Infected with a redirect (Windows 7 64 bit)


This topic is locked
46 replies to this topic

#1 Max Hennings

Max Hennings

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 10 December 2010 - 11:58 AM

Hello "Bleeping Computer.com" moderators,

I have been struggling to get rid of a nasty redirect infection for some time now. I was able to notice the infection when my links from Google and other websites' internal links were being redirected to sites like Bing and other strange search engine sites. While I have been able to remove it partially using various anti-malware tools, it is always able to reinfect after a restart. I only use Firefox as my browser. I am on a Windows 7 (64-bit) machine and I am up to date according to Windows Update. I have always used Mbam as my "as needed" spyware remover, but I haven't had any issues on Windows 7 until now. Unfortunately I was fairly careless prior to being infected and had turned off my firewall and did not have my usual AVG antivirus software installed. Since I realized that I was infected I have installed and used Microsoft Security Essentials, SUPERAntiSpyware, Avast antivirus, SpyHunter, and HitmanPro 3.5 in addition to having Mbam already on my system. I am able to run each program and update the definitions. In terms of being able to remove it, only SUPERAntiSpyware and HitmanPro 3.5 have been able to detect it and remove it, but it is always able to come back. Mbam has yet to be able to detect the infection, and SpyHunter seems to find infections that aren't related to the redirect issue.

After reading the post preparation guide I have enabled my firewall and disabled my CD emulation software.

Anyway, I would really appreciate some help getting rid of this thing for good, and some advice on how to keep it from happening again without slowing down my system too much or interfering with gaming and torrent downloading.

I'll be in and out today but I'll try to reply and follow instructions as quickly as possible.

Thanks to everyone who can help.

The following is my DDS.txt post:

DDS (Ver_10-12-05.01) - NTFS_AMD64
Run by Max Hennings at 11:36:27.74 on Fri 12/10/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4086.2731 [GMT -5:00]

SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\PROGRA~2\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files (x86)\DAODB\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Portrait Displays\Pivot Software\wpCtrl.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Portrait Displays\Pivot Software\floater.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Max Hennings\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Steam] "c:\program files (x86)\steam\steam.exe" -silent
uRun: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [PivotSoftware] "C:\Program Files (x86)\Portrait Displays\Pivot Software\wpctrl.exe"
mRun: [DT HSP] C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe -HSP
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [ATICustomerCare] "c:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
mRun-x64: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
mRun-x64: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
mRun-x64: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
mRun-x64: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey

================= FIREFOX ===================

FF - ProfilePath - C:\Users\MAXHEN~1\AppData\Roaming\Mozilla\Firefox\Profiles\jeby41nk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2010-12-7 121936]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2010-3-25 173984]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-10-22 203776]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2010-12-7 20048]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2010-12-7 61008]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-12-7 40384]
R2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);C:\Program Files (x86)\DAODB\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-5-27 29262680]
R2 qmpehsoe;TeamViewer;C:\Windows\system32\svchost.exe -k netsvcs [2009-7-13 27136]
R2 SpyHunter 4 Service;SpyHunter 4 Service;C:\PROGRA~2\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [2010-5-18 327064]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2010-10-27 8012288]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-10-27 287232]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2010-10-22 116240]
R3 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-12-7 40384]
R3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-12-7 40384]
R3 MBfilt;MBfilt;C:\Windows\System32\drivers\MBfilt64.sys [2009-12-16 25600]
R3 rt61x64;Linksys Wireless-G PCI Adapter Driver;C:\Windows\System32\drivers\WMP54Gv41x64.sys [2010-4-7 446304]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-6-23 344680]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Games\Dragon Age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 esgiguard;esgiguard;C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [2010-1-27 5248]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\System32\drivers\MpNWMon.sys [2010-3-25 40832]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2009-10-16 50176]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-4-6 1255736]

=============== Created Last 30 ================

2010-12-10 05:52:19 8199504 ----a-w- C:\PROGRA~3\Microsoft\Microsoft Antimalware\Definition Updates\{A5C5F889-BAF1-4B3B-AA62-E2EC0A0F3050}\mpengine.dll
2010-12-08 04:09:34 61008 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2010-12-08 04:09:21 38848 ----a-w- C:\Windows\avastSS.scr
2010-12-08 04:09:16 -------- d-----w- C:\PROGRA~3\Alwil Software
2010-12-08 03:59:34 12872 ----a-w- C:\Windows\System32\bootdelete.exe
2010-12-08 03:54:26 19528 ----a-w- C:\Windows\System32\drivers\hitmanpro35.sys
2010-12-08 03:54:24 -------- d-----w- C:\Program Files\Hitman Pro 3.5
2010-12-08 03:54:05 -------- d-----w- C:\PROGRA~3\Hitman Pro
2010-12-02 05:06:13 -------- d-----w- C:\Users\MAXHEN~1\AppData\Roaming\SUPERAntiSpyware.com
2010-12-02 05:06:13 -------- d-----w- C:\PROGRA~3\SUPERAntiSpyware.com
2010-12-02 05:05:41 -------- d-----w- C:\PROGRA~3\!SASCORE
2010-12-02 05:05:39 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-12-02 04:39:50 110080 ----a-r- C:\Users\MAXHEN~1\AppData\Roaming\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconF7A21AF7.exe
2010-12-02 04:39:50 110080 ----a-r- C:\Users\MAXHEN~1\AppData\Roaming\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconD7F16134.exe
2010-12-02 04:39:49 -------- d-----w- C:\sh4ldr
2010-12-02 04:39:49 -------- d-----w- C:\Program Files (x86)\Enigma Software Group
2010-12-02 04:39:01 -------- d-----w- C:\Windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-12-02 03:59:42 -------- d-----w- C:\Windows\3636C9237AD64DE3978A09609AEE8ECF.TMP
2010-11-28 00:06:43 -------- d-----w- C:\Users\MAXHEN~1\AppData\Local\Gas Powered Games
2010-11-24 02:41:02 189520 ----a-w- C:\Windows\SysWow64\drivers\tmcomm.sys
2010-11-24 00:17:22 7680 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2010-11-24 00:17:22 7680 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
2010-11-21 06:35:53 8199504 ----a-w- C:\PROGRA~3\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-20 16:32:19 -------- d-----w- C:\Program Files (x86)\Microsoft Antimalware
2010-11-20 16:32:17 -------- d-----w- C:\Program Files\Microsoft Security Essentials
2010-11-20 16:30:53 -------- d-----w- C:\Program Files\Microsoft IntelliPoint
2010-11-20 09:12:58 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{09B3FBE1-3CC5-422D-A78C-8D3B887936B5}\mpengine.dll
2010-11-16 21:52:54 -------- d-----w- C:\PROGRA~3\mHnMm02097
2010-11-16 21:52:43 0 ----a-w- C:\Windows\SysWow64\lsp92FC.tmp
2010-11-10 21:29:41 -------- d-----w- C:\Users\MAXHEN~1\AppData\Local\LucasArts

==================== Find3M ====================

2010-11-29 22:42:06 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-10-27 09:00:16 8012288 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2010-10-27 08:25:38 21422592 ----a-w- C:\Windows\System32\atio6axx.dll
2010-10-27 08:08:18 16281600 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2010-10-27 07:55:32 143360 ----a-w- C:\Windows\System32\atiapfxx.exe
2010-10-27 07:55:24 547328 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2010-10-27 07:54:24 645120 ----a-w- C:\Windows\System32\aticfx64.dll
2010-10-27 07:52:18 450560 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2010-10-27 07:52:14 478208 ----a-w- C:\Windows\System32\atieclxx.exe
2010-10-27 07:51:38 203776 ----a-w- C:\Windows\System32\atiesrxx.exe
2010-10-27 07:50:30 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2010-10-27 07:50:16 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2010-10-27 07:50:10 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2010-10-27 07:49:58 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2010-10-27 07:49:54 16384 ----a-w- C:\Windows\System32\atimuixx.dll
2010-10-27 07:49:50 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2010-10-27 07:49:46 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2010-10-27 07:46:58 4020736 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2010-10-27 07:38:04 4744704 ----a-w- C:\Windows\System32\atidxx64.dll
2010-10-27 07:35:30 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2010-10-27 07:35:28 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2010-10-27 07:35:20 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2010-10-27 07:35:18 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2010-10-27 07:35:08 6815744 ----a-w- C:\Windows\System32\aticaldd64.dll
2010-10-27 07:33:52 5441536 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2010-10-27 07:28:22 4094464 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2010-10-27 07:22:04 5218304 ----a-w- C:\Windows\System32\atiumd64.dll
2010-10-27 07:15:00 58880 ----a-w- C:\Windows\System32\coinst.dll
2010-10-27 07:14:58 349184 ----a-w- C:\Windows\System32\atiadlxx.dll
2010-10-27 07:14:52 249856 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2010-10-27 07:14:44 14848 ----a-w- C:\Windows\System32\atig6pxx.dll
2010-10-27 07:14:42 12800 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2010-10-27 07:14:42 12800 ----a-w- C:\Windows\System32\atiglpxx.dll
2010-10-27 07:14:38 31744 ----a-w- C:\Windows\System32\atig6txx.dll
2010-10-27 07:14:32 27136 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2010-10-27 07:14:24 287232 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2010-10-27 07:13:44 39936 ----a-w- C:\Windows\System32\atiuxp64.dll
2010-10-27 07:13:36 30720 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2010-10-27 07:13:30 37888 ----a-w- C:\Windows\System32\atiu9p64.dll
2010-10-27 07:13:24 28672 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2010-10-27 07:12:56 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2010-10-27 06:57:04 3221504 ----a-w- C:\Windows\System32\atiumd6a.dll
2010-10-27 06:50:10 3460096 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2010-10-27 06:37:18 53760 ----a-w- C:\Windows\System32\atimpc64.dll
2010-10-27 06:37:18 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
2010-10-27 06:37:14 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2010-10-27 06:37:14 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2010-10-22 21:42:47 332800 ----a-w- C:\Windows\System32\ATIODE.exe
2010-10-22 21:41:53 116240 ----a-w- C:\Windows\System32\drivers\AtihdW76.sys
2010-10-22 21:41:28 51200 ----a-w- C:\Windows\System32\ATIODCLI.exe
2010-10-19 20:51:33 270720 ------w- C:\Windows\System32\MpSigStub.exe
2010-10-15 21:33:37 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-10-14 06:36:52 15451288 ----a-w- C:\Windows\SysWow64\xlive.dll
2010-10-14 06:36:50 13642904 ----a-w- C:\Windows\SysWow64\xlivefnt.dll

============= FINISH: 11:39:32.21 ===============
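A triage pass over DDS lines like the ones in the log above, added here as an example; it is not the DDS tool's own code and nothing from this thread. It parses the service/driver, policy and start-page lines and surfaces what a helper reads first: svchost-hosted services (DDS prints only the host process, not the ServiceDll), UAC policies set to 0, and the configured start page. The sample lines are copied from the posted log; the `Finding` type and the regexes are this example's own.

```python
"""Triage pass over DDS log lines (added example; not DDS's own code or from the thread)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a few lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.daemon-search.com/startpage
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2010-12-7 121936]
R2 qmpehsoe;TeamViewer;C:\Windows\system32\svchost.exe -k netsvcs [2009-7-13 27136]
R2 SpyHunter 4 Service;SpyHunter 4 Service;C:\PROGRA~2\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [2010-5-18 327064]
S3 esgiguard;esgiguard;C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [2010-1-27 5248]
"""

# DDS service/driver line: "<R|S><start type> <name>;<display name>;<image [args]> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s*=\s*(\d+)")
STARTPAGE_RE = re.compile(r"^uStart Page\s*=\s*(\S+)")
# First path component that names a binary; everything after it is arguments.
BINARY_RE = re.compile(r"([^\\]+?\.(?:exe|sys|dll))", re.IGNORECASE)

# Policy values that weaken User Account Control and what each one means.
WEAK_UAC = {
    "EnableLUA": ("0", "UAC is switched off entirely"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": ("0", "elevation prompts are not shown on the secure desktop"),
}


@dataclass
class Finding:
    kind: str
    detail: str


def parse_service(line: str) -> Optional[dict]:
    """Split one DDS service/driver line into its fields, or return None if it is not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, name, display, image, stamp = m.groups()
    b = BINARY_RE.search(image)
    exe = b.group(1) if b else ""
    args = image[b.end():].strip() if b else ""
    return {"state": state, "name": name, "display": display, "image": image,
            "exe": exe, "args": args, "stamp": stamp}


def triage(text: str) -> list:
    """Return the entries a helper would look at first when reading a DDS log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = STARTPAGE_RE.match(line)
        if m:
            findings.append(Finding("start-page",
                f"IE start page is {m.group(1)}; confirm the user chose it"))
            continue
        m = POLICY_RE.match(line)
        if m:
            key, value = m.groups()
            if key in WEAK_UAC and value == WEAK_UAC[key][0]:
                findings.append(Finding("uac", f"{key} = {value}: {WEAK_UAC[key][1]}"))
            continue
        svc = parse_service(line)
        if svc and svc["exe"].lower() == "svchost.exe":
            # DDS prints only the svchost host process; the real code is the ServiceDll
            # named under the service's Parameters key, which DDS does not show.
            findings.append(Finding("svchost-hosted",
                f"service '{svc['name']}' (display name '{svc['display']}') runs as "
                f"svchost {svc['args']}; inspect HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
                f"{svc['name']}\\Parameters\\ServiceDll and the DLL it names"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.kind}] {f.detail}")
```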


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:10 PM

Posted 18 December 2010 - 06:00 AM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Regards,
Georgi :hello:



#3 Max Hennings

Max Hennings
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 20 December 2010 - 05:56 PM

Hi Georgi,

I'm glad someone was able to reply to my post; I was starting to get a little worried. Unfortunately, when I posted my problem I had hoped I would be able to get a reply before I left my university for home during winter break. Now I am away from my infected desktop until the 5th of January. Is there any way that I could save my place in line and get back to you on Jan 5th? In my original post I followed all the pre-post directions, including producing a DDS log and the other attached log. I also used your tool to disable my CD emulation. While you asked me to produce a GMER log, I am fairly certain you cannot do this on 64-bit Windows. However, if I am wrong please provide instructions on how to do so and I will once I am back at my desktop.

Thanks again for your help and I hope you have a happy holiday season.

-Max

#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:10 PM

Posted 20 December 2010 - 06:47 PM

Hi Max,


Thanks for letting us know. :)
There are no problems. The topic will remain open as long as needed.
I'll keep an eye on it.


Happy Holiday too. :cold:


Regards,
Georgi :hello:



#5 Max Hennings

Max Hennings
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 05 January 2011 - 12:21 AM

Hi,

Just wanted to let you know that I am back and ready to fix this issue. Let me know what steps you need me to take.

Thanks,

-Max

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:10 AM

Posted 05 January 2011 - 09:27 AM

Hi

Please run the following program:

  • Download OTL and save it to your desktop.
  • Double click on the OTL icon to run it.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Max Hennings

Max Hennings
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 05 January 2011 - 12:20 PM

Here are the OTL.txt results:

OTL logfile created on: 1/5/2011 12:15:00 PM - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Users\Max Hennings\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 66.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 596.16 Gb Total Space | 318.42 Gb Free Space | 53.41% Space Free | Partition Type: NTFS
Drive D: | 698.64 Gb Total Space | 495.32 Gb Free Space | 70.90% Space Free | Partition Type: NTFS
Drive E: | 6.28 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: BLACKICE | User Name: Max Hennings | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/05 12:09:50 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Max Hennings\Desktop\OTL.exe
PRC - [2010/12/31 15:06:35 | 003,395,600 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/12/31 15:06:34 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/12/02 00:01:03 | 000,069,632 | ---- | M] () -- C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
PRC - [2010/11/16 16:36:26 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Steam\Steam.exe
PRC - [2010/05/18 17:06:42 | 000,327,064 | ---- | M] (Enigma Software Group USA, LLC.) -- C:\Program Files (x86)\Enigma Software Group\SpyHunter\SH4Service.exe
PRC - [2010/04/16 10:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2009/05/27 05:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\DAODB\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2007/02/09 15:17:30 | 000,694,008 | ---- | M] () -- C:\Program Files (x86)\Portrait Displays\Pivot Software\Floater.exe
PRC - [2007/02/09 15:17:26 | 000,694,008 | ---- | M] () -- C:\Program Files (x86)\Portrait Displays\Pivot Software\wpCtrl.exe


========== Modules (SafeList) ==========

MOD - [2011/01/05 12:09:50 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Max Hennings\Desktop\OTL.exe
MOD - [2010/08/21 00:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll
MOD - [2007/02/09 15:16:08 | 000,245,760 | ---- | M] () -- C:\Program Files (x86)\Portrait Displays\Pivot Software\Winphook.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/12/31 15:06:34 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV:64bit: - [2010/12/31 15:06:34 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV:64bit: - [2010/12/31 15:06:34 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2010/10/27 02:51:38 | 000,203,776 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2010/06/29 12:49:27 | 000,128,752 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2010/03/25 23:48:42 | 000,017,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2010/03/24 01:59:44 | 000,033,280 | ---- | M] () [Auto | Running] -- C:\Windows\SysNative\qmpehsoe.dll -- (qmpehsoe)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2010/12/02 00:01:03 | 000,069,632 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe -- (DTSRVC)
SRV - [2010/05/18 17:06:42 | 000,327,064 | ---- | M] (Enigma Software Group USA, LLC.) [Auto | Running] -- C:\Program Files (x86)\Enigma Software Group\SpyHunter\SH4Service.exe -- (SpyHunter 4 Service)
SRV - [2010/04/16 10:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/18 15:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/12/15 15:07:16 | 000,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- C:\Games\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009/07/16 19:04:16 | 000,316,664 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/05/27 05:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\DAODB\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$BWDATOOLSET) SQL Server (BWDATOOLSET)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/10/27 04:00:16 | 008,012,288 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2010/10/27 04:00:16 | 008,012,288 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2010/10/27 02:14:24 | 000,287,232 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2010/10/22 16:41:53 | 000,116,240 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2010/09/07 10:47:33 | 000,061,008 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2010/07/21 16:59:28 | 000,045,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)
DRV:64bit: - [2010/06/23 09:10:56 | 000,344,680 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2010/06/05 02:34:10 | 000,082,816 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\pcouffin.sys -- (pcouffin)
DRV:64bit: - [2010/05/05 19:43:06 | 000,314,016 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\atksgt.sys -- (atksgt)
DRV:64bit: - [2010/05/05 19:43:05 | 000,043,680 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\lirsgt.sys -- (lirsgt)
DRV:64bit: - [2010/04/07 14:14:50 | 000,446,304 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\WMP54Gv41x64.sys -- (rt61x64)
DRV:64bit: - [2010/02/26 19:27:50 | 000,834,544 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2010/02/17 13:23:05 | 000,014,920 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2010/02/17 13:23:05 | 000,012,360 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2009/12/16 13:35:29 | 000,109,480 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\jraid.sys -- (JRAID)
DRV:64bit: - [2009/10/17 09:25:54 | 000,022,016 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dc3d.sys -- (dc3d) MS Hardware Device Detection Driver (HID)
DRV:64bit: - [2009/10/16 04:33:06 | 000,050,176 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2009/09/30 09:34:30 | 000,121,872 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/06/01 21:22:26 | 000,025,600 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\MBfilt64.sys -- (MBfilt)
DRV:64bit: - [2009/05/18 17:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/05/09 04:14:20 | 000,015,752 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nuidfltr.sys -- (NuidFltr)
DRV:64bit: - [2006/11/16 20:26:44 | 000,019,248 | ---- | M] (Portrait Displays, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\pdiports.sys -- (PdiPorts)
DRV - [2010/01/27 18:10:44 | 000,005,248 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7B B6 01 37 74 AB CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/12/11 16:47:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/12/11 16:47:35 | 000,000,000 | ---D | M]

[2010/10/29 19:03:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Max Hennings\AppData\Roaming\Mozilla\Extensions
[2010/10/29 19:03:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Max Hennings\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/09/08 13:08:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Max Hennings\AppData\Roaming\Mozilla\Firefox\Profiles\jeby41nk.default\extensions
[2011/01/05 12:09:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/06/01 12:45:25 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2011/01/05 00:25:25 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/11/19 16:13:11 | 000,001,919 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\bing-zugo.xml

O1 HOSTS File: ([2010/12/08 22:52:12 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4:64bit: - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Launch LCDMon] C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe File not found
O4:64bit: - HKLM..\Run: [Launch LGDCore] C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe (Logitech Inc.)
O4:64bit: - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [ATICustomerCare] c:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [DT HSP] C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe ()
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [PivotSoftware] C:\Program Files (x86)\Portrait Displays\Pivot Software\wpctrl.exe ()
O4 - HKLM..\Run: [StartCCC] c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [EA Core] C:\Program Files (x86)\Electronic Arts\EADM\Core.exe File not found
O4 - HKCU..\Run: [Steam] c:\program files (x86)\steam\steam.exe (Valve Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\SysWow64\GPhotos.scr (Google Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - Reg Error: Key error. File not found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18:64bit: - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/12/15 20:48:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/08/23 20:51:10 | 000,000,044 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{12fe9833-1bf0-11df-ac46-4061862e3abb}\Shell - "" = AutoRun
O33 - MountPoints2\{12fe9833-1bf0-11df-ac46-4061862e3abb}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{2a01841d-2337-11df-a69a-4061862e3abb}\Shell - "" = AutoRun
O33 - MountPoints2\{2a01841d-2337-11df-a69a-4061862e3abb}\Shell\AutoRun\command - "" = F:\Razor1911_Installer.exe -- File not found
O33 - MountPoints2\{a8d3e1ce-ea7c-11de-a78a-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{a8d3e1ce-ea7c-11de-a78a-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Setup.exe -- [2010/08/23 20:51:12 | 000,345,896 | R--- | M] (Valve Corporation)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/05 12:09:43 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Max Hennings\Desktop\OTL.exe
[2011/01/05 00:25:24 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2011/01/05 00:25:24 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2011/01/05 00:25:24 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2010/12/15 05:13:48 | 001,169,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\taskschd.dll
[2010/12/15 05:13:48 | 000,524,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wmicmiplugin.dll
[2010/12/15 05:13:48 | 000,496,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\taskschd.dll
[2010/12/15 05:13:48 | 000,473,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\taskcomp.dll
[2010/12/15 05:13:48 | 000,464,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\taskeng.exe
[2010/12/15 05:13:48 | 000,305,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\taskcomp.dll
[2010/12/15 05:13:48 | 000,285,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\schtasks.exe
[2010/12/15 05:13:48 | 000,179,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\schtasks.exe
[2010/12/15 05:13:47 | 000,367,104 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll
[2010/12/15 05:13:47 | 000,294,400 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll
[2010/12/15 05:13:47 | 000,046,080 | ---- | C] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll
[2010/12/15 05:13:47 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll
[2010/12/15 05:13:45 | 000,395,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\webio.dll
[2010/12/15 05:13:45 | 000,314,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\webio.dll
[2010/12/15 05:13:43 | 000,112,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\consent.exe
[2010/12/15 05:13:37 | 000,703,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2010/12/15 05:13:36 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeeds.dll
[2010/12/15 05:13:36 | 000,482,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\html.iec
[2010/12/15 05:13:36 | 000,386,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\html.iec
[2010/12/15 05:13:36 | 000,256,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll
[2010/12/15 05:13:36 | 000,247,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2010/12/15 05:13:36 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll
[2010/12/15 05:13:36 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2010/12/15 05:13:36 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2010/12/15 05:13:36 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2010/12/15 05:13:36 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\licmgr10.dll
[2010/12/15 05:13:36 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\licmgr10.dll
[2010/12/15 05:13:36 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe
[2010/12/15 05:13:36 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedssync.exe
[2010/12/07 23:09:44 | 000,121,936 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2010/12/07 23:09:44 | 000,020,048 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2010/12/07 23:09:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2010/12/07 23:09:42 | 000,028,752 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr.sys
[2010/12/07 23:09:40 | 000,051,280 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2010/12/07 23:09:34 | 000,061,008 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2010/12/07 23:09:21 | 000,188,216 | ---- | C] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2010/12/07 23:09:21 | 000,038,848 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2010/12/07 23:09:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Alwil Software
[2010/12/07 23:09:16 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/12/07 22:59:34 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\SysNative\bootdelete.exe
[2010/12/07 22:54:24 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/12/07 22:54:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2010/06/05 02:34:10 | 000,082,816 | ---- | C] (VSO Software) -- C:\Users\Max Hennings\AppData\Roaming\pcouffin.sys
[2008/04/28 07:36:08 | 011,768,648 | ---- | C] (Macrovision Corporation) -- C:\Users\Max Hennings\AppData\Local\FC9106US.exe
[3 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/05 12:12:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/01/05 12:12:02 | 3213,451,264 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/05 12:11:20 | 000,013,440 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/01/05 12:11:20 | 000,013,440 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/01/05 12:11:09 | 000,000,188 | ---- | M] () -- C:\Users\Max Hennings\defogger_reenable
[2011/01/05 12:09:50 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Max Hennings\Desktop\OTL.exe
[2010/12/31 15:06:36 | 000,038,848 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2010/12/31 15:06:33 | 000,188,216 | ---- | M] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2010/12/15 15:20:32 | 000,288,120 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/12/13 23:11:15 | 000,054,784 | ---- | M] () -- C:\Users\Max Hennings\Documents\Hormone Take-Home 2.doc
[2010/12/12 16:03:06 | 015,111,680 | ---- | M] () -- C:\Users\Max Hennings\Documents\465 clocks fall 2010.ppt
[2010/12/11 13:27:51 | 000,794,468 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/12/11 13:27:51 | 000,672,218 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/12/11 13:27:51 | 000,124,486 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/12/10 11:34:49 | 000,624,128 | ---- | M] () -- C:\Users\Max Hennings\Desktop\dds.scr
[2010/12/08 20:25:19 | 000,019,528 | ---- | M] () -- C:\Windows\SysNative\drivers\hitmanpro35.sys
[2010/12/07 23:09:34 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2010/12/07 22:59:34 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\SysNative\bootdelete.exe
[3 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/05 12:11:09 | 000,000,188 | ---- | C] () -- C:\Users\Max Hennings\defogger_reenable
[2010/12/12 16:03:06 | 015,111,680 | ---- | C] () -- C:\Users\Max Hennings\Documents\465 clocks fall 2010.ppt
[2010/12/11 13:28:30 | 000,054,784 | ---- | C] () -- C:\Users\Max Hennings\Documents\Hormone Take-Home 2.doc
[2010/12/10 11:34:40 | 000,624,128 | ---- | C] () -- C:\Users\Max Hennings\Desktop\dds.scr
[2010/12/07 23:09:34 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
[2010/12/07 22:54:26 | 000,019,528 | ---- | C] () -- C:\Windows\SysNative\drivers\hitmanpro35.sys
[2010/11/23 21:39:55 | 000,000,036 | ---- | C] () -- C:\Users\Max Hennings\AppData\Local\housecall.guid.cache
[2010/11/16 16:49:21 | 000,000,731 | ---- | C] () -- C:\ProgramData\.wtav
[2010/10/14 01:36:44 | 000,179,263 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2010/09/26 11:44:04 | 006,581,215 | ---- | C] () -- C:\Users\Max Hennings\AppData\Roaming\Rihanna - Only Girl (In The World) 2010.zip
[2010/09/23 17:38:41 | 000,004,608 | ---- | C] () -- C:\Users\Max Hennings\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/27 10:31:27 | 000,002,528 | ---- | C] () -- C:\Windows\FCIC.INI
[2010/06/27 13:17:17 | 000,000,032 | ---- | C] () -- C:\Windows\d2_lod.INI
[2010/06/25 12:05:45 | 000,000,229 | ---- | C] () -- C:\Windows\RomeTW.ini
[2010/06/05 02:34:29 | 000,000,034 | ---- | C] () -- C:\Users\Max Hennings\AppData\Roaming\pcouffin.log
[2010/06/05 02:34:10 | 000,099,384 | ---- | C] () -- C:\Users\Max Hennings\AppData\Roaming\inst.exe
[2010/06/05 02:34:10 | 000,007,859 | ---- | C] () -- C:\Users\Max Hennings\AppData\Roaming\pcouffin.cat
[2010/06/05 02:34:10 | 000,001,167 | ---- | C] () -- C:\Users\Max Hennings\AppData\Roaming\pcouffin.inf
[2010/05/19 06:18:04 | 000,016,384 | ---- | C] () -- C:\Users\Max Hennings\AppData\Roaming\Windowz.exe
[2010/05/04 21:07:31 | 000,030,305 | ---- | C] () -- C:\Users\Max Hennings\AppData\Roaming\CompatAdmin.log
[2010/04/23 02:19:11 | 000,000,023 | ---- | C] () -- C:\Windows\BlendSettings.ini
[2010/04/15 15:08:25 | 000,730,638 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/02/09 19:14:51 | 000,000,262 | ---- | C] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2009/12/16 01:01:11 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/12/15 23:24:04 | 000,002,304 | ---- | C] () -- C:\Windows\SysWow64\Machnm32.sys
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2008/10/07 11:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008/10/07 11:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2007/06/12 10:25:54 | 000,000,920 | ---- | C] () -- C:\Windows\SysWow64\WLAN.INI

========== LOP Check ==========

[2010/09/26 19:03:45 | 000,000,000 | ---D | M] -- C:\Users\Max Hennings\AppData\Roaming\Audacity
[2010/05/03 22:07:57 | 000,000,000 | ---D | M] -- C:\Users\Max Hennings\AppData\Roaming\Bioshock2
[2010/12/04 11:52:55 | 000,000,000 | ---D | M] -- C:\Users\Max Hennings\AppData\Roaming\BitTorrent
[2010/02/27 21:31:30 | 000,000,000 | ---D | M] -- C:\Users\Max Hennings\AppData\Roaming\DAEMON Tools Lite
[2009/12/15 23:26:14 | 000,000,000 | ---D | M] -- C:\Users\Max Hennings\AppData\Roaming\DisplayTune
[2010/04/15 15:11:21 | 000,000,000 | ---D | M] -- C:\Users\Max Hennings\AppData\Roaming\Dragon Age Toolset
[2010/08/10 16:32:41 | 000,000,000 | ---D | M] -- C:\Users\Max Hennings\AppData\Roaming\PlayFirst
[2010/05/25 20:02:45 | 000,000,000 | ---D | M] -- C:\Users\Max Hennings\AppData\Roaming\runic games
[2010/04/28 19:02:00 | 000,000,000 | ---D | M] -- C:\Users\Max Hennings\AppData\Roaming\Smart PDF Creator
[2010/04/28 19:09:10 | 000,000,000 | ---D | M] -- C:\Users\Max Hennings\AppData\Roaming\Softland
[2010/10/29 19:03:31 | 000,000,000 | ---D | M] -- C:\Users\Max Hennings\AppData\Roaming\Thunderbird
[2010/06/05 02:34:29 | 000,000,000 | ---D | M] -- C:\Users\Max Hennings\AppData\Roaming\Vso
[2010/11/09 14:02:39 | 000,032,610 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2010/06/23 09:10:09 | 000,033,280 | ---- | C] ()(C:\Windows\SysNative\?mpehsoe.dll) -- C:\Windows\SysNative\аmpehsoe.dll
[2010/03/24 01:59:44 | 000,033,280 | ---- | M] ()(C:\Windows\SysNative\?mpehsoe.dll) -- C:\Windows\SysNative\аmpehsoe.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:ED9B661E
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:22741C1F
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:91486201

< End of report >

And here are the Extras.txt results:

OTL Extras logfile created on: 1/5/2011 12:15:00 PM - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Users\Max Hennings\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 66.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 596.16 Gb Total Space | 318.42 Gb Free Space | 53.41% Space Free | Partition Type: NTFS
Drive D: | 698.64 Gb Total Space | 495.32 Gb Free Space | 70.90% Space Free | Partition Type: NTFS
Drive E: | 6.28 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: BLACKICE | User Name: Max Hennings | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\System32\ieframe.DLL (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\Windows\System32\ieframe.DLL (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htafile [open] -- "%1" %* File not found
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htafile [open] -- "%1" %*
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallOverride" = 1
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 1
"FirewallOverride" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{404BB1FF-A84F-432F-B77B-301E88E8D1C7}" = Apple Mobile Device Support
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{503640E5-B2ED-3173-D109-D4D03153471A}" = AMD Drag and Drop Transcoding
"{563F041C-DFDB-437B-A1E8-E141E0906076}" = Microsoft IntelliPoint 8.0
"{59427B1F-852F-4AF1-8215-E5B12F966D89}" = Logitech G11 Keyboard Software 1.03
"{79BF7CB8-1E09-489F-9547-DB3EE8EA3F16}" = Microsoft SQL Server Native Client
"{86177DAE-38B1-49DD-912E-35CB703AB779}" = Microsoft SQL Server VSS Writer
"{8DF9D3DF-6D03-A04F-217F-F2577D973DBE}" = ATI Catalyst Install Manager
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95C9C76F-ECF3-40FA-94F8-5DDFB6BAF40D}" = Microsoft Security Essentials
"{96D5EB02-DE18-4DCD-A713-929B4461CA8D}" = iTunes
"{9B48B0AC-C813-4174-9042-476A887592C7}" = Windows Live ID Sign-in Assistant
"{AE0D971F-5430-8874-B09E-3F1C76E2F8FF}" = WMV9/VC-1 Video Playback
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{C19D4D8F-4433-4F6D-9F0C-79589FD0B973}" = Bonjour
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D29E5E5F-47CA-087E-DCBF-FB75171D5B2E}" = ccc-utility64
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}" = Ventrilo Client for Windows x64
"{F00A3A54-C293-8F64-7C6D-9A4C09106FD8}" = Antivirus 2010
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"CANONIJINBOXADDON100" = Canon Inkjet Printer Driver Add-On Module
"doPDF 7 printer_is1" = doPDF 7.1 printer
"HitmanPro35" = Hitman Pro 3.5
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Essentials" = Microsoft Security Essentials
"WinRAR archiver" = WinRAR archiver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0217E1D1-BCEF-4A61-AF6D-F7740F65A066}" = Pivot Software
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0DEA342C-15CB-4F52-97B6-06A9C4B9C06F}" = SDK
"{11083C7A-D0D6-4DA4-8C3A-74B8389EC07B}" = ATI Catalyst Registration
"{135F49F2-9071-F45A-4263-DF7D42FBF7DD}" = CCC Help English
"{155F4A0E-76ED-45A2-91FB-FF2A2133C31A}" = Risen
"{16D919E6-F019-4E15-BFBE-4A85EF19DA57}" = Oblivion - Spell Tomes
"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F61E0B1-1AB8-F15E-07C4-46D100A1D3F7}" = Borderlands
"{1FDA5A37-B22D-43FF-B582-B8964050DC13}" = Microsoft Games for Windows - LIVE Redistributable
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 23
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (BWDATOOLSET)
"{2B653229-9854-4989-B780-D978F5F13EAB}" = FEAR
"{2F2E3D62-8B8C-448F-8900-451325E50948}" = Oblivion - Wizard's Tower
"{2FDBBCEA-62DB-45F4-B6E5-0E1FB2A1F29D}" = Visual C++ 8.0 Runtime Setup Package (x64)
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMicron JMB36X Driver
"{3ABEBD00-299D-4DCA-967F-B912163AB5EA}" = Oblivion - Horse Armor Pack
"{3B11D799-48E0-48ED-BFD7-EA655676D8BB}" = Dragon Age Toolset
"{3F66C4BF-4BD9-FF9C-FA9F-4579F60A33B3}" = Catalyst Control Center Graphics Previews Vista
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A8B461A-9336-4CF9-98F4-14DD38E673F0}" = BioShock 2
"{4DDC3BED-CC68-44AA-B435-D727B620CA5B}" = Linksys Wireless-G PCI Adapter Driver - WMP54Gv4.1
"{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}" = SpyHunter
"{520F4B09-3A51-47A2-82B0-9FF1DC2D20FA}" = Oblivion - Vile Lair
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5B35C417-2649-11D6-83D1-0050FC01225C}" = FirstClass® Client
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C1804BC-094F-431A-BEA5-37A837958029}" = Rome - Total War - Alexander
"{6EB1C49D-71C7-40E3-A365-EF713EDA997A}" = X-TUNE
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75D84EF7-0D8C-4e70-B3FA-7B42A5D4E0EB}" = Mass Effect 2
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{86A4C6D9-29EE-4719-AFA1-BA3341862B83}" = Microsoft Games for Windows - LIVE
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{910F4A29-1134-49E0-AD8B-56E4A3152BD1}" = The Sims™ 3 Ambitions
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A0A20753-92DF-4631-82B4-9CACE2FCED6A}" = Oblivion - The Fighter's Stronghold
"{A642BB6B-CA1D-4142-8DD4-318C3F3DC834}" = Rome - Total War™
"{A914AE85-1A36-0575-714C-BF996BDA20C7}" = ccc-core-static
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AE249BA3-2421-3996-5E9A-DF4A9F3551FC}" = Catalyst Control Center InstallProxy
"{AEC81925-9C76-4707-84A9-40696C613ED3}" = Dragon Age: Origins
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{BA26FFA5-6D47-47DB-BE56-34C357B5F8CC}" = The Sims™ 3 World Adventures
"{BBB3F622-D848-4CDA-B282-CC53627432F0}" = Microsoft Application Compatibility Toolkit 5.5
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{DB8B49A9-7CF1-34DB-6DF2-1EC41C0FE5E1}" = Catalyst Control Center Graphics Previews Common
"{DDA34038-89BD-4804-B0B8-DC48D5DFB463}" = Catalyst Control Center - Branding
"{E17141A6-211D-5854-61D9-69827A430D82}" = EA Download Manager UI
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{EC425CFC-EE78-4A91-AA25-3BFA65B75364}" = Oblivion - Orrery
"{EF295F5C-7B57-47AA-8889-6B3E8E214E89}" = Oblivion - Mehrunes Razor
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FAB1F336-1B7C-4057-A7BC-2922CD82A781}" = Ralink RT6x Wireless LAN Card
"{FD69C8CB-6964-432C-98AB-A5A09ED50EEA}" = Barbarian Invasion
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"{FFFFFD17-B460-41EB-93F1-C48ABAD63828}" = Oblivion - Thieves Den
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"avast5" = avast! Free Antivirus
"Axis and Allies" = Axis and Allies
"Axis and Allies Starter Pack v4.3" = Axis and Allies Starter Pack v4.3
"BitTorrent" = BitTorrent
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"com.ea.Vault.919CACB699904AC5D41B606703500DD39747C02D.1" = EA Download Manager UI
"Diablo II" = Diablo II
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDFab 7_is1" = DVDFab 7.0.6.7 (30/05/2010)
"EA Download Manager" = EA Download Manager
"Fallout 2 Restoration Project_is1" = FO2 Expansion Pack 1.2
"Fallout2" = Fallout2
"InstallShield_{A642BB6B-CA1D-4142-8DD4-318C3F3DC834}" = Rome - Total War™
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"Peggle" = Peggle (remove only)
"Picasa 3" = Picasa 3
"Runic Games Torchlight" = Torchlight
"Star Wars: The Force Unleashed 2_is1" = Star Wars: The Force Unleashed 2
"Steam App 22380" = Fallout: New Vegas
"Steam App 440" = Team Fortress 2
"Steam App 550" = Left 4 Dead 2
"System Tool2011" = System Tool2011
"Unofficial Oblivion Patch_is1" = Unofficial Oblivion Patch v3.2.0
"Unofficial Shivering Isles Patch_is1" = Unofficial Shivering Isles Patch v1.4.0
"Visual Color Picker_is1" = Visual Color Picker 2.6
"VLC media player" = VLC media player 1.0.5
"World of Warcraft" = World of Warcraft

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/12/2010 1:51:19 PM | Computer Name = BlackIce | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 999

Error - 12/12/2010 1:51:20 PM | Computer Name = BlackIce | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 12/12/2010 1:51:20 PM | Computer Name = BlackIce | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 2013

Error - 12/12/2010 1:51:20 PM | Computer Name = BlackIce | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2013

Error - 12/12/2010 4:26:33 PM | Computer Name = BlackIce | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 12/12/2010 4:26:33 PM | Computer Name = BlackIce | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 999

Error - 12/12/2010 4:26:33 PM | Computer Name = BlackIce | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 999

Error - 12/12/2010 11:01:12 PM | Computer Name = BlackIce | Source = Application Error | ID = 1000
Description = Faulting application name: FalloutNV.exe, version: 1.2.0.285, time
stamp: 0x4cd9d70b Faulting module name: FalloutNV.exe, version: 1.2.0.285, time
stamp: 0x4cd9d70b Exception code: 0xc0000005 Fault offset: 0x001dfc64 Faulting process
id: 0x122c Faulting application start time: 0x01cb9a617939f382 Faulting application
path: c:\program files (x86)\steam\steamapps\common\fallout new vegas\FalloutNV.exe
Faulting
module path: c:\program files (x86)\steam\steamapps\common\fallout new vegas\FalloutNV.exe
Report
Id: 3d5f86ee-0665-11e0-a7bd-4061862e3abb

Error - 12/16/2010 4:13:59 PM | Computer Name = BlackIce | Source = Application Error | ID = 1000
Description = Faulting application name: FalloutNV.exe, version: 1.2.0.314, time
stamp: 0x4cfdf842 Faulting module name: FalloutNV.exe, version: 1.2.0.314, time
stamp: 0x4cfdf842 Exception code: 0xc0000005 Fault offset: 0x001667ac Faulting process
id: 0x12c8 Faulting application start time: 0x01cb9d562615d854 Faulting application
path: c:\program files (x86)\steam\steamapps\common\fallout new vegas\FalloutNV.exe
Faulting
module path: c:\program files (x86)\steam\steamapps\common\fallout new vegas\FalloutNV.exe
Report
Id: 03b278b3-0951-11e0-aee7-4061862e3abb

Error - 12/19/2010 3:30:04 PM | Computer Name = BlackIce | Source = Application Error | ID = 1000
Description = Faulting application name: FalloutNV.exe, version: 1.2.0.314, time
stamp: 0x4cfdf842 Faulting module name: FalloutNV.exe, version: 1.2.0.314, time
stamp: 0x4cfdf842 Exception code: 0xc0000005 Fault offset: 0x001df674 Faulting process
id: 0xb50 Faulting application start time: 0x01cb9fae29243265 Faulting application
path: c:\program files (x86)\steam\steamapps\common\fallout new vegas\FalloutNV.exe
Faulting
module path: c:\program files (x86)\steam\steamapps\common\fallout new vegas\FalloutNV.exe
Report
Id: 60bb0fed-0ba6-11e0-9c86-4061862e3abb

[ System Events ]
Error - 12/20/2010 4:42:03 PM | Computer Name = BlackIce | Source = Microsoft Antimalware | ID = 3002
Description = %%861 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 12/20/2010 4:42:45 PM | Computer Name = BlackIce | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 1/5/2011 12:19:25 AM | Computer Name = BlackIce | Source = Microsoft Antimalware | ID = 3002
Description = %%861 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 1/5/2011 1:17:20 AM | Computer Name = BlackIce | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 1/5/2011 1:17:38 AM | Computer Name = BlackIce | Source = Service Control Manager | ID = 7000
Description = The SASDIFSV service failed to start due to the following error: %%183

Error - 1/5/2011 2:07:33 AM | Computer Name = BlackIce | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 1/5/2011 1:07:50 PM | Computer Name = BlackIce | Source = Microsoft Antimalware | ID = 3002
Description = %%861 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 1/5/2011 1:08:29 PM | Computer Name = BlackIce | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 1/5/2011 1:12:15 PM | Computer Name = BlackIce | Source = Microsoft Antimalware | ID = 3002
Description = %%861 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 1/5/2011 1:12:46 PM | Computer Name = BlackIce | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.


< End of report >

#8 Max Hennings

  • Topic Starter
  • Members
  • 24 posts

Posted 05 January 2011 - 12:22 PM

Here are the Extras.txt results:

OTL Extras logfile created on: 1/5/2011 12:15:00 PM - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Users\Max Hennings\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 66.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 596.16 Gb Total Space | 318.42 Gb Free Space | 53.41% Space Free | Partition Type: NTFS
Drive D: | 698.64 Gb Total Space | 495.32 Gb Free Space | 70.90% Space Free | Partition Type: NTFS
Drive E: | 6.28 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: BLACKICE | User Name: Max Hennings | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\System32\ieframe.DLL (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\Windows\System32\ieframe.DLL (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htafile [open] -- "%1" %* File not found
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htafile [open] -- "%1" %*
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallOverride" = 1
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 1
"FirewallOverride" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{404BB1FF-A84F-432F-B77B-301E88E8D1C7}" = Apple Mobile Device Support
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{503640E5-B2ED-3173-D109-D4D03153471A}" = AMD Drag and Drop Transcoding
"{563F041C-DFDB-437B-A1E8-E141E0906076}" = Microsoft IntelliPoint 8.0
"{59427B1F-852F-4AF1-8215-E5B12F966D89}" = Logitech G11 Keyboard Software 1.03
"{79BF7CB8-1E09-489F-9547-DB3EE8EA3F16}" = Microsoft SQL Server Native Client
"{86177DAE-38B1-49DD-912E-35CB703AB779}" = Microsoft SQL Server VSS Writer
"{8DF9D3DF-6D03-A04F-217F-F2577D973DBE}" = ATI Catalyst Install Manager
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95C9C76F-ECF3-40FA-94F8-5DDFB6BAF40D}" = Microsoft Security Essentials
"{96D5EB02-DE18-4DCD-A713-929B4461CA8D}" = iTunes
"{9B48B0AC-C813-4174-9042-476A887592C7}" = Windows Live ID Sign-in Assistant
"{AE0D971F-5430-8874-B09E-3F1C76E2F8FF}" = WMV9/VC-1 Video Playback
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{C19D4D8F-4433-4F6D-9F0C-79589FD0B973}" = Bonjour
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D29E5E5F-47CA-087E-DCBF-FB75171D5B2E}" = ccc-utility64
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}" = Ventrilo Client for Windows x64
"{F00A3A54-C293-8F64-7C6D-9A4C09106FD8}" = Antivirus 2010
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"CANONIJINBOXADDON100" = Canon Inkjet Printer Driver Add-On Module
"doPDF 7 printer_is1" = doPDF 7.1 printer
"HitmanPro35" = Hitman Pro 3.5
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Essentials" = Microsoft Security Essentials
"WinRAR archiver" = WinRAR archiver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0217E1D1-BCEF-4A61-AF6D-F7740F65A066}" = Pivot Software
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0DEA342C-15CB-4F52-97B6-06A9C4B9C06F}" = SDK
"{11083C7A-D0D6-4DA4-8C3A-74B8389EC07B}" = ATI Catalyst Registration
"{135F49F2-9071-F45A-4263-DF7D42FBF7DD}" = CCC Help English
"{155F4A0E-76ED-45A2-91FB-FF2A2133C31A}" = Risen
"{16D919E6-F019-4E15-BFBE-4A85EF19DA57}" = Oblivion - Spell Tomes
"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F61E0B1-1AB8-F15E-07C4-46D100A1D3F7}" = Borderlands
"{1FDA5A37-B22D-43FF-B582-B8964050DC13}" = Microsoft Games for Windows - LIVE Redistributable
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 23
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (BWDATOOLSET)
"{2B653229-9854-4989-B780-D978F5F13EAB}" = FEAR
"{2F2E3D62-8B8C-448F-8900-451325E50948}" = Oblivion - Wizard's Tower
"{2FDBBCEA-62DB-45F4-B6E5-0E1FB2A1F29D}" = Visual C++ 8.0 Runtime Setup Package (x64)
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMicron JMB36X Driver
"{3ABEBD00-299D-4DCA-967F-B912163AB5EA}" = Oblivion - Horse Armor Pack
"{3B11D799-48E0-48ED-BFD7-EA655676D8BB}" = Dragon Age Toolset
"{3F66C4BF-4BD9-FF9C-FA9F-4579F60A33B3}" = Catalyst Control Center Graphics Previews Vista
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A8B461A-9336-4CF9-98F4-14DD38E673F0}" = BioShock 2
"{4DDC3BED-CC68-44AA-B435-D727B620CA5B}" = Linksys Wireless-G PCI Adapter Driver - WMP54Gv4.1
"{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}" = SpyHunter
"{520F4B09-3A51-47A2-82B0-9FF1DC2D20FA}" = Oblivion - Vile Lair
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5B35C417-2649-11D6-83D1-0050FC01225C}" = FirstClass® Client
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C1804BC-094F-431A-BEA5-37A837958029}" = Rome - Total War - Alexander
"{6EB1C49D-71C7-40E3-A365-EF713EDA997A}" = X-TUNE
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75D84EF7-0D8C-4e70-B3FA-7B42A5D4E0EB}" = Mass Effect 2
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{86A4C6D9-29EE-4719-AFA1-BA3341862B83}" = Microsoft Games for Windows - LIVE
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{910F4A29-1134-49E0-AD8B-56E4A3152BD1}" = The Sims™ 3 Ambitions
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A0A20753-92DF-4631-82B4-9CACE2FCED6A}" = Oblivion - The Fighter's Stronghold
"{A642BB6B-CA1D-4142-8DD4-318C3F3DC834}" = Rome - Total War™
"{A914AE85-1A36-0575-714C-BF996BDA20C7}" = ccc-core-static
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AE249BA3-2421-3996-5E9A-DF4A9F3551FC}" = Catalyst Control Center InstallProxy
"{AEC81925-9C76-4707-84A9-40696C613ED3}" = Dragon Age: Origins
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{BA26FFA5-6D47-47DB-BE56-34C357B5F8CC}" = The Sims™ 3 World Adventures
"{BBB3F622-D848-4CDA-B282-CC53627432F0}" = Microsoft Application Compatibility Toolkit 5.5
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{DB8B49A9-7CF1-34DB-6DF2-1EC41C0FE5E1}" = Catalyst Control Center Graphics Previews Common
"{DDA34038-89BD-4804-B0B8-DC48D5DFB463}" = Catalyst Control Center - Branding
"{E17141A6-211D-5854-61D9-69827A430D82}" = EA Download Manager UI
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{EC425CFC-EE78-4A91-AA25-3BFA65B75364}" = Oblivion - Orrery
"{EF295F5C-7B57-47AA-8889-6B3E8E214E89}" = Oblivion - Mehrunes Razor
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FAB1F336-1B7C-4057-A7BC-2922CD82A781}" = Ralink RT6x Wireless LAN Card
"{FD69C8CB-6964-432C-98AB-A5A09ED50EEA}" = Barbarian Invasion
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"{FFFFFD17-B460-41EB-93F1-C48ABAD63828}" = Oblivion - Thieves Den
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"avast5" = avast! Free Antivirus
"Axis and Allies" = Axis and Allies
"Axis and Allies Starter Pack v4.3" = Axis and Allies Starter Pack v4.3
"BitTorrent" = BitTorrent
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"com.ea.Vault.919CACB699904AC5D41B606703500DD39747C02D.1" = EA Download Manager UI
"Diablo II" = Diablo II
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDFab 7_is1" = DVDFab 7.0.6.7 (30/05/2010)
"EA Download Manager" = EA Download Manager
"Fallout 2 Restoration Project_is1" = FO2 Expansion Pack 1.2
"Fallout2" = Fallout2
"InstallShield_{A642BB6B-CA1D-4142-8DD4-318C3F3DC834}" = Rome - Total War™
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"Peggle" = Peggle (remove only)
"Picasa 3" = Picasa 3
"Runic Games Torchlight" = Torchlight
"Star Wars: The Force Unleashed 2_is1" = Star Wars: The Force Unleashed 2
"Steam App 22380" = Fallout: New Vegas
"Steam App 440" = Team Fortress 2
"Steam App 550" = Left 4 Dead 2
"System Tool2011" = System Tool2011
"Unofficial Oblivion Patch_is1" = Unofficial Oblivion Patch v3.2.0
"Unofficial Shivering Isles Patch_is1" = Unofficial Shivering Isles Patch v1.4.0
"Visual Color Picker_is1" = Visual Color Picker 2.6
"VLC media player" = VLC media player 1.0.5
"World of Warcraft" = World of Warcraft

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/12/2010 1:51:19 PM | Computer Name = BlackIce | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 999

Error - 12/12/2010 1:51:20 PM | Computer Name = BlackIce | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 12/12/2010 1:51:20 PM | Computer Name = BlackIce | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 2013

Error - 12/12/2010 1:51:20 PM | Computer Name = BlackIce | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2013

Error - 12/12/2010 4:26:33 PM | Computer Name = BlackIce | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 12/12/2010 4:26:33 PM | Computer Name = BlackIce | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 999

Error - 12/12/2010 4:26:33 PM | Computer Name = BlackIce | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 999

Error - 12/12/2010 11:01:12 PM | Computer Name = BlackIce | Source = Application Error | ID = 1000
Description = Faulting application name: FalloutNV.exe, version: 1.2.0.285, time
stamp: 0x4cd9d70b Faulting module name: FalloutNV.exe, version: 1.2.0.285, time
stamp: 0x4cd9d70b Exception code: 0xc0000005 Fault offset: 0x001dfc64 Faulting process
id: 0x122c Faulting application start time: 0x01cb9a617939f382 Faulting application
path: c:\program files (x86)\steam\steamapps\common\fallout new vegas\FalloutNV.exe
Faulting
module path: c:\program files (x86)\steam\steamapps\common\fallout new vegas\FalloutNV.exe
Report
Id: 3d5f86ee-0665-11e0-a7bd-4061862e3abb

Error - 12/16/2010 4:13:59 PM | Computer Name = BlackIce | Source = Application Error | ID = 1000
Description = Faulting application name: FalloutNV.exe, version: 1.2.0.314, time
stamp: 0x4cfdf842 Faulting module name: FalloutNV.exe, version: 1.2.0.314, time
stamp: 0x4cfdf842 Exception code: 0xc0000005 Fault offset: 0x001667ac Faulting process
id: 0x12c8 Faulting application start time: 0x01cb9d562615d854 Faulting application
path: c:\program files (x86)\steam\steamapps\common\fallout new vegas\FalloutNV.exe
Faulting
module path: c:\program files (x86)\steam\steamapps\common\fallout new vegas\FalloutNV.exe
Report
Id: 03b278b3-0951-11e0-aee7-4061862e3abb

Error - 12/19/2010 3:30:04 PM | Computer Name = BlackIce | Source = Application Error | ID = 1000
Description = Faulting application name: FalloutNV.exe, version: 1.2.0.314, time
stamp: 0x4cfdf842 Faulting module name: FalloutNV.exe, version: 1.2.0.314, time
stamp: 0x4cfdf842 Exception code: 0xc0000005 Fault offset: 0x001df674 Faulting process
id: 0xb50 Faulting application start time: 0x01cb9fae29243265 Faulting application
path: c:\program files (x86)\steam\steamapps\common\fallout new vegas\FalloutNV.exe
Faulting
module path: c:\program files (x86)\steam\steamapps\common\fallout new vegas\FalloutNV.exe
Report
Id: 60bb0fed-0ba6-11e0-9c86-4061862e3abb

[ System Events ]
Error - 12/20/2010 4:42:03 PM | Computer Name = BlackIce | Source = Microsoft Antimalware | ID = 3002
Description = %%861 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 12/20/2010 4:42:45 PM | Computer Name = BlackIce | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 1/5/2011 12:19:25 AM | Computer Name = BlackIce | Source = Microsoft Antimalware | ID = 3002
Description = %%861 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 1/5/2011 1:17:20 AM | Computer Name = BlackIce | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 1/5/2011 1:17:38 AM | Computer Name = BlackIce | Source = Service Control Manager | ID = 7000
Description = The SASDIFSV service failed to start due to the following error: %%183

Error - 1/5/2011 2:07:33 AM | Computer Name = BlackIce | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 1/5/2011 1:07:50 PM | Computer Name = BlackIce | Source = Microsoft Antimalware | ID = 3002
Description = %%861 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 1/5/2011 1:08:29 PM | Computer Name = BlackIce | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 1/5/2011 1:12:15 PM | Computer Name = BlackIce | Source = Microsoft Antimalware | ID = 3002
Description = %%861 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 1/5/2011 1:12:46 PM | Computer Name = BlackIce | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.


< End of report >

#9 CatByte (bleepin' tiger, Malware Response Team)

Posted 05 January 2011 - 12:55 PM

Hi

Please do the following:

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    SRV:64bit: - [2010/03/24 01:59:44 | 000,033,280 | ---- | M] () [Auto | Running] -- C:\Windows\SysNative\qmpehsoe.dll -- (qmpehsoe)
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [resethosts]
    [emptyflash]
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
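The fix above removes one specific persistence point: a DLL (qmpehsoe.dll, sitting in the real 64-bit System32, which OTL calls SysNative) registered as a service and loaded by svchost.exe through the "netsvcs" service group, plus a HOSTS reset and a DNS cache flush. The following is an added triage script for that same persistence point and for the two other places a search redirect usually lives; it is not CatByte's script and not part of OTL or ComboFix. Variable names ($report, $hostsFile and so on) are mine, and it assumes a Windows 7 or later registry layout and PowerShell 2.0-compatible syntax, run from an elevated 64-bit PowerShell (a 32-bit PowerShell is redirected to SysWOW64 and would never see the 64-bit System32 copy of a dropped DLL):

```powershell
# Added example, not part of the original thread or of OTL/ComboFix.
# Lists every svchost "netsvcs" member with the ServiceDll it loads, then the
# active HOSTS entries and the DNS servers each adapter uses.
# Assumes: elevated 64-bit PowerShell, Windows 7+ registry layout, PS 2.0 syntax.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 1. The netsvcs group. ComboFix prints this same list under "Svchost - NetSvcs";
#    the name that did not belong on this machine was qmpehsoe.
$netsvcs = (Get-ItemProperty -Path $svchostKey -Name netsvcs).netsvcs

$report = foreach ($name in $netsvcs) {
    $svcKey = Join-Path $servicesKey $name
    if (-not (Test-Path $svcKey)) { continue }      # listed but no service key: inert

    $svc   = Get-ItemProperty -Path $svcKey
    $param = Get-ItemProperty -Path (Join-Path $svcKey 'Parameters') -ErrorAction SilentlyContinue
    $dll   = $param.ServiceDll
    if (-not $dll) { $dll = $svc.ServiceDll }        # a few services keep it on the main key
    if (-not $dll) { continue }                      # not DLL-hosted, out of scope here

    $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
    $status  = 'MISSING'
    $signer  = ''
    if (Test-Path -LiteralPath $dllPath) {
        $sig    = Get-AuthenticodeSignature -FilePath $dllPath
        $status = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    # Heuristics, not a verdict: a genuine netsvcs member has a display name and a
    # description; a dropped DLL usually has neither and is never Microsoft-signed.
    $suspicious = ($status -ne 'Valid') -or
                  [string]::IsNullOrEmpty($svc.DisplayName) -or
                  [string]::IsNullOrEmpty($svc.Description)

    New-Object PSObject -Property @{
        Service    = $name
        ServiceDll = $dllPath
        Signature  = $status
        Signer     = $signer
        Suspicious = $suspicious
    }
}

$report | Sort-Object Suspicious -Descending |
    Format-Table Service, Signature, Suspicious, ServiceDll -AutoSize

# 2. HOSTS file. The stock Windows 7 file contains only comment lines, so any
#    active mapping is worth reading before [resethosts] throws it away.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile |
    Where-Object { $_ -match '^\s*[0-9A-Fa-f:.]+\s+\S' -and $_ -notmatch '^\s*#' } |
    ForEach-Object { "HOSTS override: $_" }

# 3. DNS servers handed to each enabled adapter. A redirect that survives a HOSTS
#    reset and "ipconfig /flushdns" can simply be a changed resolver.
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DHCPEnabled, DNSServerSearchOrder |
    Format-List
```

Two caveats when reading the output. First, on Windows 7 most Microsoft system DLLs are catalog-signed rather than carrying an embedded signature, and Get-AuthenticodeSignature there reports them as NotSigned, so expect a number of flagged rows; treat the table as a list to compare against a clean machine of the same build, and corroborate with what OTL already shows (qmpehsoe.dll had no company name and a timestamp unrelated to any Windows update). Second, deleting the service and moving the DLL, as the OTL fix does, leaves the name in the netsvcs string: the ComboFix log that follows in this thread still lists qmpehsoe under "Svchost - NetSvcs", which is why the later CFScript uses both NetSvc:: (remove the group entry) and Driver:: (remove the service key).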


#10 Max Hennings (Topic Starter)

Posted 05 January 2011 - 07:07 PM

I was able to run the custom OTL fix without an issue. When I ran combofix the first time it had an error while trying to prepare the log. The second time I ran it the same problem occurred but I just kept closing the "program not responding window" and eventually the log popped up.

Here is the OTL Log:

All processes killed
========== OTL ==========
Service qmpehsoe stopped successfully!
Service qmpehsoe deleted successfully!
C:\Windows\SysNative\qmpehsoe.dll moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Max Hennings\Desktop\cmd.bat deleted successfully.
C:\Users\Max Hennings\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 56504 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Max Hennings
->Flash cache emptied: 158348 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Max Hennings
->Temp folder emptied: 1195534340 bytes
->Temporary Internet Files folder emptied: 455790345 bytes
->Java cache emptied: 5310620 bytes
->FireFox cache emptied: 56730280 bytes
->Google Chrome cache emptied: 6330174 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1423246 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 336212 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 728836 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,642.00 mb


OTL by OldTimer - Version 3.2.20.1 log created on 01052011_170703

Files\Folders moved on Reboot...
C:\Users\Max Hennings\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Max Hennings\AppData\Local\Temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb moved successfully.
File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
C:\Windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb moved successfully.

Registry entries deleted on Reboot...



---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Here is the Combofix log:

ComboFix 11-01-05.01 - Max Hennings 01/05/2011 18:54:44.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4086.2481 [GMT -5:00]
Running from: c:\users\Max Hennings\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
AV: Microsoft Security Essentials *Disabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Microsoft Security Essentials *Disabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\programdata\.wtav
c:\users\Max Hennings\AppData\Roaming\inst.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-06 to 2011-01-06 )))))))))))))))))))))))))))))))
.

2011-01-06 00:00 . 2011-01-06 00:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-05 22:07 . 2011-01-05 22:07 -------- d-----w- C:\_OTL
2011-01-05 05:42 . 2010-11-10 02:35 8199504 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F734616D-EEDE-47AA-A75F-40CB44E1B083}\mpengine.dll
2010-12-08 04:09 . 2010-12-31 20:06 38848 ----a-w- c:\windows\avastSS.scr
2010-12-08 04:09 . 2010-12-31 20:06 188216 ----a-w- c:\windows\SysWow64\aswBoot.exe
2010-12-08 04:09 . 2010-12-08 04:09 -------- d-----w- c:\programdata\Alwil Software
2010-12-08 04:09 . 2010-12-08 04:09 -------- d-----w- c:\program files\Alwil Software
2010-12-08 03:54 . 2010-12-08 03:54 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-12-08 03:54 . 2010-12-08 03:59 -------- d-----w- c:\programdata\Hitman Pro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-02 04:39 . 2010-12-02 04:39 110080 ----a-r- c:\users\Max Hennings\AppData\Roaming\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconF7A21AF7.exe
2010-12-02 04:39 . 2010-12-02 04:39 110080 ----a-r- c:\users\Max Hennings\AppData\Roaming\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconD7F16134.exe
2010-11-29 22:42 . 2010-10-30 04:06 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2010-11-12 23:53 . 2010-10-15 21:33 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2010-11-10 05:35 . 2010-11-20 09:12 8199504 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{09B3FBE1-3CC5-422D-A78C-8D3B887936B5}\mpengine.dll
2010-11-10 02:35 . 2010-11-21 06:35 8199504 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-10-27 08:08 . 2010-10-27 08:08 16281600 ----a-w- c:\windows\SysWow64\atioglxx.dll
2010-10-27 07:55 . 2010-10-27 07:55 547328 ----a-w- c:\windows\SysWow64\aticfx32.dll
2010-10-27 07:50 . 2010-10-27 07:50 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2010-10-27 07:49 . 2010-10-27 07:49 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2010-10-27 07:49 . 2010-10-27 07:49 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2010-10-27 07:46 . 2010-10-27 07:46 4020736 ----a-w- c:\windows\SysWow64\atidxx32.dll
2010-10-27 07:35 . 2010-10-27 07:35 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2010-10-27 07:35 . 2010-10-27 07:35 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2010-10-27 07:33 . 2010-10-27 07:33 5441536 ----a-w- c:\windows\SysWow64\aticaldd.dll
2010-10-27 07:28 . 2010-10-27 07:28 4094464 ----a-w- c:\windows\SysWow64\atiumdag.dll
2010-10-27 07:14 . 2010-10-27 07:14 249856 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2010-10-27 07:14 . 2010-10-27 07:14 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2010-10-27 07:14 . 2010-10-27 07:14 27136 ----a-w- c:\windows\SysWow64\atigktxx.dll
2010-10-27 07:13 . 2010-10-27 07:13 30720 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2010-10-27 07:13 . 2010-09-26 02:43 28672 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2010-10-27 06:50 . 2010-10-27 06:50 3460096 ----a-w- c:\windows\SysWow64\atiumdva.dll
2010-10-27 06:37 . 2010-10-27 06:37 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
2010-10-27 06:37 . 2010-10-27 06:37 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2010-10-14 06:36 . 2010-10-14 06:36 15451288 ----a-w- c:\windows\SysWow64\xlive.dll
2010-10-14 06:36 . 2010-10-14 06:36 13642904 ----a-w- c:\windows\SysWow64\xlivefnt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"Steam"="c:\program files (x86)\steam\steam.exe" [2010-11-16 1242448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-05 2988784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PivotSoftware"="c:\program files (x86)\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HSP"="c:\program files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe" [2008-02-13 81920]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2009-12-16 36864]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-01 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\games\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [2009-10-17 22016]
R3 esgiguard;esgiguard;c:\program files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [2010-01-27 5248]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2009-10-16 50176]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-06 1255736]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-27 834544]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-10-27 203776]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 61008]
S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\DAODB\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-27 8012288]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-27 287232]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-10-22 116240]
S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys [2009-06-02 25600]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 40832]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2010-07-21 45456]
S3 rt61x64;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\DRIVERS\WMP54Gv41x64.sys [2010-04-07 446304]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-23 344680]

.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-21 7981088]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1783296]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1448568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qmpehsoe

.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.daemon-search.com/startpage
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Max Hennings\AppData\Roaming\Mozilla\Firefox\Profiles\jeby41nk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -

Wow6432Node-HKCU-Run-EA Core - c:\program files (x86)\Electronic Arts\EADM\Core.exe
HKLM-Run-Launch LCDMon - c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"
"DisplayName"=expand:"@fdeploy.dll,-261"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"DisplayName"=expand:"@%SystemRoot%\\System32\\dskquota.dll,-100"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"%SystemRoot%\\System32\\dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"DisplayName"=expand:"@gptext.dll,-201"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}]
@DACL=(02 0000)
@="Windows Search Group Policy Extension"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"=expand:"%SystemRoot%\\System32\\srchadmin.dll"
"RequiresSuccessfulRegistry"=dword:00000001
"NoSlowLink"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoUserPolicy"=dword:00000000
"NoMachinePolicy"=dword:00000000
"PerUserLocalSettings"=dword:00000000
"EnableAsynchronousProcessing"=dword:00000001
"NoBackgroundPolicy"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}]
@DACL=(02 0000)
@="Deployed Printer Connections"
"DisplayName"=expand:"@%systemroot%\\system32\\gpprnext.dll,-1"
"DllName"=expand:"%systemroot%\\system32\\gpprnext.dll"
"EnableAsynchronousProcessing"=dword:00000001
"ExtensionEventSource"=""
"GenerateGroupPolicy"="PrinterGenerateGroupPolicy"
"MaxNoGPOListChangesInterval"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000001
"NotifyLinkTransition"=dword:00000000
"NoUserPolicy"=dword:00000000
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="PrinterProcessGroupPolicy"
"ProcessGroupPolicyEx"="PrinterProcessGroupPolicyEx"
"RequiresSuccessfulRegistry"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}]
@DACL=(02 0000)
@="TCPIP"
"DisplayName"=expand:"@gptext.dll,-204"
"ProcessGroupPolicy"="ProcessTCPIPPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicyEx"="ProcessIPSECPolicyEx"
"GenerateGroupPolicy"="GenerateIPSECPolicy"
"DllName"=expand:"%SystemRoot%\\System32\\polstore.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000
"DisplayName"=expand:"@c:\\Windows\\system32\\polstore.dll,-5012"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}]
@DACL=(02 0000)
@="Audit Policy Configuration"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"DllName"=expand:"auditcse.dll"
"NoUserPolicy"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
"ForceRefreshFG"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}]
@DACL=(02 0000)
@="Enterprise QoS"
"DisplayName"=expand:"@gptext.dll,-203"
"ProcessGroupPolicy"="ProcessEQoSPolicy"
"DllName"=expand:"gptext.dll"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}]
@DACL=(02 0000)
@="CP"
"DisplayName"=expand:"@gptext.dll,-205"
"ProcessGroupPolicy"="ProcessConnectivityPlatformPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-01-05 19:02:46
ComboFix-quarantined-files.txt 2011-01-06 00:02

Pre-Run: 342,971,138,048 bytes free
Post-Run: 342,851,391,488 bytes free

- - End Of File - - 31F7362616E8FD3DB38A25602E707478

#11 CatByte (bleepin' tiger, Malware Response Team)

Posted 05 January 2011 - 08:46 PM

Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

NetSvc::
qmpehsoe

Driver::
qmpehsoe


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


You have two antivirus programs installed. More than one program can cause system slowdowns, conflicts and crashes. I recommend you uninstall one of them.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 Max Hennings
  • Topic Starter
  • Members
  • 24 posts

Posted 06 January 2011 - 11:46 AM

I thought the only antivirus program I had installed was avast.

Here is the combofix log:

ComboFix 11-01-05.01 - Max Hennings 01/05/2011 21:16:31.3.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4086.2150 [GMT -5:00]
Running from: c:\users\Max Hennings\Desktop\ComboFix.exe
Command switches used :: c:\users\Max Hennings\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
AV: Microsoft Security Essentials *Disabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Microsoft Security Essentials *Disabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-12-06 to 2011-01-06 )))))))))))))))))))))))))))))))
.

2011-01-06 02:22 . 2011-01-06 02:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-06 00:49 . 2010-11-10 02:35 8199504 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B3B9DE5B-4D4D-48D7-977A-D413B284F34A}\mpengine.dll
2011-01-05 22:07 . 2011-01-05 22:07 -------- d-----w- C:\_OTL
2010-12-08 04:09 . 2010-12-31 20:06 38848 ----a-w- c:\windows\avastSS.scr
2010-12-08 04:09 . 2010-12-31 20:06 188216 ----a-w- c:\windows\SysWow64\aswBoot.exe
2010-12-08 04:09 . 2010-12-08 04:09 -------- d-----w- c:\programdata\Alwil Software
2010-12-08 04:09 . 2010-12-08 04:09 -------- d-----w- c:\program files\Alwil Software
2010-12-08 03:54 . 2010-12-08 03:54 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-12-08 03:54 . 2010-12-08 03:59 -------- d-----w- c:\programdata\Hitman Pro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-02 04:39 . 2010-12-02 04:39 110080 ----a-r- c:\users\Max Hennings\AppData\Roaming\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconF7A21AF7.exe
2010-12-02 04:39 . 2010-12-02 04:39 110080 ----a-r- c:\users\Max Hennings\AppData\Roaming\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconD7F16134.exe
2010-11-29 22:42 . 2010-10-30 04:06 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2010-11-12 23:53 . 2010-10-15 21:33 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2010-11-10 05:35 . 2010-11-20 09:12 8199504 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{09B3FBE1-3CC5-422D-A78C-8D3B887936B5}\mpengine.dll
2010-11-10 02:35 . 2010-11-21 06:35 8199504 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-10-27 08:08 . 2010-10-27 08:08 16281600 ----a-w- c:\windows\SysWow64\atioglxx.dll
2010-10-27 07:55 . 2010-10-27 07:55 547328 ----a-w- c:\windows\SysWow64\aticfx32.dll
2010-10-27 07:50 . 2010-10-27 07:50 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2010-10-27 07:49 . 2010-10-27 07:49 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2010-10-27 07:49 . 2010-10-27 07:49 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2010-10-27 07:46 . 2010-10-27 07:46 4020736 ----a-w- c:\windows\SysWow64\atidxx32.dll
2010-10-27 07:35 . 2010-10-27 07:35 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2010-10-27 07:35 . 2010-10-27 07:35 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2010-10-27 07:33 . 2010-10-27 07:33 5441536 ----a-w- c:\windows\SysWow64\aticaldd.dll
2010-10-27 07:28 . 2010-10-27 07:28 4094464 ----a-w- c:\windows\SysWow64\atiumdag.dll
2010-10-27 07:14 . 2010-10-27 07:14 249856 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2010-10-27 07:14 . 2010-10-27 07:14 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2010-10-27 07:14 . 2010-10-27 07:14 27136 ----a-w- c:\windows\SysWow64\atigktxx.dll
2010-10-27 07:13 . 2010-10-27 07:13 30720 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2010-10-27 07:13 . 2010-09-26 02:43 28672 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2010-10-27 06:50 . 2010-10-27 06:50 3460096 ----a-w- c:\windows\SysWow64\atiumdva.dll
2010-10-27 06:37 . 2010-10-27 06:37 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
2010-10-27 06:37 . 2010-10-27 06:37 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2010-10-14 06:36 . 2010-10-14 06:36 15451288 ----a-w- c:\windows\SysWow64\xlive.dll
2010-10-14 06:36 . 2010-10-14 06:36 13642904 ----a-w- c:\windows\SysWow64\xlivefnt.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-01-06_00.00.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2011-01-05 23:09 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-01-06 00:48 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-01-05 23:09 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-01-06 00:48 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-01-06 00:48 376832 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-01-05 23:09 376832 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 02:34 . 2011-01-06 00:59 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:34 . 2011-01-05 23:22 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"Steam"="c:\program files (x86)\steam\steam.exe" [2010-11-16 1242448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-05 2988784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PivotSoftware"="c:\program files (x86)\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HSP"="c:\program files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe" [2008-02-13 81920]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2009-12-16 36864]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-01 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\games\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [2009-10-17 22016]
R3 esgiguard;esgiguard;c:\program files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [2010-01-27 5248]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2009-10-16 50176]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-06 1255736]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-27 834544]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-10-27 203776]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 61008]
S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\DAODB\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-27 8012288]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-27 287232]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-10-22 116240]
S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys [2009-06-02 25600]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 40832]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2010-07-21 45456]
S3 rt61x64;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\DRIVERS\WMP54Gv41x64.sys [2010-04-07 446304]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-23 344680]

.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-21 7981088]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1783296]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [BU]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1448568]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qmpehsoe

.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.daemon-search.com/startpage
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Max Hennings\AppData\Roaming\Mozilla\Firefox\Profiles\jeby41nk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"
"DisplayName"=expand:"@fdeploy.dll,-261"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"DisplayName"=expand:"@%SystemRoot%\\System32\\dskquota.dll,-100"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"%SystemRoot%\\System32\\dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"DisplayName"=expand:"@gptext.dll,-201"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}]
@DACL=(02 0000)
@="Windows Search Group Policy Extension"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"=expand:"%SystemRoot%\\System32\\srchadmin.dll"
"RequiresSuccessfulRegistry"=dword:00000001
"NoSlowLink"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoUserPolicy"=dword:00000000
"NoMachinePolicy"=dword:00000000
"PerUserLocalSettings"=dword:00000000
"EnableAsynchronousProcessing"=dword:00000001
"NoBackgroundPolicy"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}]
@DACL=(02 0000)
@="Deployed Printer Connections"
"DisplayName"=expand:"@%systemroot%\\system32\\gpprnext.dll,-1"
"DllName"=expand:"%systemroot%\\system32\\gpprnext.dll"
"EnableAsynchronousProcessing"=dword:00000001
"ExtensionEventSource"=""
"GenerateGroupPolicy"="PrinterGenerateGroupPolicy"
"MaxNoGPOListChangesInterval"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000001
"NotifyLinkTransition"=dword:00000000
"NoUserPolicy"=dword:00000000
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="PrinterProcessGroupPolicy"
"ProcessGroupPolicyEx"="PrinterProcessGroupPolicyEx"
"RequiresSuccessfulRegistry"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}]
@DACL=(02 0000)
@="TCPIP"
"DisplayName"=expand:"@gptext.dll,-204"
"ProcessGroupPolicy"="ProcessTCPIPPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicyEx"="ProcessIPSECPolicyEx"
"GenerateGroupPolicy"="GenerateIPSECPolicy"
"DllName"=expand:"%SystemRoot%\\System32\\polstore.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000
"DisplayName"=expand:"@c:\\Windows\\system32\\polstore.dll,-5012"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}]
@DACL=(02 0000)
@="Audit Policy Configuration"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"DllName"=expand:"auditcse.dll"
"NoUserPolicy"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
"ForceRefreshFG"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}]
@DACL=(02 0000)
@="Enterprise QoS"
"DisplayName"=expand:"@gptext.dll,-203"
"ProcessGroupPolicy"="ProcessEQoSPolicy"
"DllName"=expand:"gptext.dll"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}]
@DACL=(02 0000)
@="CP"
"DisplayName"=expand:"@gptext.dll,-205"
"ProcessGroupPolicy"="ProcessConnectivityPlatformPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-01-05 21:33:02
ComboFix-quarantined-files.txt 2011-01-06 02:33
ComboFix2.txt 2011-01-06 00:02

Pre-Run: 343,750,926,336 bytes free
Post-Run: 343,326,711,808 bytes free

- - End Of File - - EE04E083A7D31981A018B2B02D77B085
----------------------------------------------------------------------------------------------------------------------------------------------------------

Here is the Mbam Report:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5466

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

1/5/2011 9:47:33 PM
mbam-log-2011-01-05 (21-47-33).txt

Scan type: Quick scan
Objects scanned: 156150
Time elapsed: 1 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-------------------------------------------------------------------------------------------

Here is the ESET log:

C:\Users\Max Hennings\Downloads\rld-rsnf.7z probably a variant of Win32/Obfuscated.ISZPTDH trojan
D:\ISO Files\rzr-set7.iso a variant of Win32/Packed.VMProtect.AAA trojan
D:\Torrent Downloads\Windows XP Professional 32-bit en-US - Black Edition v2009.4.19.iso multiple threats
D:\Torrent Downloads\Warcraft III Reign of Chaos, The Frozen Throne + Update Patch War3TFT_122a_English +CD Key\CDKey\Warcraft III Reign Of Chaos Keygen.exe probably a variant of Win32/Hupigon.DPPTSMY trojan
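The CFScript above targets a NetSvcs member (qmpehsoe) that the ComboFix log lists under "Svchost - NetSvcs" without any matching service or driver line, while MBAM reports nothing. As an added example that is not part of this thread and not ComboFix code, the following Python script reads those two parts of a ComboFix log and reports NetSvcs members that have no service entry or whose service has no image on disk; the services DemoHostedSvc and ghostsvc in the sample log are constructed.

```python
"""Audit the Svchost NetSvcs group recorded in a ComboFix log.

Added example for this thread; it is not ComboFix code and not the helper's
own tooling.  It reads two log formats shown in the thread: the service and
driver lines ("R2 name;display;image [date size]" or "S1 name;display; [x]")
and the "...\\Svchost - NetSvcs" block that lists non-default group members
one per line.  A NetSvcs member with no service line, or whose service line
shows no image on disk, is the kind of entry the helper targeted with the
NetSvc:: and Driver:: directives.
"""
import re
from collections import namedtuple

Service = namedtuple("Service", "start name display image")

# "R2 name;display;image [date size]" or "S1 name;display; [x]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
NETSVCS_HEADER_RE = re.compile(r"Svchost\s*-\s*NetSvcs\s*$", re.IGNORECASE)


def parse_services(log):
    """Map lower-cased service name -> Service for every R/S line in the log."""
    services = {}
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, display, rest = m.groups()
        rest = rest.strip()
        # "[x]" is ComboFix's marker for a service key whose image file is
        # missing from disk; otherwise the image path precedes "[date size]".
        image = None if rest == "[x]" else rest.rsplit(" [", 1)[0]
        # Registry service names are case-insensitive, so key on lower case.
        services[name.lower()] = Service(start, name, display, image)
    return services


def parse_netsvcs(log):
    """Return the names listed under the "Svchost - NetSvcs" header."""
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if NETSVCS_HEADER_RE.search(line):
            names = []
            for entry in lines[i + 1:]:
                entry = entry.strip()
                if not entry or entry == ".":
                    break
                names.append(entry)
            return names
    return []


def audit_netsvcs(log):
    """Return (name, reason) for every NetSvcs member worth a closer look.

    ComboFix prints only non-default services and non-default NetSvcs
    members, so a listed member should normally have a matching service
    line.  A member with none points at a hidden or missing service key;
    a member whose image is "[x]" points at a key left behind after its
    file was removed.  Both are leads for the analyst, not verdicts.
    """
    services = parse_services(log)
    findings = []
    for name in parse_netsvcs(log):
        svc = services.get(name.lower())
        if svc is None:
            findings.append((name, "no service entry in log"))
        elif svc.image is None:
            findings.append((name, "service has no image on disk"))
    return findings


# Constructed log excerpt in ComboFix's format: the qmpehsoe entry mirrors
# the thread's log, DemoHostedSvc and ghostsvc are made up for illustration.
SAMPLE_LOG = r"""
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S1 aswSP;aswSP; [x]
S2 DemoHostedSvc;Demo hosted service;c:\windows\system32\demosvc.dll [2010-01-01 4096]
S2 ghostsvc;ghostsvc; [x]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 40832]

.

--------- x86-64 -----------

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qmpehsoe
DemoHostedSvc
ghostsvc

.
------- Supplementary Scan -------
"""

if __name__ == "__main__":
    for name, reason in audit_netsvcs(SAMPLE_LOG):
        print(f"{name}: {reason}")
```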

#13 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 January 2011 - 10:01 PM

One of the bad files is being very stubborn to kill, so I would like you to try the next fix in safe mode.

To Enter Safe Mode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly;
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safe Mode
  • Then press the Enter Key on your Keyboard
  • Go into your usual account

NEXT

do the following:


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::

NetSvc::
qmpehsoe

Driver::
qmpehsoe

File::
C:\Users\Max Hennings\Downloads\rld-rsnf.7z 
D:\ISO Files\rzr-set7.iso 
D:\Torrent Downloads\Windows XP Professional 32-bit en-US - Black Edition v2009.4.19.iso 
D:\Torrent Downloads\Warcraft III Reign of Chaos, The Frozen Throne + Update Patch War3TFT_122a_English +CD Key\CDKey\Warcraft III Reign Of Chaos Keygen.exe 

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT



Please describe how your computer is running and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 Max Hennings
  • Topic Starter
  • Members
  • 24 posts

Posted 07 January 2011 - 02:53 PM

I think the redirect problem I had before is gone and I haven't experienced any problems since I started working with you. Can you suggest a good antivirus program? I don't really like avast, the program I currently have on my machine. What can I do to avoid getting this infection again?

Here is the log from the latest custom combofix script:

ComboFix 11-01-05.01 - Max Hennings 01/07/2011 12:27:20.4.4 - x64 MINIMAL
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4086.2763 [GMT -5:00]
Running from: c:\users\Max Hennings\Desktop\ComboFix.exe
Command switches used :: c:\users\Max Hennings\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Microsoft Security Essentials *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\users\Max Hennings\Downloads\rld-rsnf.7z"
"d:\iso files\rzr-set7.iso"
"d:\torrent downloads\Warcraft III Reign of Chaos, The Frozen Throne + Update Patch War3TFT_122a_English +CD Key\CDKey\Warcraft III Reign Of Chaos Keygen.exe"
"d:\torrent downloads\Windows XP Professional 32-bit en-US - Black Edition v2009.4.19.iso"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Max Hennings\Downloads\rld-rsnf.7z
d:\iso files\rzr-set7.iso
d:\torrent downloads\Windows XP Professional 32-bit en-US - Black Edition v2009.4.19.iso

.
((((((((((((((((((((((((( Files Created from 2010-12-07 to 2011-01-07 )))))))))))))))))))))))))))))))
.

2011-01-07 17:41 . 2011-01-07 17:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-06 16:48 . 2010-11-10 02:35 8199504 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{33B13B4F-17FF-4AB7-AC66-5C2F04A27DDC}\mpengine.dll
2011-01-06 02:57 . 2011-01-06 02:57 -------- d-----w- c:\program files (x86)\ESET
2011-01-06 02:35 . 2011-01-06 02:36 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2011-01-05 22:07 . 2011-01-05 22:07 -------- d-----w- C:\_OTL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-31 20:06 . 2010-12-08 04:09 38848 ----a-w- c:\windows\avastSS.scr
2010-12-31 20:06 . 2010-12-08 04:09 188216 ----a-w- c:\windows\SysWow64\aswBoot.exe
2010-12-20 23:09 . 2010-10-30 04:06 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2010-11-12 23:53 . 2010-10-15 21:33 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2010-11-10 05:35 . 2010-11-20 09:12 8199504 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{09B3FBE1-3CC5-422D-A78C-8D3B887936B5}\mpengine.dll
2010-11-10 02:35 . 2010-11-21 06:35 8199504 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-10-27 08:08 . 2010-10-27 08:08 16281600 ----a-w- c:\windows\SysWow64\atioglxx.dll
2010-10-27 07:55 . 2010-10-27 07:55 547328 ----a-w- c:\windows\SysWow64\aticfx32.dll
2010-10-27 07:50 . 2010-10-27 07:50 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2010-10-27 07:49 . 2010-10-27 07:49 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2010-10-27 07:49 . 2010-10-27 07:49 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2010-10-27 07:46 . 2010-10-27 07:46 4020736 ----a-w- c:\windows\SysWow64\atidxx32.dll
2010-10-27 07:35 . 2010-10-27 07:35 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2010-10-27 07:35 . 2010-10-27 07:35 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2010-10-27 07:33 . 2010-10-27 07:33 5441536 ----a-w- c:\windows\SysWow64\aticaldd.dll
2010-10-27 07:28 . 2010-10-27 07:28 4094464 ----a-w- c:\windows\SysWow64\atiumdag.dll
2010-10-27 07:14 . 2010-10-27 07:14 249856 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2010-10-27 07:14 . 2010-10-27 07:14 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2010-10-27 07:14 . 2010-10-27 07:14 27136 ----a-w- c:\windows\SysWow64\atigktxx.dll
2010-10-27 07:13 . 2010-10-27 07:13 30720 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2010-10-27 07:13 . 2010-09-26 02:43 28672 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2010-10-27 06:50 . 2010-10-27 06:50 3460096 ----a-w- c:\windows\SysWow64\atiumdva.dll
2010-10-27 06:37 . 2010-10-27 06:37 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
2010-10-27 06:37 . 2010-10-27 06:37 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2010-10-14 06:36 . 2010-10-14 06:36 15451288 ----a-w- c:\windows\SysWow64\xlive.dll
2010-10-14 06:36 . 2010-10-14 06:36 13642904 ----a-w- c:\windows\SysWow64\xlivefnt.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-01-06_00.00.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-16 03:11 . 2011-01-07 17:19 49582 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-01-05 23:10 33472 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-01-07 17:19 33472 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-12-16 02:47 . 2011-01-07 17:19 18766 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4080547822-941997359-612846583-1000_UserData.bin
- 2010-10-30 04:06 . 2010-11-29 22:42 24152 c:\windows\system32\drivers\mbam.sys
+ 2010-10-30 04:06 . 2010-12-20 23:08 24152 c:\windows\system32\drivers\mbam.sys
+ 2009-12-16 02:47 . 2011-01-07 17:44 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-16 02:47 . 2011-01-05 23:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-16 02:47 . 2011-01-07 17:44 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-16 02:47 . 2011-01-05 23:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-06 02:35 . 2011-01-06 02:35 27494 c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCall.dll
+ 2011-01-07 17:42 . 2011-01-07 17:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-01-05 23:08 . 2011-01-05 23:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-01-07 17:42 . 2011-01-07 17:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-01-05 23:08 . 2011-01-05 23:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-12-17 07:01 . 2011-01-07 19:30 537806 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 05:01 . 2011-01-05 23:06 260648 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-01-07 17:22 260648 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-01-06 02:35 . 2011-01-06 02:35 130193 c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla4.dll
+ 2011-01-06 02:35 . 2011-01-06 02:35 130755 c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla3.dll
+ 2011-01-06 02:35 . 2011-01-06 02:35 130112 c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla2.dll
+ 2011-01-06 02:35 . 2011-01-06 02:35 131991 c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla11.exe
+ 2011-01-06 02:35 . 2011-01-06 02:35 131039 c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla.exe
+ 2010-05-26 07:01 . 2011-01-07 05:41 3313656 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4080547822-941997359-612846583-1000-12288.dat
- 2010-05-26 07:01 . 2011-01-05 23:06 3313656 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4080547822-941997359-612846583-1000-12288.dat
- 2009-07-14 02:34 . 2011-01-05 23:22 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2011-01-06 21:18 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"Steam"="c:\program files (x86)\steam\steam.exe" [2010-11-16 1242448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-05 2988784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PivotSoftware"="c:\program files (x86)\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HSP"="c:\program files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe" [2008-02-13 81920]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2009-12-16 36864]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-01 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\games\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [2009-10-17 22016]
R3 esgiguard;esgiguard;c:\program files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 40832]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2009-10-16 50176]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-06 1255736]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-27 834544]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-10-27 203776]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 61008]
S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\DAODB\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-27 8012288]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-27 287232]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-10-22 116240]
S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys [2009-06-02 25600]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2010-07-21 45456]
S3 rt61x64;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\DRIVERS\WMP54Gv41x64.sys [2010-04-07 446304]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-23 344680]

.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-21 7981088]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1783296]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [BU]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1448568]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qmpehsoe

.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.daemon-search.com/startpage
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Max Hennings\AppData\Roaming\Mozilla\Firefox\Profiles\jeby41nk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"
"DisplayName"=expand:"@fdeploy.dll,-261"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"DisplayName"=expand:"@%SystemRoot%\\System32\\dskquota.dll,-100"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"%SystemRoot%\\System32\\dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"DisplayName"=expand:"@gptext.dll,-201"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}]
@DACL=(02 0000)
@="Windows Search Group Policy Extension"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"=expand:"%SystemRoot%\\System32\\srchadmin.dll"
"RequiresSuccessfulRegistry"=dword:00000001
"NoSlowLink"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoUserPolicy"=dword:00000000
"NoMachinePolicy"=dword:00000000
"PerUserLocalSettings"=dword:00000000
"EnableAsynchronousProcessing"=dword:00000001
"NoBackgroundPolicy"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}]
@DACL=(02 0000)
@="Deployed Printer Connections"
"DisplayName"=expand:"@%systemroot%\\system32\\gpprnext.dll,-1"
"DllName"=expand:"%systemroot%\\system32\\gpprnext.dll"
"EnableAsynchronousProcessing"=dword:00000001
"ExtensionEventSource"=""
"GenerateGroupPolicy"="PrinterGenerateGroupPolicy"
"MaxNoGPOListChangesInterval"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000001
"NotifyLinkTransition"=dword:00000000
"NoUserPolicy"=dword:00000000
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="PrinterProcessGroupPolicy"
"ProcessGroupPolicyEx"="PrinterProcessGroupPolicyEx"
"RequiresSuccessfulRegistry"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}]
@DACL=(02 0000)
@="TCPIP"
"DisplayName"=expand:"@gptext.dll,-204"
"ProcessGroupPolicy"="ProcessTCPIPPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicyEx"="ProcessIPSECPolicyEx"
"GenerateGroupPolicy"="GenerateIPSECPolicy"
"DllName"=expand:"%SystemRoot%\\System32\\polstore.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000
"DisplayName"=expand:"@c:\\Windows\\system32\\polstore.dll,-5012"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}]
@DACL=(02 0000)
@="Audit Policy Configuration"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"DllName"=expand:"auditcse.dll"
"NoUserPolicy"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
"ForceRefreshFG"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}]
@DACL=(02 0000)
@="Enterprise QoS"
"DisplayName"=expand:"@gptext.dll,-203"
"ProcessGroupPolicy"="ProcessEQoSPolicy"
"DllName"=expand:"gptext.dll"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}]
@DACL=(02 0000)
@="CP"
"DisplayName"=expand:"@gptext.dll,-205"
"ProcessGroupPolicy"="ProcessConnectivityPlatformPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files (x86)\Portrait Displays\Pivot Software\floater.exe
.
**************************************************************************
.
Completion time: 2011-01-07 14:47:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-07 19:47
ComboFix2.txt 2011-01-06 02:33
ComboFix3.txt 2011-01-06 00:02

Pre-Run: 343,272,497,152 bytes free
Post-Run: 336,549,560,320 bytes free

- - End Of File - - AA46F07AFE325B0BEC8ABB66382923F8

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:10 AM

Posted 07 January 2011 - 07:28 PM

There are still a couple of leftover bad files.

Please run a fresh OTL log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
