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [hpqSRMon] c:\program files\hewlett-packard\digital imaging\bin\hpqSRMon.exe
dRun: [MqqZ] c:\windows\cmd.exe
dRun: [Mqqoc] c:\windows\debug.exe
dRun: [Mqqsc] c:\windows\drweb.exe
dRun: [Mquuf] c:\windows\spoolsv.exe
dRun: [MquuN] c:\windows\spoolsv .exe
dRun: [Mque] c:\windows\user.exe
dRun: [MqqE0] c:\windows\cmd    .exe
dRun: [MquuKc] c:\windows\spoolsv  .exe
dRun: [MqqEj] c:\windows\cmd     .exe
dRun: [MqqEgc] c:\windows\cmd      .exe
dRun: [MqqEgK] c:\windows\cmd       .exe
dRun: [MquuKK] c:\windows\spoolsv   .exe
dRun: [MqqEg0] c:\windows\cmd        .exe
dRun: [MquuK0] c:\windows\spoolsv    .exe
dRun: [MqqEgj] c:\windows\cmd         .exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
StartupFolder: c:\users\conrad\appdata\roaming\micros~1\windows\startm~1\programs\startup\autoru~1\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\users\conrad\appdata\roaming\micros~1\windows\startm~1\programs\startup\autoru~1\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~3.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://www.taylorbeanonline.com/scriptx/smsx.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\conrad\appdata\roaming\mozilla\firefox\profiles\lkfueb4z.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.search.selectedengine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://pmh.bingstart.com/?cfg=2-207-0-1w0WQ
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=LMW2&o=16046&locale=en_US&q=
FF - component: c:\users\conrad\appdata\roaming\mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size",  4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347648]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2008-10-1 12800]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-20 136176]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 Normandy;Normandy SR2;c:\windows\system32\drivers\Normandy.sys [2010-9-24 34560]
S3 PTDUBus;PANTECH UM175 Composite Device Driver;c:\windows\system32\drivers\PTDUBus.sys [2010-2-9 54416]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2010-2-9 160272]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2010-2-9 160272]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2010-2-9 11920]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2010-2-9 113680]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2008-1-20 19968]

=============== Created Last 30 ================

2010-09-25 16:35:53    54016    ----a-w-    c:\windows\system32\drivers\fehvshpu.sys
2010-09-25 16:18:23    50256    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2010-09-25 16:18:17    38848    ----a-w-    c:\windows\avastSS.scr
2010-09-25 15:17:03    83090    ----a-w-    C:\cc_20100925_101700.reg
2010-09-25 05:13:23    0    d-----w-    c:\windows\pss
2010-09-25 04:55:52    116    ----a-w-    c:\windows\system32\Partizan.RRI
2010-09-25 04:47:28    2    --shatr-    c:\windows\winstart.bat
2010-09-25 04:47:20    37600    ----a-w-    c:\windows\system32\Partizan.exe
2010-09-25 04:47:20    35816    ----a-w-    c:\windows\system32\drivers\Partizan.sys
2010-09-25 04:47:08    12808    ----a-w-    c:\windows\system32\drivers\UnHackMeDrv.sys
2010-09-25 04:47:05    0    d-----w-    c:\program files\UnHackMe
2010-09-25 04:08:40    0    d-sh--w-    C:\$RECYCLE.BIN
2010-09-25 03:48:53    268435456    --sha-w-    c:\windows\system32\temppf.sys
2010-09-25 03:07:42    77312    ----a-w-    C:\gmer-mbr.exe
2010-09-25 02:27:50    0    d-----w-    c:\programdata\Alwil Software
2010-09-25 00:38:52    98816    ----a-w-    c:\windows\sed.exe
2010-09-25 00:38:52    77312    ----a-w-    c:\windows\MBR.exe
2010-09-25 00:38:52    256512    ----a-w-    c:\windows\PEV.exe
2010-09-25 00:38:52    161792    ----a-w-    c:\windows\SWREG.exe
2010-09-24 23:52:37    34560    ----a-w-    c:\windows\system32\drivers\Normandy.sys
2010-09-24 22:55:13    94764    ----a-w-    c:\windows\system32\B55Xa.com
2010-09-24 02:11:10    112    ----a-w-    c:\programdata\UcUn58q.dat
2010-09-24 02:00:55    0    d-----w-    c:\programdata\Update
2010-09-20 00:11:36    501760    ----a-w-    c:\windows\system32\usp10.dll
2010-09-20 00:11:34    126464    ----a-w-    c:\windows\system32\spoolsv.exe
2010-09-20 00:11:32    317952    ----a-w-    c:\windows\system32\MP4SDECD.DLL
2010-09-20 00:11:30    738816    ----a-w-    c:\windows\system32\inetcomm.dll

==================== Find3M  ====================

2010-06-21 21:05:27    51200    ----a-w-    c:\windows\inf\infpub.dat
2010-06-21 21:05:27    143360    ----a-w-    c:\windows\inf\infstrng.dat
2010-06-21 21:03:10    86016    ----a-w-    c:\windows\inf\infstor.dat
2008-07-04 08:07:12    665600    ----a-w-    c:\windows\inf\drvindex.dat
2008-01-21 02:43:21    174    --sha-w-    c:\program files\desktop.ini
2006-11-02 12:42:02    30674    ----a-w-    c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02    30674    ----a-w-    c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02    287440    ----a-w-    c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02    287440    ----a-w-    c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21    287440    ----a-w-    c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21    287440    ----a-w-    c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19    30674    ----a-w-    c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19    30674    ----a-w-    c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 11:51:35.54 ===============



Thanks!

Just booted into MiniXP (Hiren's) and ran SUPERAntiSpyware just for kicks, and it said the Malwarebytes executable was infected... lol, what is going on with this system?

EDIT: Posts merged ~BP

Edited by Budapest, 25 September 2010 - 05:29 PM.
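A defender-side triage of the O4 autostart lines quoted in the HJT report above, added here as an example; it is not part of the original post and not HijackThis or DDS code. It assumes C:\Windows is %SystemRoot% on this x86 install, and the sample input is a handful of lines copied from the log above, embedded as a constructed test string.

```python
"""Flag suspicious HijackThis O4 (autostart) entries.

Heuristics used here (triage hints, not a verdict):
  * padded extension  - whitespace between the base name and ".exe"
                        ("spoolsv .exe"), so a rogue file can sit next to the
                        real one and look identical at a glance;
  * wrong directory   - a well-known system binary name launched from a folder
                        other than the one Windows keeps it in;
  * SYSTEM hive       - a persistent Run value under HKUS\S-1-5-18 or
                        HKUS\.DEFAULT, which few legitimate programs register
                        (RunOnce is skipped: installers and updaters use it).
Startup-folder entries ("O4 - Startup:") are not parsed by this example.
"""
import re
from dataclasses import dataclass, field
from typing import List

# O4 - <hive>\..\<key>: [<name>] <command> (User '<user>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# First image path on the command line. Lazy match up to the extension keeps
# internal blanks, so "cmd    .exe" is captured whole, not cut at the space.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|bat|cmd|pif))"?(?=\s|$)', re.I)

# Assumption for this example: %SystemRoot% is C:\Windows. explorer.exe lives
# in the Windows directory itself; the others live in System32.
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    **{n: r"c:\windows\system32" for n in (
        "cmd.exe", "spoolsv.exe", "svchost.exe", "lsass.exe",
        "services.exe", "winlogon.exe", "csrss.exe", "debug.exe",
    )},
}
SYSTEM_HIVES = (r"hkus\s-1-5-18", r"hkus\.default")


@dataclass
class Finding:
    name: str                 # registry value name, e.g. "MquuN"
    image: str                # image path exactly as written in the log
    hive: str
    reasons: List[str] = field(default_factory=list)


def normalize_dir(path: str) -> str:
    """Lower-case the parent directory and expand %SystemRoot%/%windir%."""
    parent = path.rsplit("\\", 1)[0].lower()
    for var in ("%systemroot%", "%windir%"):
        parent = parent.replace(var, r"c:\windows")
    return parent


def canonical_name(basename: str) -> str:
    """'spoolsv   .exe' -> 'spoolsv.exe' (drop padding before the extension)."""
    return re.sub(r"\s+(?=\.[^.]+$)", "", basename).lower()


def check_entry(hive: str, key: str, name: str, cmd: str) -> Finding:
    m = IMAGE_RE.match(cmd)
    image = m.group("path") if m else cmd
    basename = image.rsplit("\\", 1)[-1]
    f = Finding(name=name, image=image, hive=hive)

    if re.search(r"\s\.[^.\\]+$", basename):
        f.reasons.append("whitespace padded before extension")

    canon = canonical_name(basename)
    expected = EXPECTED_DIR.get(canon)
    if expected and normalize_dir(image) != expected:
        f.reasons.append(f"{canon} expected in {expected}")

    if key.lower() == "run" and hive.lower().startswith(SYSTEM_HIVES):
        f.reasons.append("persistent Run value in SYSTEM/default-user hive")
    return f


def triage(log_text: str) -> List[Finding]:
    """Return only the O4 entries that trip at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            f = check_entry(m["hive"], m["key"], m["name"], m["cmd"])
            if f.reasons:
                findings.append(f)
    return findings


# Constructed sample: a subset of the O4 lines from the HJT report above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKUS\S-1-5-18\..\Run: [MqqZ] C:\Windows\cmd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Mquuf] C:\Windows\spoolsv.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MquuN] C:\Windows\spoolsv .exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MqqE0] C:\Windows\cmd    .exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MqqZ] C:\Windows\cmd.exe (User 'Default user')
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        print(f"[{f.name}] {f.image!r}: " + "; ".join(f.reasons))
```

The two HKLM entries and the RunOnce updater pass clean; the five SYSTEM/.DEFAULT values are reported, with the padded "spoolsv .exe" and "cmd    .exe" names tripping all three heuristics.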


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:44 PM

Posted 30 September 2010 - 10:06 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
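The custom scan above produces an OTL.txt whose O4 (autostart), O6 (machine policy), O20 (Winlogon shell) and DRV (driver service) lines are what a malware-removal helper reads first. The Python below is an added example, not OTL's own code and not part of any post in this thread: it parses those four line formats as OTL prints them and flags the usual red flags, namely orphaned autostart entries, file names such as `cmd .exe` that mimic a system binary, UAC policies switched off, a Winlogon shell that is not explorer.exe, and drivers with no vendor information. The sample report lines are constructed to match OTL's format, and the SYSTEM32_NAMES list and the heuristics are this example's assumptions rather than OTL rules.

```python
"""Triage helper for OTL report lines.

Added example: not OTL's own code and not part of any post in this thread.
It parses four line types that OTL writes (O4 autostart entries, O6 machine
policies, O20 Winlogon shell values and DRV driver services) and flags the
things a malware-removal helper looks at first. The heuristics and the
SYSTEM32_NAMES list below are this example's assumptions, not OTL rules.
"""
import re
from typing import List, Tuple

# Constructed sample lines in OTL's report format (modeled on a real OTL.txt).
SAMPLE_OTL = r"""
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [MqqE0] C:\Windows\cmd .exe File not found
O4 - HKU\S-1-5-18..\Run: [Mquuf] C:\Windows\spoolsv.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O20 - HKU\.DEFAULT Winlogon: Shell - (\hotfix.exe) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
DRV - [2010/09/26 14:38:48 | 000,034,560 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Normandy.sys -- (Normandy)
DRV - [2007/07/12 18:35:02 | 000,305,176 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor)
""".strip("\n")

Finding = Tuple[int, str]  # (1-based line number in the report, reason)

# Line formats as OTL prints them.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
O6_RE = re.compile(r"^O6 - (?P<key>.+?): (?P<value>\w+) = (?P<data>\S+)$")
O20_RE = re.compile(r"^O20 - (?P<hive>.+?) Winlogon: Shell - \((?P<shell>[^)]*)\) - (?P<rest>.*)$")
DRV_RE = re.compile(r"^DRV - \[(?P<meta>[^\]]*)\] \((?P<vendor>[^)]*)\) \[(?P<state>[^\]]*)\] -- (?P<path>.+?) -- \((?P<svc>[^)]*)\)")

# Assumed list: binaries that belong in %SystemRoot%\System32. The same name in
# another directory is a classic masquerade.
SYSTEM32_NAMES = {"cmd.exe", "spoolsv.exe", "svchost.exe", "lsass.exe"}

# Policy values that weaken the machine: UAC off, and silent admin elevation.
POLICY_FLAGS = {
    ("EnableLUA", "0"): "UAC disabled (EnableLUA = 0)",
    ("ConsentPromptBehaviorAdmin", "0"): "admins elevate without any prompt (ConsentPromptBehaviorAdmin = 0)",
}


def _split_target(rest: str) -> Tuple[str, bool]:
    """OTL ends an O4 line with ' File not found' or ' (Company)'; return (path, exists)."""
    if rest.endswith(" File not found"):
        return rest[: -len(" File not found")], False
    return re.sub(r" \([^)]*\)$", "", rest), True


def _check_o4(m: "re.Match[str]") -> List[str]:
    path, exists = _split_target(m.group("rest"))
    directory, _, filename = path.rpartition("\\")
    reasons = []
    if not exists:
        reasons.append("autostart points at a missing file (orphaned entry)")
    if re.search(r"\s\.[A-Za-z]{3}$", filename):
        reasons.append("space before the extension mimics a system binary name")
    if filename.lower() in SYSTEM32_NAMES and not directory.lower().endswith("\\system32"):
        reasons.append(f"{filename} found outside System32")
    return [f"O4 [{m.group('name')}]: {r}" for r in reasons]


def _check_o6(m: "re.Match[str]") -> List[str]:
    reason = POLICY_FLAGS.get((m.group("value"), m.group("data")))
    return [f"O6: {reason}"] if reason else []


def _check_o20(m: "re.Match[str]") -> List[str]:
    shell = m.group("shell").lstrip("\\")
    if shell.lower() == "explorer.exe":
        return []
    return [f"O20: Winlogon shell for {m.group('hive')} replaced with {shell}"]


def _check_drv(m: "re.Match[str]") -> List[str]:
    # OTL prints the file's version-info company in parentheses; an empty field
    # means the driver carries no version resource, which vendor drivers almost
    # always do, so it deserves a closer look.
    if m.group("vendor").strip():
        return []
    return [f"DRV: {m.group('svc')} ({m.group('path')}) has no vendor information"]


HANDLERS = [(O4_RE, _check_o4), (O6_RE, _check_o6), (O20_RE, _check_o20), (DRV_RE, _check_drv)]


def triage(report: str) -> List[Finding]:
    """Return (line number, reason) for every flagged line in an OTL report."""
    findings: List[Finding] = []
    for lineno, line in enumerate(report.splitlines(), start=1):
        for regex, handler in HANDLERS:
            m = regex.match(line.rstrip())
            if m:
                findings.extend((lineno, reason) for reason in handler(m))
                break
    return findings


if __name__ == "__main__":
    for lineno, reason in triage(SAMPLE_OTL):
        print(f"line {lineno}: {reason}")
```

Run as-is it reports on the embedded sample; on a real report, read OTL.txt into a string and pass it to `triage()`. The flags are a starting point for a human review, not a verdict: an orphaned Run entry is harmless on its own but is worth removing, while a replaced Winlogon shell or UAC switched off by policy should be checked against what the owner actually configured.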

 



#3 kisk


Posted 30 September 2010 - 02:48 PM

Thanks for the time, myrti.

Again, can't get into normal mode so everything is being done in safe mode.

Here are the OTL logs

OTL logfile created on: 9/30/2010 2:32:26 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Users\Conrad\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 81.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.97 Gb Total Space | 191.28 Gb Free Space | 86.17% Space Free | Partition Type: NTFS
Drive D: | 10.92 Gb Total Space | 3.43 Gb Free Space | 31.45% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 7.50 Gb Total Space | 4.08 Gb Free Space | 54.43% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KELLIB1112
Current User Name: Conrad
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/30 14:30:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Conrad\Desktop\OTL.exe
PRC - [2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/09/30 14:30:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Conrad\Desktop\OTL.exe
MOD - [2008/01/20 21:24:37 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2008/01/20 21:23:44 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/10 23:15:04 | 000,012,800 | ---- | M] (Agere Systems) [Auto | Stopped] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2007/11/06 21:16:54 | 000,217,088 | ---- | M] (Hewlett-Packard Co.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)
SRV - [2007/11/06 21:16:54 | 000,139,264 | ---- | M] (Hewlett-Packard Co.) [Auto | Stopped] -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc)
SRV - [2007/08/29 16:58:47 | 000,181,800 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2007/07/12 18:36:12 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\SymIM.sys -- (SymIMMP)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\RimUsb.sys -- (RimUsb)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\igdkmd32.sys -- (igfx)
DRV - [2010/09/26 14:38:48 | 000,034,560 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Normandy.sys -- (Normandy)
DRV - [2010/03/04 13:50:14 | 000,261,152 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2009/08/12 06:13:32 | 000,160,272 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUMdm.sys -- (PTDUMdm)
DRV - [2009/08/12 06:13:32 | 000,113,680 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUWWAN.sys -- (PTDUWWAN)
DRV - [2009/08/12 06:13:32 | 000,054,416 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUBus.sys -- (PTDUBus)
DRV - [2009/08/12 06:13:28 | 000,160,272 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUVsp.sys -- (PTDUVsp)
DRV - [2009/08/12 06:13:28 | 000,011,920 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUWFLT.sys -- (PTDUWFLT)
DRV - [2009/06/10 05:52:58 | 000,347,648 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTL8187B.sys -- (RTL8187B)
DRV - [2009/05/25 16:43:58 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)
DRV - [2008/09/03 10:41:16 | 000,012,800 | ---- | M] (EldoS Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\elrawdsk.sys -- (ElRawDisk)
DRV - [2008/02/29 03:13:38 | 001,202,560 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2008/01/20 21:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 21:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 21:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 21:23:27 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDScan.sys -- (WSDScan)
DRV - [2008/01/20 21:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 21:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 21:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 21:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 21:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 21:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 21:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/20 21:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 21:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 21:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 21:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 21:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 21:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 21:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 21:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 21:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 21:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 21:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 21:23:21 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2008/01/20 21:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 21:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 21:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 21:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/09/27 19:33:26 | 000,056,832 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTSTOR.sys -- (RTSTOR)
DRV - [2007/09/06 21:26:04 | 000,330,240 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/07/12 18:35:02 | 000,305,176 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2007/05/23 19:37:40 | 000,011,776 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2007/04/26 04:38:40 | 000,186,680 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/11/02 04:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 04:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 04:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 04:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 04:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 04:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 04:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 04:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 04:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 04:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 03:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 03:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 03:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 03:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 03:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 03:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 02:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 02:30:56 | 002,589,184 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw2v32.sys -- (NETw2v32) Intel®
DRV - [2006/11/02 02:30:56 | 000,194,048 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\yk60x86.sys -- (yukonwlh)
DRV - [2005/05/26 11:01:18 | 000,021,344 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbbus.sys -- (usbbus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=M-6320


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch...TB&M=M-6320
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch...TB&M=M-6320
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2049713850-2973613794-1107490296-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2049713850-2973613794-1107490296-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.yahoo.com/
IE - HKU\S-1-5-21-2049713850-2973613794-1107490296-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 2
IE - HKU\S-1-5-21-2049713850-2973613794-1107490296-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.selectedengine: "Bing"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://pmh.bingstart.com/?cfg=2-207-0-1w0WQ"
FF - prefs.js..extensions.enabledItems: textlinks@gamevance.com:1.0.0
FF - prefs.js..extensions.enabledItems: searchtoolbar@zugo.com:1.2
FF - prefs.js..extensions.enabledItems: toolbar@ask.com:3.6.8.107
FF - prefs.js..keyword.URL: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=LMW2&o=16046&locale=en_US&q="


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/24 19:35:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/24 19:35:00 | 000,000,000 | ---D | M]

[2010/04/01 14:32:49 | 000,000,000 | ---D | M] -- C:\Users\Conrad\AppData\Roaming\Mozilla\Extensions
[2009/04/23 20:49:00 | 000,000,000 | ---D | M] -- C:\Users\Conrad\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2010/09/24 21:17:44 | 000,000,000 | ---D | M] -- C:\Users\Conrad\AppData\Roaming\Mozilla\Firefox\Profiles\lkfueb4z.default\extensions
[2010/07/09 00:54:09 | 000,000,000 | ---D | M] -- C:\Users\Conrad\AppData\Roaming\Mozilla\Firefox\Profiles\lkfueb4z.default\extensions\searchtoolbar@zugo.com
[2010/07/16 13:49:57 | 000,000,000 | ---D | M] -- C:\Users\Conrad\AppData\Roaming\Mozilla\Firefox\Profiles\lkfueb4z.default\extensions\toolbar@ask.com
[2010/07/16 13:50:21 | 000,002,425 | ---- | M] () -- C:\Users\Conrad\AppData\Roaming\Mozilla\Firefox\Profiles\lkfueb4z.default\searchplugins\askcom.xml
[2010/07/09 00:54:13 | 000,001,949 | ---- | M] () -- C:\Users\Conrad\AppData\Roaming\Mozilla\Firefox\Profiles\lkfueb4z.default\searchplugins\bing-zugo.xml
[2010/06/03 16:23:15 | 000,003,359 | ---- | M] () -- C:\Users\Conrad\AppData\Roaming\Mozilla\Firefox\Profiles\lkfueb4z.default\searchplugins\search-results.xml
[2010/04/01 14:31:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/09/26 14:47:00 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-2049713850-2973613794-1107490296-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-2049713850-2973613794-1107490296-1000\..\Toolbar\WebBrowser: (LimeWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Gateway\traybar.exe (Chicony)
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe File not found
O4 - HKLM..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe (Hewlett-Packard)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe File not found
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [MqqE0] C:\Windows\cmd .exe File not found
O4 - HKU\.DEFAULT..\Run: [MqqEg0] C:\Windows\cmd .exe File not found
O4 - HKU\.DEFAULT..\Run: [MqqEgc] C:\Windows\cmd .exe File not found
O4 - HKU\.DEFAULT..\Run: [MqqEgj] C:\Windows\cmd .exe File not found
O4 - HKU\.DEFAULT..\Run: [MqqEgK] C:\Windows\cmd .exe File not found
O4 - HKU\.DEFAULT..\Run: [MqqEj] C:\Windows\cmd .exe File not found
O4 - HKU\.DEFAULT..\Run: [Mqqoc] C:\Windows\debug.exe File not found
O4 - HKU\.DEFAULT..\Run: [Mqqsc] C:\Windows\drweb.exe File not found
O4 - HKU\.DEFAULT..\Run: [MqqZ] C:\Windows\cmd.exe File not found
O4 - HKU\.DEFAULT..\Run: [Mque] C:\Windows\user.exe File not found
O4 - HKU\.DEFAULT..\Run: [Mquuf] C:\Windows\spoolsv.exe File not found
O4 - HKU\.DEFAULT..\Run: [MquuK0] C:\Windows\spoolsv .exe File not found
O4 - HKU\.DEFAULT..\Run: [MquuKc] C:\Windows\spoolsv .exe File not found
O4 - HKU\.DEFAULT..\Run: [MquuKK] C:\Windows\spoolsv .exe File not found
O4 - HKU\.DEFAULT..\Run: [MquuN] C:\Windows\spoolsv .exe File not found
O4 - HKU\S-1-5-18..\Run: [MqqE0] C:\Windows\cmd .exe File not found
O4 - HKU\S-1-5-18..\Run: [MqqEg0] C:\Windows\cmd .exe File not found
O4 - HKU\S-1-5-18..\Run: [MqqEgc] C:\Windows\cmd .exe File not found
O4 - HKU\S-1-5-18..\Run: [MqqEgj] C:\Windows\cmd .exe File not found
O4 - HKU\S-1-5-18..\Run: [MqqEgK] C:\Windows\cmd .exe File not found
O4 - HKU\S-1-5-18..\Run: [MqqEj] C:\Windows\cmd .exe File not found
O4 - HKU\S-1-5-18..\Run: [Mqqoc] C:\Windows\debug.exe File not found
O4 - HKU\S-1-5-18..\Run: [Mqqsc] C:\Windows\drweb.exe File not found
O4 - HKU\S-1-5-18..\Run: [MqqZ] C:\Windows\cmd.exe File not found
O4 - HKU\S-1-5-18..\Run: [Mque] C:\Windows\user.exe File not found
O4 - HKU\S-1-5-18..\Run: [Mquuf] C:\Windows\spoolsv.exe File not found
O4 - HKU\S-1-5-18..\Run: [MquuK0] C:\Windows\spoolsv .exe File not found
O4 - HKU\S-1-5-18..\Run: [MquuKc] C:\Windows\spoolsv .exe File not found
O4 - HKU\S-1-5-18..\Run: [MquuKK] C:\Windows\spoolsv .exe File not found
O4 - HKU\S-1-5-18..\Run: [MquuN] C:\Windows\spoolsv .exe File not found
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil10b.exe (Adobe Systems, Inc.)
O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil10b.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Users\Conrad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2010/09/25 10:15:59 | 000,000,000 | -H-D | M]
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2049713850-2973613794-1107490296-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2049713850-2973613794-1107490296-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} https://www.taylorbeanonline.com/scriptx/smsx.cab (MeadCo ScriptX)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (\hotfix.exe) - File not found
O20 - HKU\S-1-5-18 Winlogon: Shell - (\hotfix.exe) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - File not found
O24 - Desktop WallPaper: C:\Users\Conrad\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Conrad\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010/01/15 18:29:42 | 000,000,112 | ---- | M] () - F:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


SafeBootMin: AppMgmt - C:\Windows\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.clmp3enc - C:\Program Files\CyberLink\Power2Go\CLMP3Enc.ACM (CyberLink Corp.)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\Windows\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.VP60 - C:\Windows\System32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\Windows\System32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP62 - C:\Windows\System32\vp6vfw.dll (On2.com)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/09/30 14:30:27 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\Conrad\Desktop\OTL.exe
[2010/09/30 08:13:24 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/09/27 17:23:49 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/09/26 20:03:51 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/09/26 20:03:51 | 000,000,000 | ---D | C] -- C:\Users\Conrad\AppData\Local\temp
[2010/09/26 19:55:01 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/09/26 19:54:39 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/09/26 19:54:37 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/09/26 19:34:12 | 000,000,000 | -HSD | C] -- C:\found.003
[2010/09/26 17:38:13 | 000,000,000 | ---D | C] -- C:\MGTools
[2010/09/26 17:17:02 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/09/26 15:40:14 | 000,000,000 | ---D | C] -- C:\Users\Conrad\AppData\Roaming\SUPERAntiSpyware.com
[2010/09/26 15:40:14 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/09/25 12:34:04 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010/09/25 12:34:03 | 000,000,000 | ---D | C] -- C:\rsit
[2010/09/25 11:18:17 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\Windows\avastSS.scr
[2010/09/25 00:13:23 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/09/24 23:47:20 | 000,037,600 | ---- | C] (Greatis Software) -- C:\Windows\System32\Partizan.exe
[2010/09/24 23:47:20 | 000,035,816 | ---- | C] (Greatis Software) -- C:\Windows\System32\drivers\Partizan.sys
[2010/09/24 23:47:09 | 000,000,000 | ---D | C] -- C:\Users\Conrad\Documents\RegRun2
[2010/09/24 23:47:08 | 000,012,808 | ---- | C] (Greatis Software, LLC.) -- C:\Windows\System32\drivers\UnHackMeDrv.sys
[2010/09/24 23:47:08 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\regruninfo
[2010/09/24 23:47:05 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2010/09/24 21:27:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Alwil Software
[2010/09/24 21:27:50 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/09/24 19:38:52 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/09/24 19:38:52 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/09/24 19:38:52 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/09/24 19:37:51 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/09/24 19:37:42 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/23 21:00:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Update
[2010/09/19 19:11:32 | 000,317,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MP4SDECD.DLL

========== Files - Modified Within 30 Days ==========

[2010/09/30 14:30:55 | 000,707,392 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/09/30 14:30:55 | 000,606,420 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/09/30 14:30:55 | 000,104,430 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/09/30 14:30:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Conrad\Desktop\OTL.exe
[2010/09/30 14:26:14 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/30 14:26:04 | 268,435,456 | -HS- | M] () -- C:\Windows\System32\temppf.sys
[2010/09/30 13:04:27 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/30 13:04:26 | 000,000,680 | ---- | M] () -- C:\Users\Conrad\AppData\Local\d3d9caps.dat
[2010/09/30 13:04:25 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/27 19:08:37 | 003,670,016 | -HS- | M] () -- C:\Users\Conrad\ntuser.dat
[2010/09/26 17:15:49 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/09/26 14:47:00 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/09/26 14:38:48 | 000,034,560 | ---- | M] () -- C:\Windows\System32\drivers\Normandy.sys
[2010/09/26 14:31:45 | 000,000,691 | ---- | M] () -- C:\Users\Conrad\AppData\Roaming\GetValue.vbs
[2010/09/26 14:31:45 | 000,000,035 | ---- | M] () -- C:\Users\Conrad\AppData\Roaming\SetValue.bat
[2010/09/26 12:56:43 | 003,854,198 | R--- | M] () -- C:\Users\Conrad\Desktop\ComboFix.exe
[2010/09/26 12:45:30 | 000,001,588 | ---- | M] () -- C:\Users\Conrad\Desktop\ybn.reg
[2010/09/25 15:46:49 | 000,000,829 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/25 11:50:42 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/09/25 10:17:06 | 000,083,090 | ---- | M] () -- C:\cc_20100925_101700.reg
[2010/09/24 23:56:01 | 000,000,116 | ---- | M] () -- C:\Windows\System32\Partizan.RRI
[2010/09/24 23:49:33 | 000,001,688 | ---- | M] () -- C:\Windows\System32\autoexec.nt
[2010/09/24 23:49:33 | 000,000,002 | RHS- | M] () -- C:\Windows\winstart.bat
[2010/09/24 23:47:20 | 000,037,600 | ---- | M] (Greatis Software) -- C:\Windows\System32\Partizan.exe
[2010/09/24 23:47:20 | 000,035,816 | ---- | M] (Greatis Software) -- C:\Windows\System32\drivers\Partizan.sys
[2010/09/24 23:47:09 | 000,000,406 | ---- | M] () -- C:\Windows\tasks\UnHackMe Task Scheduler.job
[2010/09/24 23:47:08 | 000,000,763 | ---- | M] () -- C:\Users\Conrad\Desktop\UnHackMe.lnk
[2010/09/24 22:36:24 | 000,524,288 | -HS- | M] () -- C:\Users\Conrad\ntuser.dat{a5ce47fe-9f35-11de-94d4-7a8020000200}.TMContainer00000000000000000001.regtrans-ms
[2010/09/24 22:36:24 | 000,065,536 | -HS- | M] () -- C:\Users\Conrad\ntuser.dat{a5ce47fe-9f35-11de-94d4-7a8020000200}.TM.blf
[2010/09/24 22:33:23 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/24 22:33:23 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/24 21:52:02 | 000,077,312 | ---- | M] () -- C:\gmer-mbr.exe
[2010/09/24 21:44:11 | 192,305,195 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/09/24 21:16:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/24 19:34:58 | 000,000,112 | ---- | M] () -- C:\ProgramData\UcUn58q.dat
[2010/09/24 19:30:07 | 000,397,456 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/09/24 18:00:00 | 000,000,446 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Registration3.job
[2010/09/24 18:00:00 | 000,000,444 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Registration.job
[2010/09/23 21:03:19 | 000,000,949 | ---- | M] () -- C:\Users\Conrad\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/09/17 20:26:42 | 000,000,954 | ---- | M] () -- C:\Users\Conrad\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/09/01 14:18:44 | 000,012,808 | ---- | M] (Greatis Software, LLC.) -- C:\Windows\System32\drivers\UnHackMeDrv.sys
[2010/09/01 14:00:31 | 000,000,382 | ---- | M] () -- C:\Windows\tasks\DriverCure.job

========== Files Created - No Company Name ==========

[2010/09/26 19:48:46 | 000,000,680 | ---- | C] () -- C:\Users\Conrad\AppData\Local\d3d9caps.dat
[2010/09/26 14:31:45 | 000,000,691 | ---- | C] () -- C:\Users\Conrad\AppData\Roaming\GetValue.vbs
[2010/09/26 14:31:45 | 000,000,035 | ---- | C] () -- C:\Users\Conrad\AppData\Roaming\SetValue.bat
[2010/09/26 12:45:30 | 000,001,588 | ---- | C] () -- C:\Users\Conrad\Desktop\ybn.reg
[2010/09/25 15:46:49 | 000,000,829 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/25 10:17:03 | 000,083,090 | ---- | C] () -- C:\cc_20100925_101700.reg
[2010/09/24 23:55:52 | 000,000,116 | ---- | C] () -- C:\Windows\System32\Partizan.RRI
[2010/09/24 23:47:28 | 000,000,002 | RHS- | C] () -- C:\Windows\winstart.bat
[2010/09/24 23:47:09 | 000,000,406 | ---- | C] () -- C:\Windows\tasks\UnHackMe Task Scheduler.job
[2010/09/24 23:47:08 | 000,000,763 | ---- | C] () -- C:\Users\Conrad\Desktop\UnHackMe.lnk
[2010/09/24 22:48:53 | 268,435,456 | -HS- | C] () -- C:\Windows\System32\temppf.sys
[2010/09/24 22:07:42 | 000,077,312 | ---- | C] () -- C:\gmer-mbr.exe
[2010/09/24 19:38:52 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/09/24 19:38:52 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/09/24 19:38:52 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/09/24 19:38:52 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/09/24 19:38:52 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/09/24 19:35:01 | 003,854,198 | R--- | C] () -- C:\Users\Conrad\Desktop\ComboFix.exe
[2010/09/24 18:52:37 | 000,034,560 | ---- | C] () -- C:\Windows\System32\drivers\Normandy.sys
[2010/09/23 21:11:10 | 000,000,112 | ---- | C] () -- C:\ProgramData\UcUn58q.dat
[2010/09/17 20:26:42 | 000,000,954 | ---- | C] () -- C:\Users\Conrad\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/02/09 14:59:01 | 000,000,000 | ---- | C] () -- C:\Windows\PNTINFO.INI
[2009/12/03 09:27:28 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009/10/06 09:49:18 | 000,020,480 | ---- | C] () -- C:\Windows\System32\eSPDLDLG.dll
[2009/10/06 09:49:17 | 000,118,784 | ---- | C] () -- C:\Windows\System32\eSPDLD.dll
[2009/10/06 09:49:17 | 000,040,960 | ---- | C] () -- C:\Windows\System32\gsscan.dll
[2009/10/06 09:47:43 | 000,012,710 | ---- | C] () -- C:\Windows\HUD1_9.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/04/07 16:16:47 | 000,303,104 | ---- | C] () -- C:\Windows\System32\eST3snm.dll
[2009/04/07 15:47:25 | 000,286,720 | ---- | C] () -- C:\Windows\System32\eSTsnmp.dll
[2009/04/07 15:44:40 | 000,147,456 | R--- | C] () -- C:\Windows\eSINLD.dll
[2009/04/07 15:44:39 | 000,024,576 | R--- | C] () -- C:\Windows\SPortLG.dll
[2009/04/07 15:44:39 | 000,020,480 | R--- | C] () -- C:\Windows\eSINLDLG.dll
[2009/04/07 15:44:38 | 000,286,720 | R--- | C] () -- C:\Windows\eSTsnmp.dll
[2009/04/07 15:44:09 | 000,009,269 | R--- | C] () -- C:\Windows\R2_9.ini
[2009/04/07 15:44:09 | 000,001,148 | R--- | C] () -- C:\Windows\V_eS282.ini
[2008/10/03 11:00:07 | 000,000,058 | ---- | C] () -- C:\Windows\mchguid.ini
[2008/10/01 22:47:27 | 000,000,432 | ---- | C] () -- C:\Windows\System32\iolo.ini
[2008/10/01 22:43:26 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dll
[2008/08/10 21:39:08 | 000,000,000 | ---- | C] () -- C:\Users\Conrad\AppData\Local\rx_image.Cache
[2008/07/25 09:41:57 | 000,006,466 | ---- | C] () -- C:\Users\Conrad\AppData\Roaming\PrimoPDFSet.xml
[2008/07/25 09:41:57 | 000,000,310 | ---- | C] () -- C:\Users\Conrad\AppData\Roaming\APUSet.xml
[2008/07/25 09:40:40 | 000,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2008/07/17 22:43:18 | 000,038,430 | ---- | C] () -- C:\Users\Conrad\AppData\Roaming\Comma Separated Values (DOS).ADR
[2008/07/07 09:49:55 | 000,001,386 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2008/07/02 13:09:22 | 000,028,672 | ---- | C] () -- C:\Users\Conrad\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/02 11:30:59 | 000,000,058 | ---- | C] () -- C:\ProgramData\mchguid.ini
[2008/07/02 11:29:52 | 000,002,157 | ---- | C] () -- C:\Windows\winpoint.ini
[2008/05/06 21:29:33 | 001,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
[2008/05/06 21:29:33 | 001,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
[2008/05/06 21:29:33 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2008/05/06 21:29:33 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2008/05/06 21:24:26 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008/04/28 11:13:33 | 000,000,310 | ---- | C] () -- C:\Windows\primopdf.ini
[2008/02/11 19:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2007/08/24 11:50:24 | 000,010,875 | ---- | C] () -- C:\Windows\ESOA.INI
[2007/08/24 11:50:24 | 000,000,053 | ---- | C] () -- C:\Windows\PRSRVDLL.INI
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2010/09/24 21:52:02 | 000,077,312 | ---- | M] () -- C:\gmer-mbr.exe


< MD5 for: AGP440.SYS >
[2008/01/20 21:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\ERDNT\cache\agp440.sys
[2008/01/20 21:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\agp440.sys
[2008/01/20 21:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/20 21:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/20 21:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 04:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/01/20 21:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\ERDNT\cache\atapi.sys
[2008/01/20 21:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\drivers\atapi.sys
[2008/01/20 21:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/20 21:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 04:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTOR.SYS >
[2007/07/12 18:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys
[2007/07/12 18:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\Windows\System32\drivers\iaStor.sys
[2007/07/12 18:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_cfa1dde4\iaStor.sys
[2007/07/12 18:35:44 | 000,381,976 | ---- | M] (Intel Corporation) MD5=CEB53BB804B41C52AB0782505C8E2994 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys

< MD5 for: IASTORV.SYS >
[2008/01/20 21:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008/01/20 21:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/20 21:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2008/01/20 21:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\ERDNT\cache\netlogon.dll
[2008/01/20 21:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\System32\netlogon.dll
[2008/01/20 21:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVRAID.SYS >
[2008/01/20 21:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) MD5=2EDF9E7751554B42CBB60116DE727101 -- C:\Windows\System32\drivers\nvraid.sys
[2008/01/20 21:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) MD5=2EDF9E7751554B42CBB60116DE727101 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvraid.sys
[2008/01/20 21:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) MD5=2EDF9E7751554B42CBB60116DE727101 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvraid.sys
[2006/11/02 04:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) MD5=E69E946F80C1C31C53003BFBF50CBB7C -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvraid.sys

< MD5 for: NVSTOR.SYS >
[2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/20 21:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/20 21:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/20 21:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/20 21:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\ERDNT\cache\scecli.dll
[2008/01/20 21:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\System32\scecli.dll
[2008/01/20 21:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 06:31:42 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll
[2009/03/08 06:31:37 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/01/20 22:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008/01/20 22:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008/01/20 22:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >
[2010/09/26 14:38:48 | 000,034,560 | ---- | M] () -- C:\Windows\System32\drivers\Normandy.sys
[2010/09/24 23:47:20 | 000,035,816 | ---- | M] (Greatis Software) -- C:\Windows\System32\drivers\Partizan.sys
[2010/09/01 14:18:44 | 000,012,808 | ---- | M] (Greatis Software, LLC.) -- C:\Windows\System32\drivers\UnHackMeDrv.sys

========== Files - Unicode (All) ==========
[2010/04/12 12:36:05 | 000,000,190 | ---- | M] ()(C:\w?X)r) -- C:\wX)r
[2010/04/12 12:36:05 | 000,000,190 | ---- | C] ()(C:\w?X)r) -- C:\wX)r
[2010/03/16 20:06:16 | 000,000,190 | ---- | M] ()(C:\0w.?v) -- C:\0w.v
[2010/03/16 20:06:16 | 000,000,190 | ---- | C] ()(C:\0w.?v) -- C:\0w.v
[2010/03/16 20:03:11 | 000,000,190 | ---- | M] ()(C:\0w?Őv) -- C:\0wŐv
[2010/03/16 20:03:11 | 000,000,190 | ---- | C] ()(C:\0w?Őv) -- C:\0wŐv
[2010/03/11 14:51:53 | 000,000,184 | ---- | M] ()(C:\?w) -- C:\w
[2010/03/11 14:51:53 | 000,000,184 | ---- | C] ()(C:\?w) -- C:\w
[2010/02/24 11:19:23 | 000,000,191 | ---- | M] ()(C:\ wA?s) -- C:\ wAˈs
[2010/02/24 11:19:23 | 000,000,191 | ---- | C] ()(C:\ wA?s) -- C:\ wAˈs
[2010/02/12 12:23:31 | 000,000,193 | ---- | M] ()(C:\?wv) -- C:\wv
[2010/02/12 12:23:31 | 000,000,193 | ---- | C] ()(C:\?wv) -- C:\wv
[2010/02/11 16:12:42 | 000,000,191 | ---- | M] ()(C:\?wntt) -- C:\wntt
[2010/02/11 16:12:42 | 000,000,191 | ---- | C] ()(C:\?wntt) -- C:\wntt
[2010/02/11 15:46:05 | 000,000,366 | ---- | M] ()(C:\?w) -- C:\w
[2010/02/11 15:35:16 | 000,000,366 | ---- | C] ()(C:\?w) -- C:\w
[2010/02/11 15:34:48 | 000,000,191 | ---- | M] ()(C:\?wҷs) -- C:\wҷs
[2010/02/11 15:34:48 | 000,000,191 | ---- | C] ()(C:\?wҷs) -- C:\wҷs

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:A2947BEA
< End of report >



----------------------------------------------------------------------------



OTL Extras logfile created on: 9/30/2010 2:32:26 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Users\Conrad\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 81.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.97 Gb Total Space | 191.28 Gb Free Space | 86.17% Space Free | Partition Type: NTFS
Drive D: | 10.92 Gb Total Space | 3.43 Gb Free Space | 31.45% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 7.50 Gb Total Space | 4.08 Gb Free Space | 54.43% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KELLIB1112
Current User Name: Conrad
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2049713850-2973613794-1107490296-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2229213A-D229-4D8F-B292-ED1C0570EA6E}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{2D2020FB-4E1F-48CF-891F-4481955CBDC1}" = lport=10243 | protocol=6 | dir=in | app=system |
"{36D8FCDF-54E1-4378-9C7E-1AC18E22D8CF}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=c:\windows\system32\spoolsv.exe |
"{5B544B6D-4622-4510-B87B-1E9B60FBE9E4}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{5C0AC66E-F722-4B07-AB44-DBC12330F840}" = lport=2869 | protocol=6 | dir=in | app=system |
"{6A94ECD5-58AF-433C-9965-EF9B9EE604E1}" = rport=138 | protocol=17 | dir=out | app=system |
"{76C231A3-01C4-4925-90F7-7013D90B12B0}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=file and printer sharing (spooler service - rpc-epmap) |
"{81F5DDB3-4913-4B6F-AE97-09A03A3DE9ED}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{85B07BF0-CC2A-402D-8F5C-65EBD444A6A7}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{8D19A1F9-0EC0-4CB6-8C39-0AEEAD04523A}" = lport=2869 | protocol=6 | dir=in | app=system |
"{98C3C5BA-7D93-406E-BF51-07DE6AC8F783}" = rport=139 | protocol=6 | dir=out | app=system |
"{9B6FD6E8-6578-4C5C-ACC8-D0EFE2DDE209}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{AE5F6DCF-98D3-4477-91BD-DFEFD3B60944}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{BEA15802-E5BC-4ED8-9252-6414187C583D}" = rport=137 | protocol=17 | dir=out | app=system |
"{C0CD645D-E03E-412B-BF3A-BEAC497FBEA2}" = lport=137 | protocol=17 | dir=in | app=system |
"{C866806A-0DD8-4257-9A1E-B6B8FF64E9C7}" = lport=139 | protocol=6 | dir=in | app=system |
"{D1F34778-B759-41E2-879E-4AE4723C9240}" = lport=138 | protocol=17 | dir=in | app=system |
"{DFC0F8E7-D3C6-4280-AF35-C984321063FE}" = rport=10243 | protocol=6 | dir=out | app=system |
"{E199B960-62D6-479A-ABB9-411FFDE717B2}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{E62474C5-27A8-4EA6-80E8-BEC16B67ACE6}" = rport=445 | protocol=6 | dir=out | app=system |
"{F1877B6C-8717-4543-8079-6AB503EB16B4}" = lport=445 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{244CBAAA-1588-4949-B4E1-253722319016}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{2C42E4BE-CABF-4F04-B55A-22CD62E99CEE}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{3BEE4CF7-0A71-4953-97D1-CF18CEC368DE}" = protocol=1 | dir=in | name=file and printer sharing (echo request - icmpv4-in) |
"{4C3EE231-6706-493E-BE5C-DBA0538A6EC5}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{580D23E9-62E3-48AF-906A-2027DA73BE4E}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{77F30333-04F0-4BC6-B4DF-764E63B4DBE9}" = protocol=58 | dir=in | name=file and printer sharing (echo request - icmpv6-in) |
"{7A09884F-7100-4129-B53A-1B36FCF76291}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{848FBB74-2EFB-486E-BA53-5E09A04BCB0A}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{8831BAE0-85F8-4F1A-8615-768F69FC8D9B}" = protocol=1 | dir=out | name=file and printer sharing (echo request - icmpv4-out) |
"{982AE621-E62A-4B8F-9842-EFCD34835701}" = protocol=6 | dir=in | app=c:\program files\frostwire\frostwire.exe |
"{98F142EE-E355-443F-A897-5AF92DC1DD63}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{9EC1D451-5748-43FE-A1DE-EBB8FB6B5F68}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{A53C27DF-1387-4998-B2C2-44580E867E45}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{A6B85FEB-992A-4F59-9677-914FD3D89BBE}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{B1090B99-E847-495D-9141-A3BD09FF45D2}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{B3051CC5-DEA0-4D80-999A-07731D20902C}" = protocol=6 | dir=out | app=system |
"{CFEEB568-E0E6-4F90-848C-D21099A04C03}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{D9370FC8-B41B-4E45-9A68-6C67CD2BA5F7}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{D9DEE4FD-F145-4BE2-8D96-627972EADB9D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{E1EBA3F7-3169-4581-8336-92CE5CF73E50}" = protocol=17 | dir=in | app=c:\program files\frostwire\frostwire.exe |
"{EAB14B7B-774C-48D4-805A-F28307D8486D}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F12DBFB3-E2A5-4C99-8E8B-8CA24E2607AD}" = protocol=58 | dir=out | name=file and printer sharing (echo request - icmpv6-out) |
"TCP Query User{104DA1EA-92AF-466F-8407-12D97B235A71}E:\client\setup.exe" = protocol=6 | dir=in | app=e:\client\setup.exe |
"TCP Query User{1D8B532C-8FA4-48CA-B233-BC8DF7EB1299}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{6F48B80C-9D35-4C2C-87A8-E24DDCE58626}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{7909089B-526E-445F-B643-BFE0B57F524D}E:\client\setup.exe" = protocol=17 | dir=in | app=e:\client\setup.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07D8511D-C9FE-4A93-933F-EAA5C8F20095}" = IDT Audio
"{0A5825FD-0FB7-4e45-9037-858D463F2943}" = BPDSoftware
"{0E9404D1-EE63-46C7-8B99-2389614F081B}" = TOSHIBA e-STUDIO282 Series Client
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{11B83AD3-7A46-4C2E-A568-9505981D4C6F}" = HP Update
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
"{195F2C6C-A343-4b10-B1A4-3F00AB9E9DD9}" = Fax
"{1E0D8F69-A6AB-4934-9B2D-159D9F97BA4A}" = ParetoLogic DriverCure
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6CA293-60B5-422E-80A6-C765B7BFA6D5}" = Google Apps Sync™ for Microsoft Outlook 1.9.449.1159
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2951A232-69BA-4925-BB9A-CEEB72B18B4F}" = BPDSoftware_Ini
"{2CD2C0DB-81C3-416B-9FA6-589B9235359B}" = OpenOffice.org 2.4
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{36FDBE6E-6684-462b-AE98-9A39A1B200CC}" = HPProductAssistant
"{39098402-3F7A-4257-A4AE-FC1181D1B40B}" = Camera Assistant Software for Gateway
"{398E8625-6F3A-4C54-B54C-28F0ABB89774}" = BPD_HPSU
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 5.0
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4E31CC05-1C65-4B9B-B902-45B23A280D38}" = TOSHIBA e-STUDIO350-450 Series Client
"{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC
"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
"{572F2A62-70CD-4429-8758-6D4D6DC696E1}" = 4500_Help
"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
"{5BB4D7C1-52F2-4BFD-9E40-0D419E2E3021}" = bpd_scan
"{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}" = Microsoft Money Shared Libraries
"{5F283360-B979-46F2-A359-365FE8492E75}" = Point 6.1a
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6697D99E-E550-4498-B793-4A8DD8A1821F}" = ProductContext
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{679EC478-3FF9-4987-B2FF-C2C2B27532A2}" = DocProc
"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7F3BCF8A-8E02-4659-AF25-F9AB66BD6718}" = Gateway Recovery Center Installer
"{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
"{8E9DB7EF-5DD3-499E-BA2A-A1F3153A4DF8}" = Adobe Flash Player 9 ActiveX
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_SMALLBUSINESSR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_SMALLBUSINESSR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120000-00CA-0000-0000-0000000FF1CE}" = Microsoft Office Small Business 2007
"{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A5AB9D5E-52E2-440e-A3ED-9512E253C81A}" = SolutionCenter
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{C13AF9C7-8E06-4354-B629-DF6192CE4A66}" = PANTECH UM175 Driver
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{CD0773D5-C18E-495c-B39B-21A96415EDD5}" = HP Officejet J4500 Series
"{CDC85536-A0EF-4401-82A6-25D8EFC7EFAC}" = VZAccess Manager
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D142FE39-3386-4d82-9AD3-36D4A92AC3C2}" = DocMgr
"{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DD68AE74-98BA-4ABE-B11E-30F39206ECE8}" = Point 7.2
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{EE5EEDAF-F932-462B-A2CB-EEBDF819D5F5}" = Gateway Connect
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}" = Microsoft WSE 2.0 SP3 Runtime
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FDEC11CC-4BD6-4a8c-A398-3CCD8E43EACA}" = J4500
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"HDMI" = Intel® Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"HP Document Manager" = HP Document Manager 1.0
"HP Imaging Device Functions" = HP Imaging Device Functions 10.0
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"HP Smart Web Printing" = HP Smart Web Printing
"HP Solution Center & Imaging Support Tools" = HP Solution Center 10.0
"HPExtendedCapabilities" = HP Customer Participation Program 10.0
"HPOCR" = OCR Software by I.R.I.S. 10.0
"iCopyExpert_is1" = iCopyExpert 3.1.2
"LimeWire" = LimeWire 5.5.10
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MeridianLink Site Security Certificate" = MeridianLink Site Security Certificate
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Money2007b" = Microsoft Money Essentials
"Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
"PrimoPDF4.0.2.5" = PrimoPDF
"Quicken WillMaker Plus 2008" = Quicken WillMaker Plus 2008
"Shop for HP Supplies" = Shop for HP Supplies
"SMALLBUSINESSR" = Microsoft Office Small Business 2007
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"The Weather Channel Desktop 6" = The Weather Channel Desktop 6
"WildTangent gateway Master Uninstall" = Gateway Games
"WinLiveSuite_Wave3" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2049713850-2973613794-1107490296-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"2c777a09c05bdfb6" = Point
"GoToMeeting" = GoToMeeting 4.5.0.457

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


#4 myrti

  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 01 October 2010 - 04:15 AM

Hi,

Is the blue screen still referencing the Avast file? Or has that changed?
What did SUPERAntiSpyware detect in the Malwarebytes executable?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    CODE
    :otl

    O4 - HKU\.DEFAULT..\Run: [MqqE0] C:\Windows\cmd .exe File not found
    O4 - HKU\.DEFAULT..\Run: [MqqEg0] C:\Windows\cmd .exe File not found
    O4 - HKU\.DEFAULT..\Run: [MqqEgc] C:\Windows\cmd .exe File not found
    O4 - HKU\.DEFAULT..\Run: [MqqEgj] C:\Windows\cmd .exe File not found
    O4 - HKU\.DEFAULT..\Run: [MqqEgK] C:\Windows\cmd .exe File not found
    O4 - HKU\.DEFAULT..\Run: [MqqEj] C:\Windows\cmd .exe File not found
    O4 - HKU\.DEFAULT..\Run: [Mqqoc] C:\Windows\debug.exe File not found
    O4 - HKU\.DEFAULT..\Run: [Mqqsc] C:\Windows\drweb.exe File not found
    O4 - HKU\.DEFAULT..\Run: [MqqZ] C:\Windows\cmd.exe File not found
    O4 - HKU\.DEFAULT..\Run: [Mque] C:\Windows\user.exe File not found
    O4 - HKU\.DEFAULT..\Run: [Mquuf] C:\Windows\spoolsv.exe File not found
    O4 - HKU\.DEFAULT..\Run: [MquuK0] C:\Windows\spoolsv .exe File not found
    O4 - HKU\.DEFAULT..\Run: [MquuKc] C:\Windows\spoolsv .exe File not found
    O4 - HKU\.DEFAULT..\Run: [MquuKK] C:\Windows\spoolsv .exe File not found
    O4 - HKU\.DEFAULT..\Run: [MquuN] C:\Windows\spoolsv .exe File not found
    O4 - HKU\S-1-5-18..\Run: [MqqE0] C:\Windows\cmd .exe File not found
    O4 - HKU\S-1-5-18..\Run: [MqqEg0] C:\Windows\cmd .exe File not found
    O4 - HKU\S-1-5-18..\Run: [MqqEgc] C:\Windows\cmd .exe File not found
    O4 - HKU\S-1-5-18..\Run: [MqqEgj] C:\Windows\cmd .exe File not found
    O4 - HKU\S-1-5-18..\Run: [MqqEgK] C:\Windows\cmd .exe File not found
    O4 - HKU\S-1-5-18..\Run: [MqqEj] C:\Windows\cmd .exe File not found
    O4 - HKU\S-1-5-18..\Run: [Mqqoc] C:\Windows\debug.exe File not found
    O4 - HKU\S-1-5-18..\Run: [Mqqsc] C:\Windows\drweb.exe File not found
    O4 - HKU\S-1-5-18..\Run: [MqqZ] C:\Windows\cmd.exe File not found
    O4 - HKU\S-1-5-18..\Run: [Mque] C:\Windows\user.exe File not found
    O4 - HKU\S-1-5-18..\Run: [Mquuf] C:\Windows\spoolsv.exe File not found
    O4 - HKU\S-1-5-18..\Run: [MquuK0] C:\Windows\spoolsv .exe File not found
    O4 - HKU\S-1-5-18..\Run: [MquuKc] C:\Windows\spoolsv .exe File not found
    O4 - HKU\S-1-5-18..\Run: [MquuKK] C:\Windows\spoolsv .exe File not found
    O4 - HKU\S-1-5-18..\Run: [MquuN] C:\Windows\spoolsv .exe File not found
    O20 - HKU\.DEFAULT Winlogon: Shell - (\hotfix.exe) - File not found
    O20 - HKU\S-1-5-18 Winlogon: Shell - (\hotfix.exe) - File not found
    [2010/09/23 21:00:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Update
    :files
    C:\Windows\tasks\at*.job
  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
    If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open one Notepad window, OTL.Txt. This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
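As an added example (not part of myrti's post and not OTL's own code), here is a small Python triage of OTL O4/O20 report lines that flags the patterns visible in the fix script above: a space before `.exe`, system-binary names placed directly under C:\Windows instead of System32, Run values under the .DEFAULT/SYSTEM profile hive, and a Winlogon Shell other than explorer.exe. The sample lines are constructed from the script above plus two benign HKLM entries; the heuristics and thresholds are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: O4/O20 lines modelled on the fix script above, plus two
# benign HKLM entries (also constructed) so the triage has something to pass.
SAMPLE_OTL_LINES = r"""
O4 - HKU\.DEFAULT..\Run: [MqqE0] C:\Windows\cmd .exe File not found
O4 - HKU\S-1-5-18..\Run: [Mquuf] C:\Windows\spoolsv.exe File not found
O4 - HKU\S-1-5-18..\Run: [Mqqoc] C:\Windows\debug.exe File not found
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics Incorporated)
O20 - HKU\.DEFAULT Winlogon: Shell - (\hotfix.exe) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
""".strip().splitlines()

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
O20_RE = re.compile(r"^O20 - (?P<hive>\S+) Winlogon: (?P<value>\w+) - \((?P<shell>[^)]*)\) - (?P<rest>.*)$")

# These binaries belong in System32; a same-named file directly under C:\Windows is suspect.
SYSTEM32_NAMES = {"cmd.exe", "spoolsv.exe", "debug.exe"}
# HKU\.DEFAULT / HKU\S-1-5-18 are the default and SYSTEM profile hives; legitimate software rarely writes Run values there.
SYSTEM_PROFILE_HIVES = ("HKU\\.DEFAULT", "HKU\\S-1-5-18")

@dataclass
class Finding:
    line: str
    reasons: list

def _split_target(rest):
    # Tail of an O4 line is either "<path> File not found" or "<path> (Publisher)".
    if rest.endswith("File not found"):
        return rest[: -len("File not found")].strip(), True
    return re.sub(r"\s*\([^)]*\)\s*$", "", rest).strip(), False

def check_run_entry(hive, rest):
    # Reasons an O4 Run value looks like leftover malware persistence.
    reasons = []
    path, missing = _split_target(rest)
    if missing:
        reasons.append("target file missing (orphaned autostart)")
    if re.search(r"\s\.exe$", path, re.I):
        reasons.append("space before .exe (name mimics a system binary)")
    parent, _, base = path.rpartition("\\")
    base = re.sub(r"\s+\.exe$", ".exe", base, flags=re.I).lower()
    if base in SYSTEM32_NAMES and not parent.lower().endswith(("\\system32", "\\syswow64")):
        reasons.append(f"{base} outside System32")
    if hive.upper().startswith(SYSTEM_PROFILE_HIVES):
        reasons.append("Run value in the .DEFAULT/SYSTEM profile hive")
    return reasons

def check_winlogon(value, shell, rest):
    # The only Shell Windows ships is explorer.exe; anything else, or a missing file, is a hijack sign.
    reasons = []
    if value.lower() == "shell" and shell.strip("\\").lower() != "explorer.exe":
        reasons.append(f"Winlogon Shell is {shell!r}, not explorer.exe")
    if rest.endswith("File not found"):
        reasons.append("Winlogon target missing")
    return reasons

def triage(lines):
    # Apply both checks to every O4/O20 line; other OTL line types are ignored.
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            reasons = check_run_entry(m["hive"], m["rest"])
        else:
            m = O20_RE.match(line)
            reasons = check_winlogon(m["value"], m["shell"], m["rest"]) if m else []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_OTL_LINES):
        print(f.line, "->", "; ".join(f.reasons))
```

Run it over a saved OTL.Txt with `triage(open("OTL.Txt").read().splitlines())`; every O4/O20 line that comes back flagged is a candidate for the `:otl` section of a fix script like the one above.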


#5 kisk

  • Topic Starter

  • Members
  • 339 posts
  • Gender:Male
  • Location:Huntsville, AL

Posted 03 October 2010 - 11:40 AM

Topic can be closed.

Thanks for the help, but it was taking too long for a client, so I decided just to nuke and pave.

Thanks again for your time :)

#6 myrti

  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 04 October 2010 - 07:54 AM

Since this topic appears to be resolved, I will now close it. Thanks for letting us know.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti





