dealparty.com Infection


  • This topic is locked
41 replies to this topic

#1 JohnnyWadd

JohnnyWadd

  • Members
  • 24 posts

Posted 29 September 2010 - 07:32 PM

Been using BC for years to fix problems with my computers... it seems now that I've finally met my match and must ask for help. I'm not finding much information on my current problem. Hope you guys can help. Let me start by saying that I'm an intermediate to advanced user... I know a fair amount about computers, so you need not use baby talk with me. Talk as you would to a peer... if I have questions, I'll ask.

Also, can you please tell me the problems that you see as you see them? It may keep me from having to ask next time.

In the past few days, I've been having problems with my browser redirecting to advertising websites when I click on links within a Google search. I haven't noticed this happen in any other forum... just Google search. That doesn't mean that it's not happening, though... obviously. I just may not have noticed. Occasionally, the link won't lead to my desired destination, instead sending me to an advertising website along the likes of www.dealparty.com, among others. I really hope I don't have a rootkit problem, but I guess we'll have to see.

I'm sure you'll be able to tell all of this from the scans, but I have Windows 7 and my preferred browser is Firefox.

The first thing I did was to run DDS. This went off without a hitch. The log of the results is as follows:

DDS (Ver_10-03-17.01) - NTFSX64
Run by JohnnyWadd at 18:59:37.41 on Wed 09/29/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4026.2256 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\FlashMute\flashmute.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe
C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kAD.exe
C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Vuze\Azureus.exe
C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe
C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Users\JohnnyWadd\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://bing.zugo.com/?cfg=2-80-0-tLeS
mLocal Page = c:\windows\syswow64\blank.htm
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files (x86)\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~2\micros~1\office12\GR469A~1.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - No File
TB: {0C8413C1-FAD1-446C-8584-BE50576F863E} - No File
uRun: [FlashMute] c:\program files (x86)\flashmute\FlashMute.exe
uRun: [Google Update] "c:\users\johnnywadd\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files (x86)\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ISUSScheduler] "c:\program files (x86)\common files\installshield\updateservice\issch.exe" -start
uRun: [Vhifefedahe] rundll32.exe "c:\users\johnnywadd\appdata\local\KBDP1081.dll",Startup
uRun: [Qgugufica] rundll32.exe "c:\users\johnnywadd\appdata\local\unanunan.dll",Startup
mRun: [LManager] c:\program files (x86)\launch manager\LManager.exe
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~2\avg\avg9\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
mRun: [GrooveMonitor] "c:\program files (x86)\microsoft office\office12\GrooveMonitor.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~2\micros~1\office12\GRA32A~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files (x86)\avg\avg9\avgpp.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~2\micros~1\office12\GR469A~1.DLL
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files (x86)\avg\avg9\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
mRun-x64: [IAAnotif] c:\program files (x86)\intel\intel matrix storage manager\iaanotif.exe
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe -s
mRun-x64: [PLFSetI] c:\windows\PLFSetI.exe
mRun-x64: [ODDPwr] "c:\program files\acer\optical drive power management\ODDPwr.exe"
mRun-x64: [Acer ePower Management] c:\program files\acer\acer powersmart manager\ePowerTrayLauncher.exe
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun-x64: [Persistence] c:\windows\system32\igfxpers.exe
AppInit_DLLs-X64: avgrssta.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\johnny~1\appdata\roaming\mozilla\firefox\profiles\6xtrucvk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files (x86)\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files (x86)\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files (x86)\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files (x86)\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files (x86)\veetle\player\npvlc.dll
FF - plugin: c:\program files (x86)\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files (x86)\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\users\johnnywadd\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PxHlpa64;PxHlpa64;c:\windows\system32\drivers\PxHlpa64.sys [2010-8-16 53488]
R1 AvgLdx64;AVG Free AVI Loader Driver x64;c:\windows\system32\drivers\avgldx64.sys [2010-1-16 269904]
R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;c:\windows\system32\drivers\avgmfx64.sys [2010-1-16 35536]
R1 AvgTdiA;AVG Free Network Redirector x64;c:\windows\system32\drivers\avgtdia.sys [2010-1-16 317520]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
R2 avg9wd;AVG Free WatchDog;c:\program files (x86)\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 ePowerSvc;Acer ePower Service;c:\program files\acer\acer powersmart manager\ePowerSvc.exe [2010-1-16 786976]
R2 MotoConnect Service;MotoConnect Service;c:\program files (x86)\motorola\motoconnectservice\MotoConnectService.exe [2010-5-19 91456]
R2 ODDPwrSvc;Acer ODD Power Service;c:\program files\acer\optical drive power management\ODDPWRSvc.exe [2010-1-16 158240]
R2 QDLService2kAD;Qualcomm Gobi 2000 Download Service (AD);c:\program files (x86)\qualcomm\qdlservice2k\QDLService2kAD.exe [2009-10-1 330488]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files (x86)\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files (x86)\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2010-1-19 448512]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files (x86)\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files (x86)\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\common files\macrovision shared\flexnet publisher\FNPLicensingService64.exe [2010-1-16 1038088]
S3 HTCAND64;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 32768]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x64.sys [2009-11-13 67072]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-6-19 20992]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 9216]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-10-27 30208]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\drivers\NETw5s64.sys [2009-9-15 6952960]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\NETw5v64.sys [2010-1-14 5435904]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files (x86)\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-1-16 216064]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-20 1255736]

=============== Created Last 30 ================

2010-09-29 23:49:53 20 ----a-w- c:\users\johnnywadd\defogger_reenable
2010-09-29 21:17:20 676224 ----a-w- c:\windows\system32\OGACheckControl.dll
2010-09-29 21:04:23 0 d-----w- c:\program files\Microsoft Office
2010-09-29 21:04:10 0 d-----w- c:\program files (x86)\Microsoft Visual Studio 8
2010-09-29 14:19:26 0 d-----w- c:\program files\Microsoft SDKs
2010-09-29 14:19:04 0 d-----w- c:\program files\Business Objects
2010-09-29 14:16:23 0 d-----w- c:\windows\syswow64\js
2010-09-29 14:16:23 0 d-----w- c:\windows\syswow64\images
2010-09-29 14:16:23 0 d-----w- c:\windows\syswow64\html
2010-09-29 14:16:23 0 d-----w- c:\windows\syswow64\css
2010-09-29 14:16:23 0 d-----w- c:\program files (x86)\Business Objects
2010-09-29 14:12:27 0 d-----w- c:\program files\Microsoft SQL Server
2010-09-29 14:12:21 0 d-----w- c:\program files (x86)\Microsoft SQL Server
2010-09-29 14:12:09 0 d-----w- c:\program files\Microsoft Device Emulator
2010-09-29 14:12:09 0 d-----w- c:\program files (x86)\Microsoft Device Emulator
2010-09-29 14:11:29 0 d-----w- c:\program files (x86)\Windows Mobile 5.0 SDK R2
2010-09-29 14:10:56 0 d-----w- c:\program files (x86)\Microsoft Synchronization Services
2010-09-29 14:10:55 0 d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2010-09-29 14:02:14 0 d-----w- c:\programdata\PreEmptive Solutions
2010-09-29 13:54:51 0 d-----w- c:\windows\syswow64\1033
2010-09-29 13:52:17 0 d-----w- c:\program files (x86)\HTML Help Workshop
2010-09-29 13:52:17 0 d-----w- c:\program files (x86)\common files\Merge Modules
2010-09-29 13:52:17 0 d-----w- c:\program files (x86)\CE Remote Tools
2010-09-29 13:49:23 0 d-----w- c:\program files (x86)\Microsoft Web Designer Tools
2010-09-29 13:47:13 0 d-----w- c:\programdata\Microsoft Help
2010-09-29 13:46:59 0 d-----w- c:\windows\system32\1033
2010-09-29 13:46:58 0 d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-09-15 17:38:35 0 d-----w- c:\program files (x86)\DVDFab 8
2010-09-12 18:11:52 0 d-----w- c:\program files (x86)\Veetle

==================== Find3M ====================

2010-09-15 17:41:34 99384 ----a-w- c:\users\johnny~1\appdata\roaming\inst.exe
2010-09-15 17:41:34 82816 ----a-w- c:\users\johnny~1\appdata\roaming\pcouffin.sys
2010-08-28 19:15:08 1786 ----a-w- c:\windows\syswow64\KGyGaAvL.sys
2010-07-15 15:18:01 13048 ----a-w- c:\windows\system32\avgrssta.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-02-20 01:47:39 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-22 00:03:58 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-06-20 21:20:26 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 19:00:51.10 ===============

The next thing I did was to run gmer.exe. When I started the program, I was immediately shown the following warning:

"C:\Windows\system32\config\system: The system cannot find the file specified."

I clicked OK. When gmer.exe starts, a majority of the options from the right side cannot be checked... the program has the options unchecked by default and I am unable to change them. I don't know if this is because of my computer (i.e. my operating system) or because of the error message I received. The only options that I was able to check were:

Services
Registry
Files
Files > C:\
Files > ADS

All others could not be checked. I left these five options checked and tried to run the scan anyway. Before it scanned, I received another error message. It was as follows:

"C:\Windows\system32\config\system: The process cannot access the file because it is being used by another process."

I clicked OK and the scan continued. I didn't like the results, though. The program shot back with the following message:

"GMER hasn't found any system modification."

I'm thinking that it did so because of the previous error messages.

I'm going to try to run the scan again in safe mode. If it comes up with any different results, I'll post them.

One final thing before I go... I'm not able to attach the extra text file from the DDS scan. I think this is a problem on my end. My school has a content filter/blocker and I'm unable to access the BC website. So, I'm running through a proxy. I'm going to post the contents of that attachment in a subsequent post. Hope this is all right. If not, let me know and I'll try to attach it later when I get to another location.

I thank you in advance for all the help you can give.
Jon

Here are the contents of the text file resulting from the DDS scan. I was unable to attach the file to my original thread, so I'm posting the contents of Attach.txt here:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 1/16/2010 12:48:36 PM
System Uptime: 9/29/2010 6:52:04 PM (1 hours ago)

Motherboard: Acer | | Aspire 4810T
Processor: Intel® Core™2 Solo CPU U3500 @ 1.40GHz | CPU | 1400/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 286 GiB total, 17.456 GiB free.
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Atheros AR8131 PCI-E Gigabit Ethernet Controller
Device ID: PCI\VEN_1969&DEV_1063&SUBSYS_022B1025&REV_C0\4&1B513B8&0&00E0
Manufacturer: Atheros
Name: Atheros AR8131 PCI-E Gigabit Ethernet Controller
PNP Device ID: PCI\VEN_1969&DEV_1063&SUBSYS_022B1025&REV_C0\4&1B513B8&0&00E0
Service: L1C

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Intel® WiFi Link 5100 AGN
Device ID: PCI\VEN_8086&DEV_4232&SUBSYS_12018086&REV_00\4&114C7418&0&00E1
Manufacturer: Intel Corporation
Name: Intel® WiFi Link 5100 AGN
PNP Device ID: PCI\VEN_8086&DEV_4232&SUBSYS_12018086&REV_00\4&114C7418&0&00E1
Service: NETw5s64

==== System Restore Points ===================

RP91: 9/29/2010 1:37:38 PM - Configured Microsoft Visual Studio Web Authoring Component
RP92: 9/29/2010 3:47:59 PM - Removed Microsoft Office XP Professional with FrontPage
RP93: 9/29/2010 3:51:34 PM - Removed Microsoft Office Live Add-in 1.5
RP94: 9/29/2010 4:00:52 PM - Installed Microsoft Office Enterprise 2007

==== Installed Programs ======================

AC3Filter 1.63b
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
AIM 7
Avanquest update
AVG Free 9.0
AviSynth 2.5
Citrus Alarm Clock 1.0.5
Crystal Reports Basic for Visual Studio 2008
dBpoweramp AIFF Codec
dBpoweramp CLI Encoder
dBpoweramp Dalet Codec
dBpoweramp DirectShow Decoder
dBpoweramp FLAC Codec
dBpoweramp m4a Codec
dBpoweramp Midi Decoder
dBpoweramp Monkeys Audio Codec
dBPowerAMP Mp2 and BwfMp2 codec
dBpoweramp mp3 (Fraunhofer IIS) Codec
dBpoweramp Musepack Codec
dBpoweramp Music Converter
dBpoweramp Ogg Vorbis Codec
dBpoweramp OptimFROG Codec
dBPowerAMP Real Audio (Helix) Encoder
dBpoweramp Shorten Codec
dBpoweramp Speex Codec
dBPoweramp tooLame MP2 codec
dBpoweramp Wave64 Codec
dBpoweramp WavPack Codec
dBpoweramp Windows Media Audio 10 Codec
DirectXInstallService
dMC Power Pack
Download Updater (AOL LLC)
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab 8.0.0.5 (25/08/2010)
EMC 10 Content
FlashMute
FLV Player 2.0 (build 25)
Google Chrome
Google Earth
Malwarebytes' Anti-Malware
Microsoft .NET Compact Framework 2.0 SP2
Microsoft .NET Compact Framework 3.5
Microsoft .NET Framework 1.1
Microsoft Choice Guard
Microsoft Document Explorer 2008
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 ENU
Microsoft SQL Server Compact 3.5 for Devices ENU
Microsoft SQL Server Database Publishing Wizard 1.2
Microsoft SQL Server Setup Support Files (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2008 Professional Edition - ENU
Microsoft Visual Studio Web Authoring Component
Motorola Driver Installation
Motorola Phone Tools
Mozilla Firefox (3.6.3)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Opera 10.53
PE Builder 3.1.10a
pzizz
Real Alternative 2.0.2
RockNES X v2.0 & Games 1.0
Roxio Activation Module
Roxio BackOnTrack
Roxio Central Audio
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio CinePlayer
Roxio CinePlayer Decoder Pack
Roxio Disc Gallery
Roxio Easy Media Creator 10 Suite
Roxio File Backup
Roxio MediaShare
Roxio Update Manager
SeaTools for Windows
SopCast 3.0.3
StreamTorrent 1.0
VC Runtimes MSI
Veetle TV 0.9.17
Viewpoint Media Player
Visual C++ 8.0 Runtime Setup Package (x64)
Visual Studio 2005 Tools for Office Second Edition Runtime
Visual Studio Tools for the Office system 3.0 Runtime
Vuze
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Upload Tool
Windows Mobile 5.0 SDK R2 for Pocket PC
Windows Mobile 5.0 SDK R2 for Smartphone
WinRAR archiver
Xvid 1.2.2 final uninstall
Yahoo! Messenger
Yahoo! Software Update

==== Event Viewer Messages From Past Week ========

9/29/2010 6:53:47 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: RxFilter
9/29/2010 6:53:11 PM, Error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
9/29/2010 2:24:30 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
9/28/2010 9:54:21 PM, Error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.2 with the system having network hardware address 00-12-43-18-19-80. Network operations on this system may be disrupted as a result.
9/28/2010 3:12:02 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer MDSPHARMA-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{C143B493-235D-47DB-8FDD-50001CCB5303}. The master browser is stopping or an election is being forced.
9/28/2010 3:05:37 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer P-DABOOO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{C143B493-235D-47DB-8FDD-50001CCB5303}. The master browser is stopping or an election is being forced.
9/23/2010 7:25:07 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer MDSPHARMA-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{06065DFB-94F7-481D-A748-32971C10B3CA}. The master browser is stopping or an election is being forced.

==== End Of File ===========================

Just tried to run GMER in safe mode...

...same story.

Thanks again for any help that you can provide.

Merged 3 posts. ~ OB

Edited by Orange Blossom, 29 September 2010 - 09:14 PM.


#2 Elise (Bleepin' Blonde)
  • Malware Study Hall Admin
  • 60,829 posts
  • Gender:Female
  • Location:Romania

Posted 04 October 2010 - 05:52 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft
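What a helper does first with the OTL output requested above is read the O4 (Run / RunOnce autostart) lines. As an added illustration, not part of this thread, of OTL or of the forum's procedure, here is a small Python triage over O4 lines in the exact shape OTL prints them; the sample lines are copied from the OTL log posted later in this thread. The flag names, the list of user-writable directories and the "random value name" rule are assumptions of this example, not a classification OTL itself performs.

```python
"""Triage of the O4 (Run / RunOnce autostart) lines in an OTL log.

Added example for this thread; it is not part of OTL, of this forum's
procedures or of the original posts. The flag names, the "random value
name" rule and the list of user-writable directories are this example's
own assumptions, not a classification OTL performs.
"""
import re
from dataclasses import dataclass, field

# O4 lines copied from the OTL log posted later in this thread.
SAMPLE_O4_LINES = r"""
O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [PLFSetI] C:\Windows\PLFSetI.exe ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files (x86)\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [JCFSE7V7Z1] C:\Users\JOHNNY~1\AppData\Local\Temp\Cxy.exe File not found
O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [Qgugufica] C:\Users\JohnnyWadd\AppData\Local\unanunan.DLL ( )
O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [SMH2B46TDP] C:\Users\JOHNNY~1\AppData\Local\Temp\Cxz.exe File not found
O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [Vhifefedahe] C:\Users\JohnnyWadd\AppData\Local\KBDP1081.DLL File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
""".strip().splitlines()

# OTL line shape:
#   O4[:64bit:] - <hive>..\Run[Once]: [<value name>] <target> (<publisher>)
#   O4[:64bit:] - <hive>..\Run[Once]: [<value name>] <target> File not found
O4_RE = re.compile(
    r"^O4(?P<native64>:64bit:)? - (?P<hive>.+?)\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<rest>.*)$"
)
TARGET_RE = re.compile(r"^(?P<path>.*?)\s*\((?P<publisher>[^()]*)\)$")
MISSING = "File not found"

# Assumptions of this example: directories any user can write to, and a
# value-name shape (8+ upper-case alphanumerics with at least one digit).
USER_WRITABLE_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\users\\public\\")
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[A-Z0-9]{8,}$")


@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    path: str
    publisher: str
    missing: bool
    native64: bool
    flags: list = field(default_factory=list)


def parse_o4(line):
    """Parse one OTL O4 line; return None for lines that are not O4 entries."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    missing = rest.endswith(MISSING)
    if missing:
        path, publisher = rest[: -len(MISSING)].strip(), ""
    else:
        t = TARGET_RE.match(rest)
        path, publisher = (t.group("path"), t.group("publisher").strip()) if t else (rest, "")
    return AutorunEntry(hive=m.group("hive"), key=m.group("key"), name=m.group("name"),
                        path=path, publisher=publisher, missing=missing,
                        native64=bool(m.group("native64")))


def triage(entry):
    """Attach heuristic flags in a fixed order so results are comparable."""
    low = entry.path.lower()
    flags = []
    if entry.missing:
        flags.append("target_missing")      # dangling autorun: target removed, renamed or hidden
    if any(seg in low for seg in USER_WRITABLE_DIRS):
        flags.append("user_writable_dir")   # no admin rights were needed to plant it
    if low.endswith(".dll"):
        flags.append("dll_as_run_target")   # a bare DLL cannot run by itself; loader pattern
    if RANDOM_NAME_RE.match(entry.name):
        flags.append("random_value_name")   # e.g. JCFSE7V7Z1
    if not entry.missing and not entry.publisher:
        flags.append("no_publisher")        # file exists but carries no company name
    entry.flags = flags
    return flags


def triage_lines(lines):
    """Parse and score every O4 line; most-flagged first, ties keep log order."""
    entries = [e for e in map(parse_o4, lines) if e is not None]
    for e in entries:
        triage(e)
    return sorted(entries, key=lambda e: len(e.flags), reverse=True)


if __name__ == "__main__":
    for e in triage_lines(SAMPLE_O4_LINES):
        print(f"{len(e.flags)}  [{e.name or '<empty>'}] {e.path or '<no path>'}  {' '.join(e.flags)}")
```

Run as-is it lists the nine sample entries with the four per-user entries under AppData\Local at the top; pass it the lines of a whole OTL.txt instead and parse_o4 simply skips everything that is not an O4 line. The score orders the review, it does not decide it: a missing target on its own is not a verdict (a dangling RunOnce under the service SIDs, like the mctadmin line, is a common sight in Windows 7 logs), which is why the flags are kept separate rather than collapsed into a single "bad" label.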


#3 JohnnyWadd (Topic Starter)
  • Members
  • 24 posts

Posted 04 October 2010 - 08:16 AM

Thanks for getting back to me. I followed your instructions... OTL went off without a hitch. Had a problem with RKUnhookerLE, though. Details are as follows:

Here are the logs for OTL:

OTL.txt:

OTL logfile created on: 10/4/2010 7:46:22 AM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Users\JohnnyWadd\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 28.00% Memory free
8.00 Gb Paging File | 5.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 286.27 Gb Total Space | 31.43 Gb Free Space | 10.98% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JON
Current User Name: JohnnyWadd
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/10/04 07:45:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\JohnnyWadd\Desktop\OTL.exe
PRC - [2010/07/15 10:18:02 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgtray.exe
PRC - [2010/07/15 10:17:56 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
PRC - [2010/05/27 01:16:57 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2010/04/28 13:45:50 | 000,835,952 | ---- | M] (Opera Software) -- C:\Program Files (x86)\Opera\opera.exe
PRC - [2010/04/09 00:29:18 | 000,232,896 | ---- | M] (Vuze Inc.) -- C:\Program Files (x86)\Vuze\Azureus.exe
PRC - [2010/04/02 16:19:36 | 000,091,456 | ---- | M] () -- C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe
PRC - [2010/04/02 16:19:32 | 000,279,360 | ---- | M] (Motorola) -- C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnect.exe
PRC - [2010/01/16 17:06:31 | 000,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Java\jre6\bin\jucheck.exe
PRC - [2010/01/16 15:38:15 | 000,200,704 | ---- | M] () -- C:\Windows\PLFSetI.exe
PRC - [2009/10/01 13:35:50 | 000,330,488 | ---- | M] (QUALCOMM, Inc.) -- C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kAD.exe
PRC - [2009/09/30 20:58:42 | 000,026,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
PRC - [2009/07/26 17:44:34 | 003,883,856 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
PRC - [2009/06/04 20:03:32 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2009/06/04 20:03:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2009/05/26 21:06:32 | 004,351,216 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2007/08/24 15:52:46 | 000,166,384 | ---- | M] (Sonic Solutions) -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
PRC - [2007/08/24 15:52:38 | 001,083,888 | ---- | M] (Sonic Solutions) -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
PRC - [2006/03/11 14:49:16 | 000,221,184 | ---- | M] () -- C:\Program Files (x86)\FlashMute\flashmute.exe


========== Modules (SafeList) ==========

MOD - [2010/10/04 07:45:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\JohnnyWadd\Desktop\OTL.exe
MOD - [2009/07/13 20:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2009/07/13 20:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [Auto | Stopped] -- C:\Windows\SysNative\FastUv32.dll -- (FastUserSwitchingCompatibility)
SRV:64bit: - [2010/01/16 17:22:56 | 001,038,088 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe -- (FLEXnet Licensing Service 64)
SRV:64bit: - [2009/10/02 16:24:36 | 000,786,976 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe -- (ePowerSvc)
SRV:64bit: - [2009/09/04 16:44:14 | 000,158,240 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe -- (ODDPwrSvc)
SRV:64bit: - [2009/08/18 12:48:02 | 002,291,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2008/07/29 13:20:28 | 004,737,024 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe -- (msvsmon90)
SRV - [2010/07/15 10:17:56 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/04/02 16:19:36 | 000,091,456 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe -- (MotoConnect Service)
SRV - [2010/01/16 17:09:25 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/10/01 13:35:50 | 000,330,488 | ---- | M] (QUALCOMM, Inc.) [Auto | Running] -- C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kAD.exe -- (QDLService2kAD) Qualcomm Gobi 2000 Download Service (AD)
SRV - [2009/06/04 20:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/08/24 15:53:16 | 000,362,992 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe -- (Roxio Upnp Server 10)
SRV - [2007/08/24 15:53:14 | 000,072,176 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe -- (Roxio UPnP Renderer 10)
SRV - [2007/08/24 15:52:48 | 000,309,744 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
SRV - [2007/08/24 15:52:46 | 000,166,384 | ---- | M] (Sonic Solutions) [Auto | Running] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe -- (RoxWatch10)
SRV - [2007/08/24 15:52:38 | 001,083,888 | ---- | M] (Sonic Solutions) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2006/10/27 00:47:54 | 000,065,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\RtsUCcid.sys -- (USBCCID)
DRV:64bit: - File not found [File_System | System | Stopped] -- C:\Windows\SysNative\DRIVERS\RxFilter.sys -- (RxFilter)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\Rts516xIR.sys -- (RtsUIR)
DRV:64bit: - [2010/07/15 10:18:01 | 000,317,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtdia.sys -- (AvgTdiA)
DRV:64bit: - [2010/07/15 10:17:04 | 000,269,904 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (AvgLdx64)
DRV:64bit: - [2010/06/02 13:47:30 | 000,035,536 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgmfx64.sys -- (AvgMfx64)
DRV:64bit: - [2010/01/17 23:42:06 | 000,834,544 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2010/01/16 19:13:09 | 000,082,816 | ---- | M] (VSO Software) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\pcouffin.sys -- (pcouffin)
DRV:64bit: - [2010/01/11 22:27:04 | 007,370,176 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/01/11 21:37:30 | 000,216,064 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:64bit: - [2010/01/11 21:33:10 | 000,272,432 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2010/01/11 21:28:22 | 005,435,904 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NETw5v64.sys -- (netw5v64) Intel®
DRV:64bit: - [2010/01/11 17:44:30 | 000,448,512 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RTL8187.sys -- (RTL8187)
DRV:64bit: - [2009/11/13 10:47:38 | 000,067,072 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)
DRV:64bit: - [2009/10/27 12:10:18 | 000,030,208 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\motport.sys -- (motport)
DRV:64bit: - [2009/10/27 12:10:18 | 000,030,208 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\motmodem.sys -- (motmodem)
DRV:64bit: - [2009/10/26 16:54:22 | 000,032,768 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ANDROIDUSB.sys -- (HTCAND64)
DRV:64bit: - [2009/09/15 20:40:42 | 006,952,960 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NETw5s64.sys -- (NETw5s64) Intel®
DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/19 17:07:44 | 000,020,992 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\motccgp.sys -- (motccgp)
DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/06/04 05:54:36 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/01/29 17:18:12 | 000,009,216 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\motccgpfl.sys -- (motccgpfl)
DRV:64bit: - [2008/01/19 01:10:30 | 000,154,168 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
DRV:64bit: - [2007/07/26 03:00:00 | 000,053,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV - [2008/08/14 08:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysWow64\drivers\adfs.sys -- (adfs)
DRV - [2007/08/18 03:09:04 | 000,065,520 | ---- | M] (Sonic Solutions) [File_System | System | Stopped] -- C:\Windows\SysWOW64\drivers\RxFilter.sys -- (RxFilter)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2444697407-3714104137-341764235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://bing.zugo.com/?cfg=2-80-0-tLeS
IE - HKU\S-1-5-21-2444697407-3714104137-341764235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-2444697407-3714104137-341764235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-2444697407-3714104137-341764235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4D 93 CE 5B 40 9D CA 01 [binary data]
IE - HKU\S-1-5-21-2444697407-3714104137-341764235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://bing.zugo.com/?cfg=2-80-0-tLez
IE - HKU\S-1-5-21-2444697407-3714104137-341764235-1000\..\URLSearchHook: {CA3EB689-8F09-4026-AA10-B9534C691CE0} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-2444697407-3714104137-341764235-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {52E97ED8-7B1E-473B-A99B-789A91783CDD}:1.9.1


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/10/03 00:44:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/10/03 00:44:02 | 000,000,000 | ---D | M]

[2010/03/04 17:11:05 | 000,000,000 | ---D | M] -- C:\Users\JohnnyWadd\AppData\Roaming\Mozilla\Extensions
[2010/06/26 08:41:59 | 000,000,000 | ---D | M] -- C:\Users\JohnnyWadd\AppData\Roaming\Mozilla\Firefox\Profiles\6xtrucvk.default\extensions
[2010/03/04 17:10:50 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/01/16 17:12:56 | 000,000,854 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O2:64bit: - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll (AVG Technologies CZ, s.r.o.)
O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (no name) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - No CLSID value found.
O4:64bit: - HKLM..\Run: [Acer ePower Management] C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe (Acer Incorporated)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [itype] c:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [ODDPwr] C:\Program Files\Acer\Optical Drive Power Management\ODDPwr.exe (Acer Incorporated)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [PLFSetI] C:\Windows\PLFSetI.exe ()
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files (x86)\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe File not found
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe File not found
O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [FlashMute] C:\Program Files (x86)\FlashMute\flashmute.exe ()
O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [ISUSScheduler] C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [JCFSE7V7Z1] C:\Users\JOHNNY~1\AppData\Local\Temp\Cxy.exe File not found
O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [Messenger (Yahoo!)] C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [msnmsgr] C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [Qgugufica] C:\Users\JohnnyWadd\AppData\Local\unanunan.DLL ( )
O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [SMH2B46TDP] C:\Users\JOHNNY~1\AppData\Local\Temp\Cxz.exe File not found
O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [Vhifefedahe] C:\Users\JohnnyWadd\AppData\Local\KBDP1081.DLL File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgppa.dll (AVG Technologies CZ, s.r.o.)
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20:64bit: - AppInit_DLLs: (avgrssta.dll) - C:\Windows\SysNative\avgrssta.dll (AVG Technologies CZ, s.r.o.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (livessp) - C:\Windows\SysNative\livessp.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (livessp) - C:\Windows\SysWow64\livessp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{cb164a7a-bed4-11df-8b9e-cd86f8f5d649}\Shell - "" = AutoRun
O33 - MountPoints2\{cb164a7a-bed4-11df-8b9e-cd86f8f5d649}\Shell\AutoRun\command - "" = E:\WD SmartWare.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/10/04 07:44:16 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\JohnnyWadd\Desktop\OTL.exe
[2010/10/03 00:37:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\VirtualDubMOD
[2010/10/01 22:47:55 | 000,000,000 | ---D | C] -- C:\WebSite2
[2010/10/01 20:47:10 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft IntelliType Pro
[2010/10/01 18:18:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Update
[2010/10/01 18:17:54 | 000,000,000 | -H-D | C] -- C:\Users\Public\Documents\Server
[2010/10/01 17:17:58 | 000,000,000 | ---D | C] -- C:\WebSite1
[2010/09/30 01:30:48 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\1033
[2010/09/30 01:11:51 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\1033
[2010/09/30 00:38:24 | 000,000,000 | ---D | C] -- C:\Users\JohnnyWadd\AppData\Local\Microsoft_Corporation
[2010/09/29 21:52:11 | 000,000,000 | ---D | C] -- C:\PornoDVDs
[2010/09/29 18:23:49 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2010/09/29 16:10:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Works
[2010/09/29 16:09:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio
[2010/09/29 16:04:23 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2010/09/29 16:04:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio 8
[2010/09/29 09:19:26 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SDKs
[2010/09/29 09:19:04 | 000,000,000 | ---D | C] -- C:\Program Files\Business Objects
[2010/09/29 09:16:23 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\js
[2010/09/29 09:16:23 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\images
[2010/09/29 09:16:23 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\html
[2010/09/29 09:16:23 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\css
[2010/09/29 09:16:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Business Objects
[2010/09/29 09:12:27 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server
[2010/09/29 09:12:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft SQL Server
[2010/09/29 09:12:09 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Device Emulator
[2010/09/29 09:12:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Device Emulator
[2010/09/29 09:11:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Mobile 5.0 SDK R2
[2010/09/29 09:10:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Synchronization Services
[2010/09/29 09:10:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
[2010/09/29 09:02:14 | 000,000,000 | ---D | C] -- C:\ProgramData\PreEmptive Solutions
[2010/09/29 08:55:30 | 000,000,000 | ---D | C] -- C:\Windows\symbols
[2010/09/29 08:52:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft SDKs
[2010/09/29 08:52:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Merge Modules
[2010/09/29 08:52:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\HTML Help Workshop
[2010/09/29 08:52:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\CE Remote Tools
[2010/09/29 08:52:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft.NET
[2010/09/29 08:52:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio 9.0
[2010/09/29 08:49:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Web Designer Tools
[2010/09/29 08:48:47 | 000,000,000 | RH-D | C] -- C:\MSOCache
[2010/09/29 08:47:42 | 000,000,000 | ---D | C] -- C:\Users\JohnnyWadd\Documents\Visual Studio 2008
[2010/09/29 08:47:36 | 000,000,000 | ---D | C] -- C:\Users\JohnnyWadd\AppData\Local\Microsoft Help
[2010/09/29 08:47:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft Help
[2010/09/29 08:46:58 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio 9.0
[2010/09/15 12:38:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DVDFab 8
[2010/09/13 17:33:52 | 000,000,000 | ---D | C] -- C:\Users\JohnnyWadd\AppData\Local\{52E97ED8-7B1E-473B-A99B-789A91783CDD}
[2010/09/12 13:11:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Veetle
[2010/08/30 18:20:10 | 000,000,000 | ---D | C] -- C:\Users\JohnnyWadd\Desktop\Tunes
[2010/08/28 15:36:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Xvid
[2010/08/28 12:16:05 | 000,278,528 | ---- | C] (Real Networks, Inc) -- C:\Windows\SysWow64\pncrt.dll
[2010/08/28 12:16:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Real Alternative
[2010/08/28 12:05:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AviSynth 2.5
[2010/08/28 09:31:44 | 000,000,000 | ---D | C] -- C:\Completed Downloads
[2010/08/28 09:30:58 | 000,000,000 | ---D | C] -- C:\Azureus Downloads
[2010/08/24 14:02:30 | 000,305,432 | ---- | C] (Sheridan Software Systems, Inc.) -- C:\Windows\SysNative\THREED20.OCX
[2010/08/24 14:02:30 | 000,200,704 | ---- | C] (Sheridan Software Systems, Inc.) -- C:\Windows\SysNative\THREED32.OCX
[2010/08/24 14:02:30 | 000,057,344 | ---- | C] (Optimum X) -- C:\Windows\SysNative\Shortcut.exe
[2010/08/24 14:02:30 | 000,052,736 | ---- | C] (Outrider Systems, Inc.) -- C:\Windows\SysNative\SPIN32.OCX
[2010/08/24 13:47:28 | 000,305,432 | ---- | C] (Sheridan Software Systems, Inc.) -- C:\Windows\SysWow64\THREED20.OCX
[2010/08/24 13:47:28 | 000,200,704 | ---- | C] (Sheridan Software Systems, Inc.) -- C:\Windows\SysWow64\THREED32.OCX
[2010/08/24 13:47:28 | 000,057,344 | ---- | C] (Optimum X) -- C:\Windows\SysWow64\Shortcut.exe
[2010/08/24 13:47:28 | 000,052,736 | ---- | C] (Outrider Systems, Inc.) -- C:\Windows\SysWow64\SPIN32.OCX
[2010/08/16 14:23:52 | 000,000,000 | ---D | C] -- C:\Program Files\Roxio
[2010/08/16 14:23:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Sonic Shared
[2010/08/16 14:23:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\PX Storage Engine
[2010/08/16 14:23:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Roxio Shared
[2010/08/16 14:00:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\InterActual
[2010/08/16 13:55:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Roxio
[2010/08/16 13:53:46 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\URTTEMP
[2010/08/02 12:00:42 | 000,000,000 | ---D | C] -- C:\Users\JohnnyWadd\Desktop\The Big Lebowski
[2010/07/26 18:03:54 | 000,000,000 | ---D | C] -- C:\Users\JohnnyWadd\Documents\Clear Creek Rafting Trip
[2010/07/15 10:18:01 | 000,013,048 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\avgrssta.dll
[2010/01/16 19:13:09 | 000,082,816 | ---- | C] (VSO Software) -- C:\Users\JohnnyWadd\AppData\Roaming\pcouffin.sys
[2009/07/13 18:24:58 | 000,202,752 | ---- | C] ( ) -- C:\Users\JohnnyWadd\AppData\Local\unanunan.dll

========== Files - Modified Within 90 Days ==========

[2010/10/04 07:48:40 | 003,932,160 | -HS- | M] () -- C:\Users\JohnnyWadd\NTUSER.DAT
[2010/10/04 07:46:11 | 000,000,254 | -H-- | M] () -- C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/10/04 07:45:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\JohnnyWadd\Desktop\OTL.exe
[2010/10/04 07:45:40 | 000,049,351 | ---- | M] () -- C:\Users\JohnnyWadd\Desktop\RKUnhookerLE.EXE
[2010/10/04 07:44:47 | 000,000,120 | ---- | M] () -- C:\Users\JohnnyWadd\AppData\Local\Wholedulo.dat
[2010/10/04 07:44:47 | 000,000,000 | ---- | M] () -- C:\Users\JohnnyWadd\AppData\Local\Fjehebuxeyakiwi.bin
[2010/10/04 06:56:03 | 000,000,928 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2444697407-3714104137-341764235-1000UA.job
[2010/10/04 01:56:01 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2444697407-3714104137-341764235-1000Core.job
[2010/10/03 21:29:53 | 000,793,170 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/10/03 21:29:53 | 000,670,836 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/10/03 21:29:53 | 000,125,370 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/10/03 20:24:37 | 000,014,832 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/10/03 20:24:37 | 000,014,832 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/10/03 16:57:43 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/10/03 16:57:29 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/10/03 16:57:01 | 3166,015,488 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/03 16:55:34 | 002,076,080 | -H-- | M] () -- C:\Users\JohnnyWadd\AppData\Local\IconCache.db
[2010/10/03 08:12:20 | 065,597,256 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\incavi.avm
[2010/10/01 21:24:26 | 003,066,232 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/10/01 20:56:04 | 000,125,560 | ---- | M] () -- C:\Users\JohnnyWadd\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/10/01 20:11:47 | 000,744,580 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/09/29 16:03:31 | 000,000,499 | ---- | M] () -- C:\Windows\win.ini
[2010/09/29 13:55:13 | 000,000,520 | ---- | M] () -- C:\Windows\ODBC.INI
[2010/09/15 12:41:34 | 000,099,384 | ---- | M] () -- C:\Users\JohnnyWadd\AppData\Roaming\inst.exe
[2010/09/15 12:41:34 | 000,082,816 | ---- | M] (VSO Software) -- C:\Users\JohnnyWadd\AppData\Roaming\pcouffin.sys
[2010/09/15 12:41:34 | 000,007,859 | ---- | M] () -- C:\Users\JohnnyWadd\AppData\Roaming\pcouffin.cat
[2010/09/15 12:41:34 | 000,001,167 | ---- | M] () -- C:\Users\JohnnyWadd\AppData\Roaming\pcouffin.inf
[2010/08/28 14:15:08 | 000,001,786 | ---- | M] () -- C:\Windows\SysWow64\KGyGaAvL.sys
[2010/08/28 09:33:38 | 000,001,848 | ---- | M] () -- C:\Users\JohnnyWadd\Application Data\Microsoft\Internet Explorer\Quick Launch\Vuze.lnk
[2010/08/16 14:17:09 | 000,000,282 | ---- | M] () -- C:\Windows\WININIT.INI
[2010/07/29 15:25:52 | 131,764,026 | ---- | M] () -- C:\Users\JohnnyWadd\Desktop\Clear Creek 3.zip
[2010/07/29 15:25:48 | 131,313,245 | ---- | M] () -- C:\Users\JohnnyWadd\Desktop\Clear Creek 4.zip
[2010/07/29 15:25:18 | 131,340,771 | ---- | M] () -- C:\Users\JohnnyWadd\Desktop\Clear Creek 2.zip
[2010/07/29 15:24:39 | 136,561,960 | ---- | M] () -- C:\Users\JohnnyWadd\Desktop\Clear Creek 1.zip
[2010/07/15 10:18:01 | 000,317,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgtdia.sys
[2010/07/15 10:18:01 | 000,013,048 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\avgrssta.dll
[2010/07/15 10:17:04 | 000,269,904 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgldx64.sys

========== Files Created - No Company Name ==========

[2010/10/04 07:44:08 | 000,049,351 | ---- | C] () -- C:\Users\JohnnyWadd\Desktop\RKUnhookerLE.EXE
[2010/10/01 18:20:39 | 000,000,254 | -H-- | C] () -- C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/09/29 16:17:20 | 000,676,224 | ---- | C] () -- C:\Windows\SysNative\OGACheckControl.dll
[2010/09/13 17:33:56 | 000,000,000 | ---- | C] () -- C:\Users\JohnnyWadd\AppData\Local\Fjehebuxeyakiwi.bin
[2010/09/13 17:33:55 | 000,000,120 | ---- | C] () -- C:\Users\JohnnyWadd\AppData\Local\Wholedulo.dat
[2010/08/28 15:36:30 | 000,819,200 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2010/08/28 15:36:30 | 000,180,224 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2010/08/28 15:36:30 | 000,077,824 | ---- | C] () -- C:\Windows\SysWow64\xvid.ax
[2010/08/28 09:33:38 | 000,001,848 | ---- | C] () -- C:\Users\JohnnyWadd\Application Data\Microsoft\Internet Explorer\Quick Launch\Vuze.lnk
[2010/08/24 14:02:30 | 000,000,531 | ---- | C] () -- C:\Windows\SysNative\elevate.js
[2010/08/24 13:47:28 | 000,000,531 | ---- | C] () -- C:\Windows\SysWow64\elevate.js
[2010/08/16 13:22:54 | 000,000,282 | ---- | C] () -- C:\Windows\WININIT.INI
[2010/07/29 15:24:50 | 131,313,245 | ---- | C] () -- C:\Users\JohnnyWadd\Desktop\Clear Creek 4.zip
[2010/07/29 15:24:37 | 131,764,026 | ---- | C] () -- C:\Users\JohnnyWadd\Desktop\Clear Creek 3.zip
[2010/07/29 15:24:14 | 131,340,771 | ---- | C] () -- C:\Users\JohnnyWadd\Desktop\Clear Creek 2.zip
[2010/07/29 15:23:56 | 136,561,960 | ---- | C] () -- C:\Users\JohnnyWadd\Desktop\Clear Creek 1.zip
[2010/02/21 22:45:43 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/02/02 05:52:20 | 000,000,027 | ---- | C] () -- C:\Users\JohnnyWadd\AppData\Roaming\tmp123.txt
[2010/01/30 21:35:32 | 000,232,969 | ---- | C] () -- C:\Users\JohnnyWadd\AppData\Roaming\ldm.exe
[2010/01/17 23:59:08 | 000,744,580 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/01/16 19:13:42 | 000,000,055 | ---- | C] () -- C:\Users\JohnnyWadd\AppData\Roaming\pcouffin.log
[2010/01/16 19:13:09 | 000,099,384 | ---- | C] () -- C:\Users\JohnnyWadd\AppData\Roaming\inst.exe
[2010/01/16 19:13:09 | 000,007,859 | ---- | C] () -- C:\Users\JohnnyWadd\AppData\Roaming\pcouffin.cat
[2010/01/16 19:13:09 | 000,001,167 | ---- | C] () -- C:\Users\JohnnyWadd\AppData\Roaming\pcouffin.inf
[2010/01/16 18:37:58 | 000,088,576 | ---- | C] () -- C:\Windows\SysWow64\OptimFROG.dll
[2010/01/16 17:45:46 | 000,001,786 | ---- | C] () -- C:\Windows\SysWow64\KGyGaAvL.sys
[2010/01/16 17:32:55 | 000,000,520 | ---- | C] () -- C:\Windows\ODBC.INI
[2010/01/16 15:38:47 | 000,000,074 | ---- | C] () -- C:\Windows\PidList.ini
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2007/08/21 05:22:58 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\px.ini

========== LOP Check ==========

[2010/01/16 19:27:25 | 000,000,000 | ---D | M] -- C:\Users\JohnnyWadd\AppData\Roaming\acccore
[2010/10/04 07:46:07 | 000,000,000 | ---D | M] -- C:\Users\JohnnyWadd\AppData\Roaming\Azureus
[2010/01/16 17:53:00 | 000,000,000 | ---D | M] -- C:\Users\JohnnyWadd\AppData\Roaming\Brainwave
[2010/01/17 23:54:48 | 000,000,000 | ---D | M] -- C:\Users\JohnnyWadd\AppData\Roaming\DAEMON Tools Lite
[2010/06/07 10:12:11 | 000,000,000 | ---D | M] -- C:\Users\JohnnyWadd\AppData\Roaming\dBpoweramp
[2010/03/07 17:22:45 | 000,000,000 | ---D | M] -- C:\Users\JohnnyWadd\AppData\Roaming\Opera
[2010/01/16 18:45:39 | 000,000,000 | ---D | M] -- C:\Users\JohnnyWadd\AppData\Roaming\StreamTorrent
[2010/05/11 23:26:01 | 000,000,000 | ---D | M] -- C:\Users\JohnnyWadd\AppData\Roaming\Teleca
[2010/09/15 12:41:35 | 000,000,000 | ---D | M] -- C:\Users\JohnnyWadd\AppData\Roaming\Vso
[2010/09/15 13:07:33 | 000,032,648 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/10/04 07:46:11 | 000,000,254 | -H-- | M] () -- C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job

========== Purity Check ==========


< End of report >





Extras.txt

OTL Extras logfile created on: 10/4/2010 7:46:22 AM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Users\JohnnyWadd\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 28.00% Memory free
8.00 Gb Paging File | 5.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 286.27 Gb Total Space | 31.43 Gb Free Space | 10.98% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JON
Current User Name: JohnnyWadd
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2444697407-3714104137-341764235-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02AD9D20-03D2-4DE0-8793-E8253026AD86}" = EMCGadgets64
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{0A107E17-B5C5-DFE3-6EAA-E6A68A4B82FD}" = ATI Catalyst Install Manager
"{288D79EE-A2D1-42AF-9597-B0ADCC23A8ED}" = Microsoft SQL Server VSS Writer
"{295CFB7C-A57E-4313-93E7-68E7CE1D0332}" = Adobe WinSoft Linguistics Plugin x64
"{29C93182-34F6-3275-A18D-59326851CD57}" = Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools - enu
"{2BFA9B05-7418-4EDE-A6FC-620427BAAAA3}" = Crystal Reports Basic Runtime for Visual Studio 2008 (x64)
"{2D74E972-5A85-44DC-9193-8A302BA8C181}" = Photoshop Camera Raw_x64
"{31E8F586-4EF7-4500-844D-BA8756474FF1}" = Windows Automated Installation Kit
"{37DEBC1E-0A1F-448A-8DDD-A2FF4B1578EB}" = Motorola Driver Installation 4.6.0
"{5DE154DF-A55E-4FA5-BE59-32E78FCACF3E}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{62EED300-E841-4083-A1D6-60B906271804}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Tools
"{64D5BBC6-5270-3711-AA39-31C1087AF4E6}" = Microsoft Visual Studio 2008 Remote Debugger - ENU
"{6631325A-9B1B-4EE7-8E64-8CC4A6F10643}" = Adobe Fonts All x64
"{6D10FB2C-82A9-40F2-91D0-7BE64CF0DAF2}" = Microsoft SQL Server 2008 R2 Setup (English)
"{727E94E5-584F-4463-B4F5-93D3779C610B}_x" = Option WWAN Driver Installer
"{79BF7CB8-1E09-489F-9547-DB3EE8EA3F16}" = Microsoft SQL Server Native Client
"{8875A1C0-6308-4790-8CF6-D34E89880052}" = Adobe Linguistics CS4 x64
"{887797BF-37A5-4199-B0C9-0D38D6196E9A}" = Adobe Anchor Service x64 CS4
"{8C8D673B-20FB-43E6-BCB7-9B3F78F2E762}" = Adobe Type Support x64 CS4
"{8DAA31EB-6830-4006-A99F-4DF8AB24714F}" = Adobe CSI CS4 x64
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{90BA8112-80B3-4617-A3C1-BD2771B60F74}" = Adobe CMaps x64 CS4
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{98C8DF59-BE5F-4EC2-9B12-FD2A54928EDB}" = Microsoft IntelliType Pro 8.0
"{9aa5f39c-a8de-46b0-919a-0248f8bc8490}" = Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
"{9B48B0AC-C813-4174-9042-476A887592C7}" = Windows Live ID Sign-in Assistant
"{A3454894-144A-4D80-B605-C128FE0D7329}" = Adobe Drive CS4 x64
"{A992BBAA-723D-4574-A07F-983BF8FAA3E1}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Win32 Tools
"{AA627A0F-E964-4DCD-86EE-81AA6D933DF4}" = Option WWAN Driver Installer
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{D1BA5DC5-1E32-56E0-41DB-FFBB846FD9CE}" = ccc-utility64
"{D3E39E77-0EB4-36FB-B97A-8C8AB21B9A45}" = Visual Studio .NET Prerequisites - English
"{D40172D6-CE2D-4B72-BF5F-26A04A900B7B}" = Adobe Photoshop CS4 (64 Bit)
"{DFFABE78-8173-4E97-9C5C-22FB26192FC5}" = Adobe PDF Library Files x64 CS4
"{EF8B1A2E-9CCB-3AB2-91E3-4EEDAB1294E1}" = Microsoft Device Emulator (64 bit) version 3.0 - ENU
"Microsoft Visual Studio 2008 Remote Debugger - ENU" = Microsoft Visual Studio 2008 Remote Debugger - ENU
"Recuva" = Recuva
"SynTPDeinstKey" = Synaptics Pointing Device Driver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07473686-FC3A-4825-9CA9-97D269145F62}" = Motorola Phone Tools
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data
"{098122AB-C605-4853-B441-C0A4EB359B75}" = DirectXInstallService
"{0C19D563-5F25-4621-BF10-01F741BD283F}" = Microsoft SQL Server Compact 3.5 SP1 Design Tools English
"{0DF3AE91-E533-3960-8516-B23737F8B7A2}" = Visual C++ 2008 x64 Runtime - (v9.0.30729)
"{0DF3AE91-E533-3960-8516-B23737F8B7A2}.vc_x64runtime_30729_01" = Visual C++ 2008 x64 Runtime - v9.0.30729.01
"{1A0D2EFC-C4FC-446A-8BC3-57A54CE5EADD}" = Opera 10.53
"{1B683082-8791-4D00-8ADE-6C8986FCCC68}" = Roxio CinePlayer
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{22E23C71-C27A-3F30-8849-BB6129E50679}" = Visual C++ 2008 IA64 Runtime - (v9.0.30729)
"{22E23C71-C27A-3F30-8849-BB6129E50679}.vc_i64runtime_30729_01" = Visual C++ 2008 IA64 Runtime - v9.0.30729.01
"{241F2BF7-69EB-42A4-9156-96B2426C7504}" = Microsoft SQL Server Compact 3.5 for Devices ENU
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{291B3A3B-F808-45B8-8113-DF232FCB6C82}" = Microsoft .NET Compact Framework 3.5
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2FDBBCEA-62DB-45F4-B6E5-0E1FB2A1F29D}" = Visual C++ 8.0 Runtime Setup Package (x64)
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{3A9FC03D-C685-4831-94CF-4EDFD3749497}" = Microsoft SQL Server Compact 3.5 SP2 ENU
"{3E67A8DA-FE7B-4160-8465-F5571EA18753}" = Roxio Disc Gallery
"{52F6065D-27D0-4680-B2BC-C49C9A252459}" = Motorola Driver Installation
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup
"{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}" = Microsoft Document Explorer 2008
"{6C9F6D23-E9AD-43C9-B43A-011562AAF876}" = Windows Mobile 5.0 SDK R2 for Pocket PC
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Roxio CinePlayer Decoder Pack
"{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-0021-0000-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer 2007
"{90120000-0021-0000-0000-0000000FF1CE}_VisualWebDeveloper_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0021-0409-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer MUI (English) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{9509674F-3972-11DE-806D-005056806466}" = Google Earth
"{9656F3AC-6BA9-43F0-ABED-F214B5DAB27B}" = Windows Mobile 5.0 SDK R2 for Smartphone
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}" = Microsoft SQL Server Database Publishing Wizard 1.3
"{9A9A1828-31D1-4590-A99F-022B7237AFAE}" = Roxio MediaShare
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AA467959-A1D6-4F45-90CD-11DC57733F32}" = Crystal Reports Basic for Visual Studio 2008
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{B158F76F-76AB-4115-A4F0-4C6EF6956093}_is1" = VirtualDubMOD 1.5.10.3 US
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy
"{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}" = Motorola Phone Tools
"{BF83EFE2-C9F0-40D4-841C-2066668C1D7A}" = Roxio Easy Media Creator 10 Suite
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D7DAD1E4-45F4-3B2B-899A-EA728167EC4F}" = Microsoft Visual Studio 2008 Professional Edition - ENU
"{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core
"{EDDF99D9-9FE3-4871-A7DB-D1522C51EE9A}" = Microsoft .NET Compact Framework 2.0 SP2
"{EF2AA69F-67E4-4721-89F9-04F4A177F9C5}" = Motorola Phone Tools
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FDB46DE7-9045-47BB-970A-3E4ED5369E03}" = EMC 10 Content
"{FF29527A-44CD-3422-945E-981A13584000}" = VC Runtimes MSI
"8461-7759-5462-8226" = Vuze
"AC3Filter_is1" = AC3Filter 1.63b
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_7" = AIM 7
"AVG9Uninstall" = AVG Free 9.0
"AviSynth" = AviSynth 2.5
"Citrus Alarm Clock_is1" = Citrus Alarm Clock 1.0.5
"dBpoweramp AIFF Codec" = dBpoweramp AIFF Codec
"dBpoweramp CLI Encoder" = dBpoweramp CLI Encoder
"dBpoweramp Dalet Codec" = dBpoweramp Dalet Codec
"dBpoweramp DirectShow Decoder" = dBpoweramp DirectShow Decoder
"dBpoweramp FLAC Codec" = dBpoweramp FLAC Codec
"dBpoweramp m4a Codec" = dBpoweramp m4a Codec
"dBpoweramp Midi Decoder" = dBpoweramp Midi Decoder
"dBpoweramp Monkeys Audio Codec" = dBpoweramp Monkeys Audio Codec
"dBPowerAMP Mp2 and BwfMp2 codec" = dBPowerAMP Mp2 and BwfMp2 codec
"dBpoweramp mp3 (Fraunhofer IIS) Codec" = dBpoweramp mp3 (Fraunhofer IIS) Codec
"dBpoweramp Musepack Codec" = dBpoweramp Musepack Codec
"dBpoweramp Music Converter" = dBpoweramp Music Converter
"dBpoweramp Ogg Vorbis Codec" = dBpoweramp Ogg Vorbis Codec
"dBpoweramp OptimFROG Codec" = dBpoweramp OptimFROG Codec
"dBPowerAMP Real Audio (Helix) Encoder" = dBPowerAMP Real Audio (Helix) Encoder
"dBpoweramp Shorten Codec" = dBpoweramp Shorten Codec
"dBpoweramp Speex Codec" = dBpoweramp Speex Codec
"dBPoweramp tooLame MP2 codec" = dBPoweramp tooLame MP2 codec
"dBpoweramp Wave64 Codec" = dBpoweramp Wave64 Codec
"dBpoweramp WavPack Codec" = dBpoweramp WavPack Codec
"dBpoweramp Windows Media Audio 10 Codec" = dBpoweramp Windows Media Audio 10 Codec
"dMC Power Pack" = dMC Power Pack
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDFab 8_is1" = DVDFab 8.0.0.5 (25/08/2010)
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FLV Player" = FLV Player 2.0 (build 25)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft Document Explorer 2008" = Microsoft Document Explorer 2008
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Microsoft Visual Studio 2008 Professional Edition - ENU" = Microsoft Visual Studio 2008 Professional Edition - ENU
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"PE Builder_is1" = PE Builder 3.1.10a
"pzizz" = pzizz
"RealAlt_is1" = Real Alternative 2.0.2
"RockNES X v2.0 & Games" = RockNES X v2.0 & Games 1.0
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"SopCast" = SopCast 3.0.3
"StreamTorrent 1.0" = StreamTorrent 1.0
"Veetle TV" = Veetle TV 0.9.17
"ViewpointMediaPlayer" = Viewpoint Media Player
"Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime
"VisualWebDeveloper" = Microsoft Visual Studio Web Authoring Component
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Xvid_is1" = Xvid 1.2.2 final uninstall
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2444697407-3714104137-341764235-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"FlashMute" = FlashMute
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/23/2010 8:20:55 PM | Computer Name = Jon | Source = Google Update | ID = 20
Description =

Error - 9/25/2010 12:35:07 PM | Computer Name = Jon | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\Program Files (x86)\Common
Files\Adobe AIR\Versions\1.0\Adobe AIR.dll".Error in manifest or policy file "c:\Program
Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" on line 3. The value
"MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute
"version" in element "assemblyIdentity" is invalid.

Error - 9/29/2010 4:47:23 PM | Computer Name = Jon | Source = Application Hang | ID = 1002
Description = The program WINWORD.EXE version 10.0.6856.0 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 1118 Start
Time: 01cb60175be9e77c Termination Time: 70 Application Path: C:\Program Files (x86)\Microsoft
Office\Office10\WINWORD.EXE Report Id: bf40c876-cc0a-11df-9566-e4f573ecbf46

Error - 9/30/2010 1:28:04 AM | Computer Name = Jon | Source = MsiInstaller | ID = 11935
Description =

Error - 10/1/2010 9:13:28 AM | Computer Name = Jon | Source = Google Update | ID = 20
Description =

Error - 10/1/2010 4:26:29 PM | Computer Name = Jon | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\Program Files (x86)\Common
Files\Adobe AIR\Versions\1.0\Adobe AIR.dll".Error in manifest or policy file "c:\Program
Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" on line 3. The value
"MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute
"version" in element "assemblyIdentity" is invalid.

Error - 10/1/2010 9:40:42 PM | Computer Name = Jon | Source = MsiInstaller | ID = 11935
Description =

Error - 10/3/2010 1:36:31 AM | Computer Name = Jon | Source = Application Error | ID = 1000
Description = Faulting application name: VirtualDubMod.exe, version: 1.5.10.0, time
stamp: 0x430e275e Faulting module name: ntdll.dll, version: 6.1.7600.16559, time
stamp: 0x4ba9b29c Exception code: 0xc0000374 Fault offset: 0x000cdc9b Faulting process
id: 0x1d74 Faulting application start time: 0x01cb62bcaa7a7641 Faulting application
path: C:\Users\JohnnyWadd\Desktop\Hard Drive\New Executables\DVD bleep\.rmvb Conversion\VirtualDubMod_1_5_10_2_All_inclusive\VirtualDubMod.exe
Faulting
module path: C:\Windows\SysWOW64\ntdll.dll Report Id: 2ce54548-ceb0-11df-8bbf-911354fe9a3c

Error - 10/3/2010 1:40:12 AM | Computer Name = Jon | Source = Application Error | ID = 1000
Description = Faulting application name: VirtualDubMod.exe, version: 1.5.10.3, time
stamp: 0x4770e0b3 Faulting module name: ntdll.dll, version: 6.1.7600.16559, time
stamp: 0x4ba9b29c Exception code: 0xc0000374 Fault offset: 0x000cdc9b Faulting process
id: 0x15a4 Faulting application start time: 0x01cb62bd6ac36266 Faulting application
path: C:\Program Files (x86)\VirtualDubMOD\VirtualDubMod.exe Faulting module path:
C:\Windows\SysWOW64\ntdll.dll Report Id: b0c1a05e-ceb0-11df-8bbf-911354fe9a3c

Error - 10/3/2010 1:45:51 AM | Computer Name = Jon | Source = Application Error | ID = 1000
Description = Faulting application name: VirtualDubMod.exe, version: 1.5.10.3, time
stamp: 0x4770e0b3 Faulting module name: ntdll.dll, version: 6.1.7600.16559, time
stamp: 0x4ba9b29c Exception code: 0xc0000374 Fault offset: 0x000cdc9b Faulting process
id: 0x1dfc Faulting application start time: 0x01cb62be276f1d0f Faulting application
path: C:\Program Files (x86)\VirtualDubMOD\VirtualDubMod.exe Faulting module path:
C:\Windows\SysWOW64\ntdll.dll Report Id: 7a703c0d-ceb1-11df-8bbf-911354fe9a3c

[ Media Center Events ]
Error - 6/24/2010 5:44:58 AM | Computer Name = Jon | Source = MCUpdate | ID = 0
Description = 4:44:58 AM - Error connecting to the internet. 4:44:58 AM - Unable
to contact server..

Error - 6/24/2010 6:45:08 AM | Computer Name = Jon | Source = MCUpdate | ID = 0
Description = 5:45:07 AM - Error connecting to the internet. 5:45:07 AM - Unable
to contact server..

Error - 6/24/2010 7:45:15 AM | Computer Name = Jon | Source = MCUpdate | ID = 0
Description = 6:45:15 AM - Error connecting to the internet. 6:45:15 AM - Unable
to contact server..

Error - 6/29/2010 1:07:37 PM | Computer Name = Jon | Source = MCUpdate | ID = 0
Description = 12:07:36 PM - Error connecting to the internet. 12:07:36 PM - Unable
to contact server..

Error - 7/4/2010 4:06:03 AM | Computer Name = Jon | Source = MCUpdate | ID = 0
Description = 3:06:03 AM - Error connecting to the internet. 3:06:03 AM - Unable
to contact server..

Error - 7/19/2010 12:24:40 PM | Computer Name = Jon | Source = MCUpdate | ID = 0
Description = 11:24:39 AM - Error connecting to the internet. 11:24:39 AM - Unable
to contact server..

Error - 7/30/2010 4:42:35 AM | Computer Name = Jon | Source = MCUpdate | ID = 0
Description = 3:42:35 AM - Error connecting to the internet. 3:42:35 AM - Unable
to contact server..

Error - 7/30/2010 5:43:38 AM | Computer Name = Jon | Source = MCUpdate | ID = 0
Description = 4:43:37 AM - Error connecting to the internet. 4:43:37 AM - Unable
to contact server..

Error - 7/30/2010 6:44:14 AM | Computer Name = Jon | Source = MCUpdate | ID = 0
Description = 5:44:13 AM - Error connecting to the internet. 5:44:13 AM - Unable
to contact server..

Error - 7/30/2010 7:45:01 AM | Computer Name = Jon | Source = MCUpdate | ID = 0
Description = 6:45:01 AM - Error connecting to the internet. 6:45:01 AM - Unable
to contact server..

[ System Events ]
Error - 6/25/2010 11:19:10 AM | Computer Name = Jon | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.1.102
with the system having network hardware address 90-4C-E5-37-B5-C8. Network operations
on this system may be disrupted as a result.

Error - 6/25/2010 6:31:19 PM | Computer Name = Jon | Source = BROWSER | ID = 8032
Description =

Error - 6/26/2010 11:08:37 AM | Computer Name = Jon | Source = volsnap | ID = 393252
Description = The shadow copies of volume C: were aborted because the shadow copy
storage could not grow due to a user imposed limit.

Error - 6/28/2010 8:02:28 AM | Computer Name = Jon | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 192.168.1.3. The computer with the IP address 192.168.1.2 did not
allow the name to be claimed by this computer.

Error - 6/28/2010 8:07:38 AM | Computer Name = Jon | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 192.168.1.3. The computer with the IP address 192.168.1.2 did not
allow the name to be claimed by this computer.

Error - 6/28/2010 8:12:48 AM | Computer Name = Jon | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 192.168.1.3. The computer with the IP address 192.168.1.2 did not
allow the name to be claimed by this computer.

Error - 6/28/2010 8:17:58 AM | Computer Name = Jon | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 192.168.1.3. The computer with the IP address 192.168.1.2 did not
allow the name to be claimed by this computer.

Error - 6/28/2010 8:23:33 AM | Computer Name = Jon | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 192.168.1.4. The computer with the IP address 192.168.1.2 did not
allow the name to be claimed by this computer.

Error - 6/28/2010 11:31:06 PM | Computer Name = Jon | Source = Service Control Manager | ID = 7023
Description = The Network Security service terminated with the following error:
%%126

Error - 6/29/2010 9:31:35 PM | Computer Name = Jon | Source = bowser | ID = 8003
Description =


< End of report >



RKUnhookerLE was a different story, though... I was unable to get the program to run at all. I was given the following error message:

"Error loading driver, NTSTATUS code: 0xC000036B"

Tried downloading the program twice and got the same error both times. Any suggestions?

Thanks again for your help.

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,829 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:19 AM

Posted 04 October 2010 - 09:41 AM

Hi, RKU doesn't work on 64-bit systems.
Please let me know how things are after the following fix.

OTL FIX
------------
We need to run an OTL Fix
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :otl
    O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [JCFSE7V7Z1] C:\Users\JOHNNY~1\AppData\Local\Temp\Cxy.exe File not found
    O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [Qgugufica] C:\Users\JohnnyWadd\AppData\Local\unanunan.DLL ( )
    O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [SMH2B46TDP] C:\Users\JOHNNY~1\AppData\Local\Temp\Cxz.exe File not found
    O4 - HKU\S-1-5-21-2444697407-3714104137-341764235-1000..\Run: [Vhifefedahe] C:\Users\JohnnyWadd\AppData\Local\KBDP1081.DLL File not found
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

    :commands
    [emptytemp]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
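The OTL fix above removes four Run values whose pattern is typical of this family: random-looking names (JCFSE7V7Z1, SMH2B46TDP), targets under %TEMP% or AppData\Local, one of them a DLL loaded at logon, and two whose files are already gone. The following is an added PowerShell example, not code from the thread, from OTL or from BleepingComputer, that reproduces that triage on a live machine. It assumes an elevated prompt and the standard Run keys; the heuristics are my own assumptions about the pattern, and the output is a review list, not a verdict.

```powershell
# Added example (not from the thread): list Run-key autostarts for the machine
# and every loaded user hive, and flag the pattern removed in the OTL fix:
# random-looking value names, targets under Temp/AppData/ProgramData, DLLs
# loaded at logon, and targets that no longer exist on disk.
# Run from an elevated PowerShell prompt. Output is a triage list, not a verdict.

$runKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# HKEY_CURRENT_USER only covers the logged-on user; walk HKEY_USERS so the
# per-SID Run keys (the OTL log shows S-1-5-21-...-1000) are included too.
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    if ($hive.PSChildName -match '^S-1-5-21-[\d-]+$') {   # skips the *_Classes keys
        $runKeys += "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    }
}

function Test-SuspiciousAutostart {
    param([string]$Name, [string]$Command)
    $reasons = @()

    # Names like JCFSE7V7Z1 / SMH2B46TDP: 8+ upper-case letters and digits mixed
    if ($Name -match '^[A-Z0-9]{8,}$' -and $Name -match '\d') { $reasons += 'random-looking name' }

    # First path-like token: a quoted string or an unquoted drive path.
    # For rundll32-style commands this yields the DLL, not rundll32.exe itself.
    $m = [regex]::Match($Command, '"([^"]+)"|([A-Za-z]:\\[^\s,]+)')
    $target = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    if (-not $target) { return $reasons }

    if ($target -match '\\Temp\\|\\AppData\\Local\\|\\ProgramData\\') { $reasons += 'runs from user-writable profile/temp path' }
    if ($target -match '\.dll$')                                       { $reasons += 'DLL loaded at logon (rundll32-style)' }
    if (-not (Test-Path -LiteralPath $target))                         { $reasons += 'target file missing' }
    return $reasons
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $k = Get-Item -LiteralPath $key
    foreach ($valueName in $k.GetValueNames()) {
        $cmd = [string]$k.GetValue($valueName)
        $why = Test-SuspiciousAutostart -Name $valueName -Command $cmd
        if ($why) {
            [pscustomobject]@{
                Key     = $key
                Name    = $valueName
                Command = $cmd
                Reasons = ($why -join '; ')
            }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap

# After review, a confirmed entry is removed the same way OTL did it:
#   Remove-ItemProperty -LiteralPath <Key> -Name <Name>
# and the target file is moved to quarantine before deletion, so it can be
# hashed and submitted rather than lost.
```

Legitimate updaters (Google Update, Yahoo! Software Update and similar from the install list above) also run from AppData\Local, so the path rule on its own is noise; the entries worth acting on are the ones that hit two or more rules, as all four in the fix do.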


#5 JohnnyWadd (Topic Starter)

Posted 07 October 2010 - 12:28 AM

Here's the report... kinda wish you'd have told me what it was gonna do:

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-2444697407-3714104137-341764235-1000\Software\Microsoft\Windows\CurrentVersion\Run\\JCFSE7V7Z1 deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2444697407-3714104137-341764235-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Qgugufica deleted successfully.
C:\Users\JohnnyWadd\AppData\Local\unanunan.dll moved successfully.
Registry value HKEY_USERS\S-1-5-21-2444697407-3714104137-341764235-1000\Software\Microsoft\Windows\CurrentVersion\Run\\SMH2B46TDP deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2444697407-3714104137-341764235-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Vhifefedahe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: JohnnyWadd
->Temp folder emptied: 1403998499 bytes
->Temporary Internet Files folder emptied: 77733101 bytes
->Java cache emptied: 37055561 bytes
->FireFox cache emptied: 50918376 bytes
->Google Chrome cache emptied: 134094880 bytes
->Opera cache emptied: 18767225 bytes
->Flash cache emptied: 65898 bytes

User: Mcx1-JON
->Temp folder emptied: 516 bytes
->Temporary Internet Files folder emptied: 650826 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3800622 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 2171561 bytes

Total Files Cleaned = 1,649.00 mb


OTL by OldTimer - Version 3.2.14.1 log created on 10072010_001252

Files\Folders moved on Reboot...
C:\Users\JohnnyWadd\AppData\Local\Temp\swtlib-32\swt-gdip-win32-3650.dll moved successfully.
C:\Users\JohnnyWadd\AppData\Local\Temp\swtlib-32\swt-win32-3650.dll moved successfully.
C:\Users\JohnnyWadd\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Windows\temp\JET29BE.tmp moved successfully.

Registry entries deleted on Reboot...

#6 Elise

Posted 07 October 2010 - 05:05 AM

This script removed some malicious autostart entries and related files (in case they were still present) as well as all temporary files.

Please let me know how things are running now.

regards, Elise




#7 JohnnyWadd (Topic Starter)

Posted 07 October 2010 - 11:22 AM

Should I just play around and see how it goes? I'm wondering if I should assume that the adware/malware is gone...

#8 Elise

Posted 07 October 2010 - 11:46 AM

Yes, please see how everything runs now.

Launch Malwarebytes Antimalware, update it and run a full scan. Post me the resulting log.

regards, Elise




#9 JohnnyWadd (Topic Starter)

Posted 07 October 2010 - 02:08 PM

Here you go:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4770

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/7/2010 1:43:18 PM
mbam-log-2010-10-07 (13-43-18).txt

Scan type: Full scan (C:\|)
Objects scanned: 351100
Time elapsed: 1 hour(s), 20 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{fe4c2c37-edc8-4c00-b864-3c38cf3ba834} (Adware.Adshot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\JCFSE7V7Z1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SMH2B46TDP (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qgugufica (Trojan.Agent.U) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.StartPage) -> Bad: (http://bing.zugo.com/?cfg=2-80-0-tLeS) Good: (http://www.google.com) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Completed Downloads\Rosetta Stone\Rosetta.Stone.v3.2.11.Patch\rosetta.stone.3.2.11-patch.exe (Trojan.Agent) -> Not selected for removal.
C:\ProgramData\Update\seupd.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Users\JohnnyWadd\AppData\Roaming\ldm.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Users\JohnnyWadd\Desktop\Hard Drive\New Executables\DVD bleep\Burner\RecordNow Max\Extra Bullbleep\RecordNow Cracks\19128\Recnm45.exe (Trojan.Bancos) -> Not selected for removal.
C:\Users\JohnnyWadd\Desktop\Hard Drive\New Executables\DVD bleep\Burner\RecordNow Max\Extra Bullbleep\RecordNow Cracks\recordnowmaxv4.50patchdcz\Recnm45.exe (Trojan.Bancos) -> Not selected for removal.
C:\Users\JohnnyWadd\Desktop\Hard Drive\New Executables\Razr\CDMA Tools\CDMA Tools\CDMA Workshop 2.7\cdma workshop.exe (Trojan.Agent) -> Not selected for removal.
C:\Users\JohnnyWadd\Desktop\Hard Drive\New Executables\Razr\CDMA Tools\CDMA Workshop 2.7\cdma workshop.exe (Trojan.Agent) -> Not selected for removal.
C:\_OTL\MovedFiles\10072010_001252\C_Users\JohnnyWadd\AppData\Local\unanunan.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Users\JohnnyWadd\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Public\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Public\Documents\Server\server.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

#10 Elise

Posted 07 October 2010 - 02:25 PM

Of course it is up to you what you remove and what not, but do not be surprised if you get reinfected in no time when keeping this kind of stuff on your computer. Cracks/keygens and the like are the main source of infections and are used to distribute all the latest nasties.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

regards, Elise




#11 Elise

Posted 10 October 2010 - 05:10 AM

Hi, are you still there?

regards, Elise




#12 JohnnyWadd (Topic Starter)

Posted 10 October 2010 - 01:01 PM

Having problems with this one...

...I'll keep trying.

#13 Elise

Posted 10 October 2010 - 02:30 PM

This is just a scan for leftovers. If it gives you troubles, just let me know.

regards, Elise




#14 JohnnyWadd (Topic Starter)

Posted 11 October 2010 - 12:31 AM

Okay... I did get it to work finally. Not sure what the problem was. It found one threat:

Target: C:\Users\Public\Documents\Server\hlp.dat
Threat: Win32/Bamital.EB. trojan
Action: cleaned by deleting - quarantined

What's next?!

#15 Elise

Posted 11 October 2010 - 04:29 AM

Hi, we need to do an additional scan for two possibly patched files.

OTL
-----
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    /md5start
    explorer.exe
    wininit.exe
    /md5stop
  5. Click the NONE button and then Push
  6. A report will open. Copy and Paste that report in your next reply.

regards, Elise


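The /md5start block above only prints hashes of explorer.exe and wininit.exe for a human to compare against a clean machine, which is the check for a Bamital-style infection that patches those files in place. The following is an added PowerShell example, not code from the thread or from OTL, that lets Windows do the comparison itself: it reports the Authenticode status, the result of sfc /verifyfile against the component store, and a SHA-256 for cross-checking against a known-clean box of the same build. It assumes an elevated prompt and a PowerShell version with Get-FileHash (4.0 or later); the directory list is my assumption about where the copies live.

```powershell
# Added example (not from the thread): verify that explorer.exe and wininit.exe
# are still the Microsoft-shipped binaries. A file patched in place changes its
# bytes, so its hash changes and its signature no longer verifies, while size
# and version string may look untouched.
# Run from an elevated PowerShell prompt (sfc needs it).

$names = @('explorer.exe', 'wininit.exe')
# On 64-bit Windows a second, 32-bit explorer.exe lives under SysWOW64
$dirs  = @($env:WINDIR, "$env:WINDIR\System32", "$env:WINDIR\SysWOW64")

$results = foreach ($n in $names) {
    foreach ($d in $dirs) {
        $p = Join-Path $d $n
        if (-not (Test-Path -LiteralPath $p)) { continue }

        $item = Get-Item -LiteralPath $p
        $sig  = Get-AuthenticodeSignature -FilePath $p
        $sha  = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash

        # sfc /verifyfile compares the on-disk file with the protected copy in
        # the component store without repairing it; exit code 0 = no violation.
        & "$env:WINDIR\System32\sfc.exe" /verifyfile=$p | Out-Null
        $sfcOk = ($LASTEXITCODE -eq 0)

        [pscustomobject]@{
            Path      = $p
            Version   = $item.VersionInfo.FileVersion
            Size      = $item.Length
            Signature = $sig.Status      # Valid expected; HashMismatch = bytes changed
            SfcIntact = $sfcOk
            SHA256    = $sha
        }
    }
}
$results | Format-Table -AutoSize
```

Two caveats: these system files are catalog-signed rather than carrying an embedded signature, so on older PowerShell versions that do not consult catalogs the Signature column shows NotSigned for clean files and SfcIntact is the column to trust; and if sfc reports a violation, the details are in %WINDIR%\Logs\CBS\CBS.log and the file should be restored from the component store (sfc /scannow) or from clean installation media before the machine is considered clean.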




