Mystery Malware Infection


  • This topic is locked
16 replies to this topic

#1 Steve48224

  • Members
  • 11 posts

Posted 24 December 2010 - 09:40 AM

Here's the link to the backstory on my son's laptop:
http://www.bleepingcomputer.com/forums/topic369091.html/page__gopid__2068230#entry2068230

I was able to get DDS to run. I tried the rest of the steps in the Preparation Guide, but GMER is blocked from running. It says I don't have the appropriate permission to run it.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Master at 9:15:02.61 on Fri 12/24/2010
Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_23
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.1052 [GMT -5:00]

AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Icecast2 Win32\icecastService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchProtocolHost.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Master\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\master\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: $talisma_url$
Trusted Zone: ketsujin.com\fighterace
Trusted Zone: ketsujin.com\primary
Trusted Zone: ketsujin.com\update
Trusted Zone: ketsujin.com\www
Trusted Zone: stormofaces.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\master\appdata\roaming\mozilla\firefox\profiles\2vnvq8wf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/?ref=hp
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Menu Editor: {EDA7B1D7-F793-4e03-B074-E6F303317FB0} - %profile%\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}
FF - Ext: Veoh Video Compass: searchrecs@veoh.com - %profile%\extensions\searchrecs@veoh.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

============= SERVICES / DRIVERS ===============

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 21504]
R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [2010-3-13 1053056]
R2 Icecast-trunk;Icecast-trunk Streaming Media Server;c:\program files\icecast2 win32\icecastService.exe [2010-7-5 417792]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-25 365952]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-25 193840]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-3-12 30576]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]

=============== Created Last 30 ================

2010-12-24 00:55:50 56400 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2010-12-24 00:55:50 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-12-23 23:45:27 -------- d--h--w- c:\windows\PIF
2010-12-23 23:15:15 -------- d-----w- c:\windows\en
2010-12-23 23:08:12 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-12-23 23:08:11 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-12-23 23:08:10 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-12-23 23:08:02 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-12-23 23:07:39 94040 ----a-w- c:\program files\common files\windows live\.cache\3055331c1cba2f605\DSETUP.dll
2010-12-23 23:07:39 525656 ----a-w- c:\program files\common files\windows live\.cache\3055331c1cba2f605\DXSETUP.exe
2010-12-23 23:07:39 1691480 ----a-w- c:\program files\common files\windows live\.cache\3055331c1cba2f605\dsetup32.dll
2010-12-23 23:07:33 94040 ----a-w- c:\program files\common files\windows live\.cache\2dd27fdc1cba2f603\DSETUP.dll
2010-12-23 23:07:33 525656 ----a-w- c:\program files\common files\windows live\.cache\2dd27fdc1cba2f603\DXSETUP.exe
2010-12-23 23:07:33 1691480 ----a-w- c:\program files\common files\windows live\.cache\2dd27fdc1cba2f603\dsetup32.dll
2010-12-23 22:28:23 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{2974bde4-25b2-4e7b-b966-6b0a0efb4b61}\mpengine.dll
2010-12-18 18:54:40 -------- d-----w- c:\users\master\appdata\roaming\Malwarebytes
2010-12-18 18:54:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-18 18:54:05 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-18 18:54:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-18 18:54:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-18 02:14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-12-18 01:52:52 -------- d-----w- c:\program files\Panda Security
2010-12-16 08:02:57 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-12-15 22:55:33 -------- d-----w- c:\program files\iPod
2010-12-15 22:55:24 -------- d-----w- c:\program files\iTunes
2010-12-15 22:26:21 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-12-15 22:24:59 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-12 23:51:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-12 23:51:45 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-12-09 01:58:36 -------- d-----w- c:\users\master\appdata\local\WinZip
2010-12-09 01:44:25 -------- d-----w- c:\users\master\appdata\local\Apps
2010-12-05 19:20:16 758784 ----a-w- c:\windows\system32\cohelper.dll
2010-12-05 19:20:15 -------- d-----w- c:\program files\NVIDIA Corporation
2010-12-04 02:11:46 -------- d-----w- c:\program files\common files\Motive
2010-12-04 01:56:44 -------- d-----w- c:\users\master\appdata\local\Windows Live
2010-12-04 01:55:04 754688 ----a-w- c:\windows\system32\webservices.dll
2010-12-04 01:49:59 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2010-12-04 01:49:59 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-09-28 20:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

============= FINISH: 9:16:33.91 ===============
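A few entries in the DDS log above are the kind an analyst circles on a first read: a running process whose image path is given as `\\.\globalroot\Device\...` rather than a drive letter, `EnableLUA = 0` (UAC switched off by policy), a hosts-file line that points a security site at loopback, and a directory under system32 literally named `%APPDATA%`. The script below is an added example, not part of the original post and not DDS code; it encodes those four checks as rules and runs them over a constructed excerpt copied from the log above (with two ordinary lines mixed in so the rules can be checked for false positives). The rule names and the `triage_dds`/`summarize` functions are this example's own.

```python
import re
from typing import List, Tuple

# Constructed excerpt: eight lines copied from the DDS log above, mixing
# four findings with ordinary entries so the rules can be checked for
# false positives too.
DDS_EXCERPT = r"""C:\Windows\system32\lsm.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
2010-12-16 08:02:57 -------- d-sh--w- c:\windows\system32\%APPDATA%
"""

# Rule names returned in findings (names chosen for this example).
RULE_NT_NAMESPACE = "process image referenced outside the drive-letter namespace"
RULE_UAC_OFF = "UAC disabled by policy (EnableLUA = 0)"
RULE_HOSTS_SINKHOLE = "hosts file points a hostname at loopback"
RULE_ENV_DIR = "directory literally named like an unexpanded %VAR%"

# "\\.\..." or "\\?\..." at the start of the image path, or a \Device\
# component anywhere: a path resolved through the NT object manager, which a
# normal process listing never shows for a benign image.
NT_NAMESPACE = re.compile(r'^"?\\\\[.?]\\|\\Device\\', re.IGNORECASE)
POLICY = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
HOSTS = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")
# A %NAME% that is a path component (preceded by a backslash), not a variable
# reference at the start of a command line such as %ProgramFiles%\...
ENV_DIR = re.compile(r"\\%[A-Za-z]+%(\\|$)")

Finding = Tuple[int, str, str]  # (line number, rule, offending line)


def triage_dds(text: str) -> List[Finding]:
    """Run the four rules over DDS output and return every hit, in log order."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if NT_NAMESPACE.search(line):
            findings.append((n, RULE_NT_NAMESPACE, line))
        m = POLICY.match(line)
        if m and m.group(1) == "EnableLUA" and m.group(2) == "0":
            findings.append((n, RULE_UAC_OFF, line))
        m = HOSTS.match(line)
        if m and m.group(1).startswith("127.") and m.group(2).lower() != "localhost":
            findings.append((n, RULE_HOSTS_SINKHOLE, line))
        if ENV_DIR.search(line):
            findings.append((n, RULE_ENV_DIR, line))
    return findings


def summarize(findings: List[Finding]) -> List[str]:
    """One readable line per finding, as an analyst would paste into a reply."""
    return [f"line {n}: {rule}: {line}" for n, rule, line in findings]


if __name__ == "__main__":
    for s in summarize(triage_dds(DDS_EXCERPT)):
        print(s)
```

Each rule is deliberately narrow: `%ProgramFiles%\...` at the head of a Run entry is an ordinary variable reference and is not flagged, and `127.0.0.1 localhost` in the hosts file is the one loopback mapping that belongs there. The same function can be pointed at a full DDS log; the findings are a starting list for a reply like the one above, not a verdict.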




#2 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 29 December 2010 - 10:58 PM

Hi Steve48224,



Welcome to BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis, I will be helping you to deal with your Malware problems today.

Please advise me in your next reply if you have a Vista install DVD handy or only have the pre-installed recovery options (recovery partition) instead. For more info: Here.


Step 1

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\TDSSKiller folder). Please copy and paste the contents of that file here.


In your next reply, please post back:

1. TDSSKiller log

#3 Steve48224
  • Topic Starter

  • Members
  • 11 posts

Posted 30 December 2010 - 11:07 PM

I've only got the pre-installed recovery options, no install disc.

Here's the TDSSKiller log.

2010/12/30 14:16:37.0334 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/30 14:16:37.0334 ================================================================================
2010/12/30 14:16:37.0334 SystemInfo:
2010/12/30 14:16:37.0334
2010/12/30 14:16:37.0334 OS Version: 6.0.6002 ServicePack: 2.0
2010/12/30 14:16:37.0334 Product type: Workstation
2010/12/30 14:16:37.0334 ComputerName: CJ
2010/12/30 14:16:37.0335 UserName: Master
2010/12/30 14:16:37.0335 Windows directory: C:\Windows
2010/12/30 14:16:37.0335 System windows directory: C:\Windows
2010/12/30 14:16:37.0335 Processor architecture: Intel x86
2010/12/30 14:16:37.0335 Number of processors: 2
2010/12/30 14:16:37.0335 Page size: 0x1000
2010/12/30 14:16:37.0335 Boot type: Normal boot
2010/12/30 14:16:37.0335 ================================================================================
2010/12/30 14:16:38.0080 Initialize success
2010/12/30 14:16:48.0933 ================================================================================
2010/12/30 14:16:48.0933 Scan started
2010/12/30 14:16:48.0933 Mode: Manual;
2010/12/30 14:16:48.0933 ================================================================================
2010/12/30 14:16:50.0040 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2010/12/30 14:16:50.0281 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2010/12/30 14:16:50.0460 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2010/12/30 14:16:50.0518 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2010/12/30 14:16:50.0569 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2010/12/30 14:16:51.0012 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2010/12/30 14:16:51.0301 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2010/12/30 14:16:51.0392 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2010/12/30 14:16:51.0643 aliide (3d76fda1a10acc3dc84728f55c29b6d4) C:\Windows\system32\drivers\aliide.sys
2010/12/30 14:16:51.0813 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2010/12/30 14:16:51.0859 amdide (5b92e7839f5a1fbc1b39de67758ad6f8) C:\Windows\system32\drivers\amdide.sys
2010/12/30 14:16:51.0932 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2010/12/30 14:16:52.0193 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
2010/12/30 14:16:52.0461 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2010/12/30 14:16:52.0740 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2010/12/30 14:16:52.0916 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/12/30 14:16:53.0091 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2010/12/30 14:16:53.0517 athr (600efe56f37adbd65a0fb076b50d1b8d) C:\Windows\system32\DRIVERS\athr.sys
2010/12/30 14:16:53.0833 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2010/12/30 14:16:54.0267 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2010/12/30 14:16:54.0724 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2010/12/30 14:16:55.0097 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2010/12/30 14:16:55.0206 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2010/12/30 14:16:55.0464 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2010/12/30 14:16:55.0620 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2010/12/30 14:16:55.0798 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2010/12/30 14:16:56.0160 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2010/12/30 14:16:56.0495 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2010/12/30 14:16:56.0807 CAMTHWDM (0a110efb1307b1c1aa19ebe0b53790ae) C:\Windows\system32\DRIVERS\CAMTHWDM.sys
2010/12/30 14:16:57.0016 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/12/30 14:16:57.0434 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2010/12/30 14:16:57.0585 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2010/12/30 14:16:57.0757 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2010/12/30 14:16:58.0171 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/12/30 14:16:58.0493 cmdide (d36372a6ea6805efbe8884d10772313f) C:\Windows\system32\drivers\cmdide.sys
2010/12/30 14:16:58.0787 CnxtHdAudService (dda0cb141150fef87419926790cd26c8) C:\Windows\system32\drivers\CHDRT32.sys
2010/12/30 14:16:59.0082 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2010/12/30 14:16:59.0352 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2010/12/30 14:16:59.0547 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2010/12/30 14:16:59.0819 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2010/12/30 14:17:00.0120 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2010/12/30 14:17:00.0396 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2010/12/30 14:17:00.0574 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
2010/12/30 14:17:00.0826 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2010/12/30 14:17:01.0401 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2010/12/30 14:17:01.0581 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2010/12/30 14:17:02.0010 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2010/12/30 14:17:02.0281 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2010/12/30 14:17:02.0515 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2010/12/30 14:17:02.0733 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2010/12/30 14:17:02.0933 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2010/12/30 14:17:02.0983 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2010/12/30 14:17:03.0039 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/12/30 14:17:03.0218 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2010/12/30 14:17:03.0441 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2010/12/30 14:17:03.0493 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2010/12/30 14:17:03.0631 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2010/12/30 14:17:03.0788 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2010/12/30 14:17:03.0863 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/12/30 14:17:03.0972 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/12/30 14:17:04.0004 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/12/30 14:17:04.0148 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2010/12/30 14:17:04.0241 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2010/12/30 14:17:04.0561 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\Windows\system32\DRIVERS\HpqKbFiltr.sys
2010/12/30 14:17:04.0854 HSF_DPV (cc267848cb3508e72762be65734e764d) C:\Windows\system32\DRIVERS\HSX_DPV.sys
2010/12/30 14:17:05.0119 HSXHWAZL (a2882945cc4b6e3e4e9e825590438888) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
2010/12/30 14:17:05.0428 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2010/12/30 14:17:05.0650 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2010/12/30 14:17:05.0786 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/12/30 14:17:05.0844 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2010/12/30 14:17:06.0147 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2010/12/30 14:17:06.0406 intelide (dd512a049bd7b4bce8a83554c5eff2c1) C:\Windows\system32\drivers\intelide.sys
2010/12/30 14:17:06.0557 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2010/12/30 14:17:06.0873 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/12/30 14:17:07.0332 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2010/12/30 14:17:07.0478 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2010/12/30 14:17:07.0640 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2010/12/30 14:17:07.0700 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2010/12/30 14:17:07.0980 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/12/30 14:17:08.0164 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2010/12/30 14:17:08.0399 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/12/30 14:17:09.0012 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/12/30 14:17:09.0664 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\drivers\kbdhid.sys
2010/12/30 14:17:10.0144 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2010/12/30 14:17:10.0837 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/12/30 14:17:11.0370 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2010/12/30 14:17:11.0927 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2010/12/30 14:17:12.0561 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2010/12/30 14:17:12.0940 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2010/12/30 14:17:13.0246 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2010/12/30 14:17:13.0606 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
2010/12/30 14:17:13.0783 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
2010/12/30 14:17:14.0031 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2010/12/30 14:17:14.0235 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2010/12/30 14:17:14.0449 mouclass (9720d474f216be3b76229cf5999934fe) C:\Windows\system32\DRIVERS\mouclass.sys
2010/12/30 14:17:14.0450 Suspicious file (Forged): C:\Windows\system32\DRIVERS\mouclass.sys. Real md5: 9720d474f216be3b76229cf5999934fe, Fake md5: 5bf6a1326a335c5298477754a506d263
2010/12/30 14:17:14.0462 mouclass - detected Forged file (1)
2010/12/30 14:17:49.0595 Suspicious service (NoAccess): vbma92a1
2010/12/30 14:17:50.0087 vbma92a1 (43b3e66eadf40d33e5885a074f43952a) C:\Windows\system32\drivers\vbma92a1.sys
2010/12/30 14:17:50.0087 Suspicious file (NoAccess): C:\Windows\system32\drivers\vbma92a1.sys. md5: 43b3e66eadf40d33e5885a074f43952a
2010/12/30 14:17:50.0100 vbma92a1 - detected Locked service (1)
2010/12/30 14:17:58.0247 ================================================================================
2010/12/30 14:17:58.0247 Scan finished
2010/12/30 14:17:58.0247 ================================================================================
2010/12/30 14:17:58.0276 Detected object count: 2
2010/12/30 14:18:11.0112 Forged file(mouclass) - User select action: Skip
2010/12/30 14:18:11.0123 Locked service(vbma92a1) - User select action: Skip
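The TDSSKiller log above flags two objects: mouclass.sys, for which the tool reports two different hashes for one file, and a driver service it could not open. As an added example, not from this thread and not TDSSKiller's own code, here is a small Python parser for that log format that pulls out each detection, the hash pair for the forged file, the action the user chose, and anything left skipped; the sample lines are copied from the log above.

```python
"""Parse a Kaspersky TDSSKiller text log and pull out what it flagged.

Added example for this thread, written against the log format visible in the
posts; it is not TDSSKiller's code. The sample lines are copied from the log above.
"""
import re
from dataclasses import dataclass

TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ "  # every line starts with a timestamp
MD5 = r"[0-9a-f]{32}"
RE_FORGED = re.compile(TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>"
                      + MD5 + r"), Fake md5: (?P<fake>" + MD5 + r")$")
RE_LOCKED_SVC = re.compile(TS + r"Suspicious service \(NoAccess\): (?P<name>\S+)$")
RE_LOCKED_FILE = re.compile(TS + r"Suspicious file \(NoAccess\): (?P<path>.+?)\. md5: (?P<md5>" + MD5 + r")$")
RE_VERDICT = re.compile(TS + r"(?P<name>\S+) - detected (?P<verdict>.+?) \(\d+\)$")
RE_COUNT = re.compile(TS + r"Detected object count: (?P<n>\d+)$")
RE_ACTION = re.compile(TS + r"(?P<verdict>[A-Za-z ]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\S+)$")
RE_DRIVER = re.compile(TS + r"(?P<name>\S+) \((?P<md5>" + MD5 + r")\) (?P<path>.+)$")  # plain driver line

SAMPLE_LOG = r"""
2010/12/30 14:17:14.0449 mouclass (9720d474f216be3b76229cf5999934fe) C:\Windows\system32\DRIVERS\mouclass.sys
2010/12/30 14:17:14.0450 Suspicious file (Forged): C:\Windows\system32\DRIVERS\mouclass.sys. Real md5: 9720d474f216be3b76229cf5999934fe, Fake md5: 5bf6a1326a335c5298477754a506d263
2010/12/30 14:17:14.0462 mouclass - detected Forged file (1)
2010/12/30 14:17:14.0777 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2010/12/30 14:17:49.0595 Suspicious service (NoAccess): vbma92a1
2010/12/30 14:17:50.0087 vbma92a1 (43b3e66eadf40d33e5885a074f43952a) C:\Windows\system32\drivers\vbma92a1.sys
2010/12/30 14:17:50.0087 Suspicious file (NoAccess): C:\Windows\system32\drivers\vbma92a1.sys. md5: 43b3e66eadf40d33e5885a074f43952a
2010/12/30 14:17:50.0100 vbma92a1 - detected Locked service (1)
2010/12/30 14:17:58.0247 Scan finished
2010/12/30 14:17:58.0276 Detected object count: 2
2010/12/30 14:18:11.0112 Forged file(mouclass) - User select action: Skip
2010/12/30 14:18:11.0123 Locked service(vbma92a1) - User select action: Skip
"""

@dataclass
class Detection:
    name: str = ""
    verdict: str = ""        # "Forged file", "Locked service", ...
    path: str = ""
    real_md5: str = ""       # Forged: the "Real md5"; Locked: the file's md5
    fake_md5: str = ""       # Forged only: the second hash reported; the two differing is the detection
    action: str = ""         # what the user chose at the end: Skip, Cure, Delete, ...

def parse_tdsskiller(text):
    """Return (detections by name, declared object count, clean driver table).

    A detection spans 2-4 lines: "Suspicious ..." line(s), possibly the plain
    "<name> (<md5>) <path>" line, then "<name> - detected <verdict> (1)".
    The pending record is built from the first lines and committed on the verdict.
    """
    detections, drivers, pending, declared = {}, {}, None, None
    for line in text.splitlines():
        if m := RE_FORGED.match(line):
            pending = Detection(path=m["path"], real_md5=m["real"], fake_md5=m["fake"])
        elif m := RE_LOCKED_SVC.match(line):
            pending = Detection(name=m["name"])
        elif m := RE_LOCKED_FILE.match(line):
            pending = pending or Detection()
            pending.path, pending.real_md5 = m["path"], m["md5"]
        elif m := RE_VERDICT.match(line):
            pending = pending or Detection()
            pending.name, pending.verdict = m["name"], m["verdict"]
            detections[m["name"]] = pending
            pending = None
        elif m := RE_COUNT.match(line):
            declared = int(m["n"])
        elif m := RE_ACTION.match(line):
            if m["name"] in detections:
                detections[m["name"]].action = m["action"]
        elif m := RE_DRIVER.match(line):
            drivers[m["name"]] = (m["md5"], m["path"])
    return detections, declared, drivers

def forged_hash_consistent(detections, drivers):
    """For each forged file, does the "Real md5" match the md5 on the driver's own
    enumeration line (it does in this thread's log)? False means the log contradicts itself."""
    return {n: drivers.get(n, ("",))[0] == d.real_md5
            for n, d in detections.items() if d.verdict == "Forged file"}

def summarize(text):
    """Triage lines for the reader: each detection, plus sanity warnings."""
    detections, declared, drivers = parse_tdsskiller(text)
    lines = []
    for d in detections.values():
        hashes = (f"real={d.real_md5} fake={d.fake_md5}" if d.fake_md5 else f"md5={d.real_md5}")
        lines.append(f"{d.verdict}: {d.name} -> {d.path} [{hashes}] user action: {d.action or 'none'}")
    if declared is not None and declared != len(detections):
        lines.append(f"WARNING: log declares {declared} objects but {len(detections)} were parsed")
    skipped = [d.name for d in detections.values() if d.action in ("", "Skip")]
    if skipped:
        lines.append("Not cured in this run (skipped): " + ", ".join(skipped))
    return lines

if __name__ == "__main__":
    for out in summarize(SAMPLE_LOG):
        print(out)
```

Running it on this thread's log shows both objects were skipped, which is why the helper's next post goes after the vbma92a1 service and driver file by hand.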

#4 sundavis (Malware Response Team)

Posted 30 December 2010 - 11:53 PM

Hi Steve48224,



Please note down the following instructions in case you need reference while you're in recovery options. Unplug the internet access after downloading the necessary files in the following:


Step 1

  • If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  • Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Note: If you have Windows Vista, you can skip the recovery console step; in Vista it's in the System Recovery Options menu.
    The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Please download Combofix to your desktop. Do not run it yet.



Step 2

1. Restart the computer.
2. Boot into the Advanced Boot Options screen.
3. Select Repair your computer and press Enter.
4. Select your language preferences and click on Next.
5. Select a user name and type in the password, and then click on OK.
6. Select which operating system you want to restore and then click on Next. The System Recovery Options menu should appear.

Posted Image


7. Select Command Prompt. Once you click on that option, the Command Prompt will open as shown in the following:


Posted Image

8. At the X:\Sources> prompt, type C: and press Enter.

9. At the C:\> prompt, please type sc delete vbma92a1 and press Enter. You should see the message: [SC] DeleteService SUCCESS

(Note: If you get the message "Access is Denied", please type the following command instead: TASKKILL /F /IM vbma92a1 /T and press Enter. Advise me in your next reply.)

10. At the C:\> prompt, please type cd C:\Windows\system32\drivers and press Enter.

11. At the C:\Windows\system32\drivers> prompt, type del vbma92a1.sys and press Enter.

12. Type Exit and reboot your PC. Windows should now reboot. After that, please do the following:

13. Double click on ComboFix and let it run unhindered.

14. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

15. Do not mouse click on ComboFix while it is running. That may cause it to stall.



Step 3

  • Please download OTL and save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste the following bolded text:


    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    svchost.exe
    mouclass.sys
    /md5stop
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90


  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • OTListIt.txt <-- Will be opened and Extra.txt <-- Will be minimized
  • Copy and paste both logs back here in your next reply.


In your next reply, please post back:

1.ComboFix log
2.OTListIt.txt and Extra.txt

If you have problems with one of the steps, simply move on to the next one, and make a note of it in your next reply.

Edited by sundavis, 31 December 2010 - 02:28 AM.


#5 Steve48224 (Topic Starter)

Posted 31 December 2010 - 11:20 AM

I tried each step a few times this morning, and I'm not getting any logs or the results we're looking for.

In step 2, at the command prompt in system recovery options, I got the following message:

'sc' is not recognized as an internal or external command, operable program or batch file.

Trying "TASKKILL" got me the same message.

Combofix would start, but I don't think it ran. No window would ever open, and no log was produced.

OTL would run, but no logs were produced.

#6 sundavis (Malware Response Team)

Posted 31 December 2010 - 11:50 AM

Hi Steve48224,




OK, we'll take another approach. Please do the following:


Step 1

Open Device Manager. How do I get into Windows Device Manager?
Expand "System Devices". Right click "[cmz vmkd] Virtual Bus", choose "Disable".

Posted Image


Step 2

1. Download The Avenger by Swandog and save it to your Desktop.

2. Disconnect from net access by unplugging the router, close all open programs (including IE) and unzip the downloaded avenger.zip file. Then in the new avenger folder created, locate and right click on avenger.exe and select Run As Administrator to run the tool.

3. Okay the warning. When the Avenger display opens, copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.

Files to delete:
c:\windows\assembly\GAC\__AssemblyInfo__.ini
c:\documents and settings\All Users\Application Data\.wtav
C:\Windows\system32\drivers\vbma92a1.sys
c:\windows\system32\6to4v32.dll
C:\WINDOWS\system32\exefile.exe
C:\WINDOWS\system32\mswmqnei.dll
C:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll

Drivers to delete:
vbma92a1


4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.


After that, please rerun ComboFix and OTL and post the logs in your next reply. Thanks.

Edited by sundavis, 31 December 2010 - 05:27 PM.


#7 Steve48224 (Topic Starter)

Posted 31 December 2010 - 12:24 PM

No luck with Avenger. I tried it three times. It starts fine, reboots the computer, but doesn't save a log file. I've tried ComboFix and OTL again, no logs from them, either.

#8 sundavis (Malware Response Team)

Posted 31 December 2010 - 12:38 PM

Hi Steve48224,



Can you navigate to the root of C:\ and check if there are any logs around? If the problem persists, we will take another approach.

#9 Steve48224 (Topic Starter)

Posted 31 December 2010 - 01:26 PM

I looked manually, and I used the search function to find any of the logs, but none of them can be found.

#10 Steve48224 (Topic Starter)

Posted 01 January 2011 - 03:48 PM

I was able to find the OTL log from when we ran it last night.

========== FILES ==========
c:\windows\assembly\GAC\__AssemblyInfo__.ini moved successfully.
File\Folder c:\documents and settings\All Users\Application Data\.wtav not found.
C:\Windows\system32\drivers\vbma92a1.sys moved successfully.
File\Folder c:\windows\system32\6to4v32.dll not found.
File\Folder C:\WINDOWS\system32\exefile.exe not found.
File\Folder C:\WINDOWS\system32\mswmqnei.dll not found.
C:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll moved successfully.
========== SERVICES/DRIVERS ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vbma92a1 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 603718 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 449749 bytes

Total Files Cleaned = 1.00 mb


[EMPTYFLASH]
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.

Total Flash Files Cleaned = 0.00 mb


OTLPE by OldTimer - Version 3.1.43.0 log created on 12312010_183606

#11 Steve48224 (Topic Starter)

Posted 01 January 2011 - 09:02 PM

Things are looking up for the laptop! I was able to run Combofix and OTL and actually get their logs, which is a huge improvement. However, as I was copying and pasting the logs here, I got a "blue screen of death" and now I can't find the new OTL log. The only one there is from last night.

ComboFix Log

ComboFix 11-01-01.01 - Master 01/01/2011 19:57:15.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.878 [GMT -5:00]
Running from: C:\Users\Master\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\.wtav
C:\Users\Master\Documents\cc_20101212_191608.reg
C:\Windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-02 to 2011-01-02 )))))))))))))))))))))))))))))))
.

2011-01-02 01:14:14 . 2011-01-02 01:14:14 -------- d-----w- C:\Users\Default\AppData\Local\temp
2010-12-31 23:36:06 . 2010-12-31 23:36:06 -------- d-----w- C:\_OTL
2010-12-31 23:18:10 . 2010-11-10 04:33:37 6273872 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1153B6BF-D5F9-4104-9154-2050674E6FC6}\mpengine.dll
2010-12-31 20:33:48 . 2010-12-31 20:34:17 -------- d-----r- C:\32788R22FWJFW(0)
2010-12-24 00:55:50 . 2010-12-24 00:55:50 56400 ----a-w- C:\Windows\system32\drivers\tmrkb.sys
2010-12-24 00:55:50 . 2010-12-24 00:55:50 190032 ----a-w- C:\Windows\system32\drivers\tmcomm.sys
2010-12-23 23:45:27 . 2010-12-23 23:45:27 -------- d--h--w- C:\Windows\PIF
2010-12-23 23:15:15 . 2010-12-23 23:15:15 -------- d-----w- C:\Windows\en
2010-12-23 23:08:12 . 2009-09-04 22:44:40 69464 ----a-w- C:\Windows\system32\XAPOFX1_3.dll
2010-12-23 23:08:11 . 2009-09-04 22:44:40 515416 ----a-w- C:\Windows\system32\XAudio2_5.dll
2010-12-23 23:08:10 . 2009-09-04 22:29:34 453456 ----a-w- C:\Windows\system32\d3dx10_42.dll
2010-12-23 23:08:02 . 2006-11-29 18:06:18 3426072 ----a-w- C:\Windows\system32\d3dx9_32.dll
2010-12-23 23:07:39 . 2010-12-23 23:07:39 94040 ----a-w- C:\Program Files\Common Files\Windows Live\.cache\3055331c1cba2f605\DSETUP.dll
2010-12-23 23:07:39 . 2010-12-23 23:07:39 525656 ----a-w- C:\Program Files\Common Files\Windows Live\.cache\3055331c1cba2f605\DXSETUP.exe
2010-12-23 23:07:39 . 2010-12-23 23:07:39 1691480 ----a-w- C:\Program Files\Common Files\Windows Live\.cache\3055331c1cba2f605\dsetup32.dll
2010-12-23 23:07:33 . 2010-12-23 23:07:33 94040 ----a-w- C:\Program Files\Common Files\Windows Live\.cache\2dd27fdc1cba2f603\DSETUP.dll
2010-12-23 23:07:33 . 2010-12-23 23:07:33 525656 ----a-w- C:\Program Files\Common Files\Windows Live\.cache\2dd27fdc1cba2f603\DXSETUP.exe
2010-12-23 23:07:33 . 2010-12-23 23:07:33 1691480 ----a-w- C:\Program Files\Common Files\Windows Live\.cache\2dd27fdc1cba2f603\dsetup32.dll
2010-12-18 18:54:40 . 2010-12-18 18:54:40 -------- d-----w- C:\Users\Master\AppData\Roaming\Malwarebytes
2010-12-18 18:54:07 . 2010-11-29 22:42:18 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2010-12-18 18:54:05 . 2010-12-18 18:54:05 -------- d-----w- C:\ProgramData\Malwarebytes
2010-12-18 18:54:01 . 2010-12-18 20:09:17 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-12-18 18:54:01 . 2010-11-29 22:42:06 20952 ----a-w- C:\Windows\system32\drivers\mbam.sys
2010-12-18 02:14:37 . 2009-06-30 15:37:16 28552 ----a-w- C:\Windows\system32\drivers\pavboot.sys
2010-12-18 01:52:52 . 2010-12-18 01:52:52 -------- d-----w- C:\Program Files\Panda Security
2010-12-16 08:02:57 . 2010-12-16 08:02:57 -------- d-sh--w- C:\Windows\system32\%APPDATA%
2010-12-15 22:55:33 . 2010-12-15 22:55:33 -------- d-----w- C:\Program Files\iPod
2010-12-15 22:55:24 . 2010-12-15 22:56:46 -------- d-----w- C:\Program Files\iTunes
2010-12-15 22:26:21 . 2010-11-03 10:51:57 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
2010-12-15 22:24:59 . 2010-11-02 05:57:27 1469440 ----a-w- C:\Windows\system32\inetcpl.cpl
2010-12-12 23:51:45 . 2010-12-13 01:03:16 -------- d-----w- C:\Program Files\Spybot - Search & Destroy
2010-12-12 23:51:45 . 2010-12-13 01:03:15 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2010-12-09 01:58:36 . 2011-01-01 02:11:21 -------- d-----w- C:\Users\Master\AppData\Local\WinZip
2010-12-09 01:58:36 . 2010-12-09 01:59:15 -------- d-----w- C:\ProgramData\WinZip
2010-12-09 01:44:25 . 2010-12-09 01:44:25 -------- d-----w- C:\Users\Master\AppData\Local\Apps
2010-12-05 19:20:16 . 2010-08-12 16:46:14 758784 ----a-w- C:\Windows\system32\cohelper.dll
2010-12-05 19:20:15 . 2010-12-05 19:20:15 -------- d-----w- C:\Program Files\NVIDIA Corporation
2010-12-04 02:15:53 . 2010-12-04 02:16:04 -------- d-----w- C:\Program Files\Common Files\Adobe
2010-12-04 02:11:46 . 2010-12-04 02:12:22 -------- d-----w- C:\Program Files\Common Files\Motive
2010-12-04 02:11:38 . 2010-12-04 02:11:38 -------- d-----w- C:\ProgramData\Motive
2010-12-04 01:56:44 . 2010-12-23 23:31:25 -------- d-----w- C:\Users\Master\AppData\Local\Windows Live
2010-12-04 01:55:04 . 2009-08-04 08:02:24 754688 ----a-w- C:\Windows\system32\webservices.dll
2010-12-04 01:49:59 . 2009-10-09 21:56:18 1181696 ----a-w- C:\Windows\system32\WsmSvc.dll
2010-12-04 01:49:59 . 2009-10-09 21:56:03 246272 ----a-w- C:\Windows\system32\WSManHTTPConfig.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:38:30 . 2010-11-29 22:38:30 94208 ----a-w- C:\Windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 . 2010-11-29 22:38:30 69632 ----a-w- C:\Windows\system32\QuickTime.qts
2010-11-12 23:53:06 . 2010-04-21 00:56:09 472808 ----a-w- C:\Windows\system32\deployJava1.dll
2010-10-19 15:41:44 . 2009-10-02 22:08:29 222080 ------w- C:\Windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 23:56:04 972080]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-21 02:25:11 125952]
"Pando Media Booster"="C:\Program Files\Pando Networks\Media Booster\PMB.exe" [2009-12-26 21:05:43 2935480]
"VeohPlugin"="C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 14:01:16 2634048]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 02:25:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 18:05:10 1049896]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2008-09-24 00:21:52 468264]
"UpdateLBPShortCut"="C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 01:11:32 210216]
"UpdatePSTShortCut"="C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 03:42:38 210216]
"QlbCtrl.exe"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 23:14:02 202032]
"UpdateP2GoShortCut"="C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 01:11:32 210216]
"UpdatePDIRShortCut"="C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 01:11:32 210216]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 14:58:56 75008]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 23:24:20 54840]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 21:51:00 488752]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2009-07-23 20:39:04 13797920]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2010-03-12 22:41:16 119152]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2010-06-29 04:00:16 74752]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 09:47:04 35760]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 04:07:44 932288]
"DivXUpdate"="C:\Program Files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 20:04:06 1164584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2010-11-29 22:38:18 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2010-12-13 22:16:18 421160]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 16:44:46 248552]

C:\Users\Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtariBanner]
2001-05-22 22:17:32 49152 ----a-w- C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-09-23 05:47:30 4240760 ----a-w- C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-68370313-1866952282-1315329875-1000]
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 17:16:28 130384]
R2 Icecast-trunk;Icecast-trunk Streaming Media Server;C:\Program Files\Icecast2 Win32\icecastService.exe [2008-05-24 19:02:50 417792]
R2 Norton Internet Security;Norton Internet Security;C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys [2010-03-12 22:41:16 30576]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 17:16:28 753504]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 02:23:21 16896]
S2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe [2008-01-21 02:23:43 21504]
S2 CAMTHWDM;WebcamMax, WDM Video Capture;C:\Windows\system32\DRIVERS\CAMTHWDM.sys [2009-08-07 06:42:36 1053056]
S2 Recovery Service for Windows;Recovery Service for Windows;C:\Program Files\SMINST\BLService.exe [2008-10-06 16:54:52 365952]
S3 Com4QLBEx;Com4QLBEx;C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 18:33:26 193840]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda32v.sys [2008-05-09 19:17:32 43040]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-12-31 C:\Windows\Tasks\HPCeeScheduleForMaster.job
- C:\Program Files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-25 22:50:32 . 2008-05-19 18:34:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
Trusted Zone: $talisma_url$
Trusted Zone: ketsujin.com\fighterace
Trusted Zone: ketsujin.com\primary
Trusted Zone: ketsujin.com\update
Trusted Zone: ketsujin.com\www
Trusted Zone: stormofaces.com\www
FF - ProfilePath - C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\2vnvq8wf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/?ref=hp
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Menu Editor: {EDA7B1D7-F793-4e03-B074-E6F303317FB0} - %profile%\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}
FF - Ext: Veoh Video Compass: searchrecs@veoh.com - %profile%\extensions\searchrecs@veoh.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Active WebCam - C:\Program Files\Active WebCam\PY_UNINSTAL.EXE SOFTWARE\PySoft\Act_WebCam
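
As an added example (not part of this thread, and not code from ComboFix or OTL), a small Python triage script that reads the "Reg Loading Points" shapes seen in the log above and flags the three items a responder would question first: EnableLUA = 0 (UAC switched off), Security Center *Override values set to 1 (status alerts suppressed), and a service whose binary is missing, which ComboFix marks with [x]. The sample input is constructed from the shape of the log lines above.

```python
"""Triage the 'Reg Loading Points' shapes from a ComboFix log.

Added example for this thread; not part of ComboFix, OTL or any post above.
It flags three things a responder would question first in the log above:
  * EnableLUA = 0 under policies\system (UAC switched off),
  * Security Center *Override values set to 1 (status alerts suppressed),
  * a service whose binary is missing, shown by ComboFix as '[x]'.
"""
import re

# Constructed sample built from the shape of the log lines above (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R2 Norton Internet Security;Norton Internet Security;C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R2 Icecast-trunk;Icecast-trunk Streaming Media Server;C:\Program Files\Icecast2 Win32\icecastService.exe [2008-05-24 19:02:50 417792]
"""

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
# 'R2 name;description;path [date time size]', or '... [x]' when the file is absent
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]$')


def parse_value(raw):
    """Turn ComboFix's '0 (0x0)' and 'dword:00000001' forms into an int.

    Returns None for non-numeric data such as 'wdmaud.drv'.
    """
    raw = raw.strip()
    m = re.match(r'^dword:([0-9a-fA-F]{8})$', raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'^(\d+)\s*\(0x[0-9a-fA-F]+\)$', raw)
    if m:
        return int(m.group(1))
    return None


def triage(text):
    """Return a list of (finding, where, what) tuples for the log text."""
    findings = []
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            # Registry values that follow belong to this key until the next header.
            current_key = km.group('key').lower()
            continue
        vm = VALUE_RE.match(line)
        if vm and current_key is not None:
            name = vm.group('name')
            value = parse_value(vm.group('value'))
            if current_key.endswith('policies\\system') and name == 'EnableLUA' and value == 0:
                findings.append(('uac_disabled', current_key, name))
            elif 'security center' in current_key and name.endswith('Override') and value == 1:
                findings.append(('security_center_override', current_key, name))
            continue
        sm = SERVICE_RE.match(line)
        if sm and sm.group('info') == 'x':
            # ComboFix prints '[x]' instead of date/size when the service binary is gone.
            findings.append(('service_file_missing', sm.group('name').strip(), sm.group('path')))
    return findings


if __name__ == '__main__':
    for kind, where, what in triage(SAMPLE_LOG):
        print(f'{kind:26} {what}  <- {where}')
```

A missing service binary with the service still registered (as with the Norton entry) is worth noting rather than ignoring: it tells the responder an earlier product was removed incompletely, not that the entry is malicious.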

#12 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts

Posted 02 January 2011 - 12:20 AM

Hi Steve48224,

The ComboFix log isn't complete. Go to Start > Run > copy/paste C:\ComboFix.txt into the Run box and press Enter. That log should open. Copy/paste the contents in your next reply.


Step 1

  • Please download Junction.zip and save it on your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start >> Run >> copy/paste the following command in the Run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
  • A command window opens and starts scanning the system. Wait until a log file opens. Copy and paste the content in your next reply.




Step 2

  • Double click OTL and let it run.
  • Then click the Cleanup button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • Please download OTL and save it to your desktop.
  • Under the Custom Scans/Fixes box at the bottom, copy/paste the following contents of the code box.

    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    svchost.exe
    mouclass.sys
    /md5stop
    %SYSTEMDRIVE%\*.* 
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    
  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • OTListIt.txt <-- Will be opened and Extra.txt <-- Will be minimized
  • Copy and paste both logs back here in your next reply.


In your next reply, please post back:

1. ComboFix log
2. Junction log
3. OTListIt.txt and Extra.txt

Let me know if you have any remaining issues on your pc.

#13 Steve48224

Steve48224
  • Topic Starter

  • Members
  • 11 posts

Posted 02 January 2011 - 07:09 PM

The ComboFix log I posted is all that was generated.

The Junction.exe didn't do anything. I left the command window open for two hours while I went to church, and no log showed up.

OTL worked well. The two logs follow this. The browser still gets redirected, but I can eventually get to where I want to go. The new issue is I'm not able to connect wirelessly. This might be a problem with my provider, though. I can connect with an Ethernet wire.

OTL log:

OTL logfile created on: 1/2/2011 6:45:48 PM - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Users\Master\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18999)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 38.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.01 Gb Total Space | 135.58 Gb Free Space | 61.07% Space Free | Partition Type: NTFS
Drive D: | 10.88 Gb Total Space | 1.48 Gb Free Space | 13.62% Space Free | Partition Type: NTFS

Computer Name: CJ | User Name: Master | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/02 18:44:39 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Master\Desktop\OTL.exe
PRC - [2010/12/14 14:44:04 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/09/16 15:04:06 | 001,164,584 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/07/06 09:01:16 | 002,634,048 | ---- | M] (Veoh Networks) -- C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
PRC - [2010/06/28 23:00:16 | 000,074,752 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Winamp\winampa.exe
PRC - [2010/03/12 17:41:16 | 000,139,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2009/12/26 16:05:43 | 002,935,480 | ---- | M] () -- C:\Program Files\Pando Networks\Media Booster\PMB.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/10/09 09:58:56 | 000,075,008 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
PRC - [2008/10/06 11:54:52 | 000,365,952 | ---- | M] () -- C:\Program Files\SMINST\BLService.exe
PRC - [2008/05/24 14:02:50 | 000,417,792 | ---- | M] () -- C:\Program Files\Icecast2 Win32\icecastService.exe


========== Modules (SafeList) ==========

MOD - [2011/01/02 18:44:39 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Master\Desktop\OTL.exe
MOD - [2010/08/31 10:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe -- (Norton Internet Security)
SRV - [2010/12/08 20:39:02 | 003,020,888 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_aeec0f0.dll -- (Akamai)
SRV - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/18 12:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/12 17:41:16 | 000,139,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2009/09/24 20:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2008/10/06 11:54:52 | 000,365,952 | ---- | M] () [Auto | Running] -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2008/05/24 14:02:50 | 000,417,792 | ---- | M] () [Auto | Running] -- C:\Program Files\Icecast2 Win32\icecastService.exe -- (Icecast-trunk)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\Windows\System32\drivers\NIS\1000000.07D\SRTSPX.SYS -- (SRTSPX)
DRV - File not found [File_System | System | Stopped] -- C:\Windows\System32\drivers\NIS\1000000.07D\SRTSP.SYS -- (SRTSP)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVEX15.SYS -- (NAVEX15)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVENG.SYS -- (NAVENG)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS -- (MRESP50)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS -- (MREMP50)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Master\AppData\Local\Temp\EagleNT.sys -- (EagleNT)
DRV - [2010/08/12 12:07:50 | 000,292,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVNET)
DRV - [2010/08/12 12:07:50 | 000,292,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2010/03/12 17:41:16 | 000,030,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nx6000.sys -- (MSHUSBVideo)
DRV - [2009/08/07 01:42:36 | 001,053,056 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\CAMTHWDM.sys -- (CAMTHWDM)
DRV - [2009/07/23 21:01:00 | 009,791,072 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/04/23 10:33:34 | 000,064,512 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTSTOR.sys -- (RTSTOR)
DRV - [2009/04/10 23:42:54 | 000,073,216 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/10/25 18:12:44 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/10/25 18:12:44 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008/10/25 18:12:43 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/10/03 02:39:28 | 000,222,208 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/05/09 14:17:32 | 000,043,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
DRV - [2008/04/27 13:07:44 | 000,909,824 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/04/24 17:51:46 | 000,014,848 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2008/04/17 13:05:16 | 000,199,344 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/01/20 21:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 21:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 21:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 21:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 21:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 21:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 21:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 21:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 21:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 21:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/20 21:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 21:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 21:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 21:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 21:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 21:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 21:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 21:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 21:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 21:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 21:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 21:23:21 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2008/01/20 21:23:20 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2008/01/20 21:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2007/10/31 20:51:26 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2007/10/31 20:47:54 | 000,208,896 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2007/10/31 20:47:08 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2007/10/17 18:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/06/18 19:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2006/11/02 04:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 04:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 04:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 04:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 04:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 04:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 04:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 04:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 04:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 04:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 03:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 03:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 03:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 03:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 03:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 03:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 02:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 02:30:56 | 000,194,048 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\yk60x86.sys -- (yukonwlh)
DRV - [2005/08/17 06:47:48 | 000,073,696 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdserd.sys -- (sscdserd) SAMSUNG CDMA Modem Diagnostic Serial Port (WDM)
DRV - [2005/08/17 06:46:26 | 000,093,872 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2005/08/17 06:46:20 | 000,008,272 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2005/08/17 06:45:00 | 000,058,352 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
IE - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.facebook.com/?ref=hp"
FF - prefs.js..extensions.enabledItems: {EDA7B1D7-F793-4e03-B074-E6F303317FB0}:1.2.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: searchrecs@veoh.com:1.5.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/17 21:16:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/15 17:50:05 | 000,000,000 | ---D | M]

[2009/06/05 20:51:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Master\AppData\Roaming\Mozilla\Extensions
[2011/01/01 15:54:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\2vnvq8wf.default\extensions
[2010/12/23 19:04:21 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\2vnvq8wf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}(28)
[2010/12/23 19:04:22 | 000,000,000 | ---D | M] (Public Fox) -- C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\2vnvq8wf.default\extensions\{9AA46F4F-4DC7-4c06-97AF-6665170634FE}(29)
[2010/12/23 19:04:23 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\2vnvq8wf.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}(30)
[2009/10/12 19:49:54 | 000,000,000 | ---D | M] (Menu Editor) -- C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\2vnvq8wf.default\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}
[2010/05/31 08:24:48 | 000,000,000 | ---D | M] (Veoh Video Compass) -- C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\2vnvq8wf.default\extensions\searchrecs@veoh.com
[2011/01/01 15:54:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/20 19:56:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/12/23 18:05:15 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2009/09/21 19:52:21 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/12/26 16:05:30 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
[2010/06/28 23:01:22 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2011/01/01 20:14:22 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePDIRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
O4 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000..\Run: [VeohPlugin] C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe (Veoh Networks)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O9 - Extra Button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..Trusted Domains: $talisma_url$ ([]https in Trusted sites)
O15 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..Trusted Domains: ketsujin.com ([fighterace] https in Trusted sites)
O15 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..Trusted Domains: ketsujin.com ([primary] https in Trusted sites)
O15 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..Trusted Domains: ketsujin.com ([update] https in Trusted sites)
O15 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..Trusted Domains: ketsujin.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..Trusted Domains: stormofaces.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} http://ax.emsisoft.com/asquared.cab (a-squared Scanner)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Master\Pictures\Star Wars Stuff\Death Star Memorial Wall.jpg
O24 - Desktop BackupWallPaper: C:\Users\Master\Pictures\Star Wars Stuff\Death Star Memorial Wall.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/02 18:44:33 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Master\Desktop\OTL.exe
[2011/01/01 20:31:20 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/01/01 19:42:27 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/12/31 15:33:48 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW(0)
[2010/12/23 19:55:50 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2010/12/23 19:55:50 | 000,056,400 | ---- | C] (trend_company_name) -- C:\Windows\System32\drivers\tmrkb.sys
[2010/12/23 19:55:50 | 000,000,000 | ---D | C] -- C:\Users\Master\Desktop\log
[2010/12/23 18:45:27 | 000,000,000 | -H-D | C] -- C:\Windows\PIF
[2010/12/23 18:15:15 | 000,000,000 | ---D | C] -- C:\Windows\en
[2010/12/23 18:14:40 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live
[2010/12/18 13:54:40 | 000,000,000 | ---D | C] -- C:\Users\Master\AppData\Roaming\Malwarebytes
[2010/12/18 13:54:07 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/12/18 13:54:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2010/12/18 13:54:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/12/18 13:54:01 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/12/18 13:54:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/12/17 20:52:52 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2010/12/16 03:02:57 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2010/12/15 17:56:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2010/12/15 17:55:33 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/12/15 17:55:24 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/12/15 17:49:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2010/12/15 17:49:20 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/12/12 18:51:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/12/12 18:51:45 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/12/08 20:59:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip
[2010/12/08 20:58:36 | 000,000,000 | ---D | C] -- C:\Users\Master\AppData\Local\WinZip
[2010/12/08 20:58:36 | 000,000,000 | ---D | C] -- C:\ProgramData\WinZip
[2010/12/08 20:58:26 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip
[2010/12/08 20:44:25 | 000,000,000 | ---D | C] -- C:\Users\Master\AppData\Local\Apps
[2010/12/05 14:20:15 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2010/12/03 21:15:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2010/12/03 21:11:46 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Motive
[2010/12/03 21:11:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Motive
[2010/12/03 20:56:44 | 000,000,000 | ---D | C] -- C:\Users\Master\AppData\Local\Windows Live
[2010/12/03 20:52:59 | 000,000,000 | ---D | C] -- C:\Windows\System32\WindowsPowerShell

========== Files - Modified Within 30 Days ==========

[2011/01/02 18:44:39 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Master\Desktop\OTL.exe
[2011/01/02 18:43:02 | 000,000,246 | ---- | M] () -- C:\ProgramData\hpqp.ini
[2011/01/02 18:41:53 | 000,048,222 | ---- | M] () -- C:\ProgramData\nvModes.001
[2011/01/02 18:41:53 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/01/02 18:41:48 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/01/02 18:41:46 | 000,363,576 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/01/02 18:41:42 | 000,048,222 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2011/01/02 18:41:30 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/01/02 18:41:20 | 1877,331,968 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/02 10:43:58 | 000,028,672 | ---- | M] () -- C:\Users\Master\Desktop\Step1.doc
[2011/01/02 10:43:04 | 000,079,623 | ---- | M] () -- C:\Users\Master\Desktop\Junction.zip
[2011/01/01 20:57:21 | 276,858,934 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/01/01 20:14:22 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/01/01 19:49:19 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/12/31 18:12:55 | 000,000,326 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForMaster.job
[2010/12/31 17:33:09 | 000,010,548 | ---- | M] () -- C:\Users\Master\Documents\otlpe directions 2.odt
[2010/12/31 14:33:15 | 000,010,350 | ---- | M] () -- C:\Users\Master\Desktop\boot directions.odt
[2010/12/31 11:58:28 | 000,010,263 | ---- | M] () -- C:\Users\Master\Documents\avenger instructions 2.odt
[2010/12/31 11:54:04 | 000,000,098 | -H-- | M] () -- C:\Users\Master\Documents\.~lock.avenger instructions.odt#
[2010/12/23 19:55:50 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2010/12/23 19:55:50 | 000,056,400 | ---- | M] (trend_company_name) -- C:\Windows\System32\drivers\tmrkb.sys
[2010/12/23 19:54:16 | 001,113,789 | ---- | M] () -- C:\Users\Master\Desktop\RootkitBuster_3.60.1016.zip
[2010/12/17 21:26:21 | 000,000,036 | ---- | M] () -- C:\Users\Master\AppData\Local\housecall.guid.cache
[2010/12/17 21:16:19 | 000,103,594 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/12/17 21:16:19 | 000,000,000 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/12/16 21:01:47 | 002,034,006 | ---- | M] () -- C:\Users\Master\Documents\Cool Lego Guy Poster.pdf
[2010/12/12 20:05:36 | 000,003,184 | ---- | M] () -- C:\Users\Master\Documents\cc_20101212_200530.reg
[2010/12/12 19:10:07 | 000,040,448 | ---- | M] () -- C:\Users\Master\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/08 20:42:25 | 007,730,747 | ---- | M] () -- C:\Users\Master\Desktop\mariopaintcomposerpc.zip
[2010/12/05 14:18:07 | 000,001,395 | ---- | M] () -- C:\Users\Master\Desktop\DivX Movies.lnk
[2010/12/03 20:44:23 | 000,007,808 | ---- | M] () -- C:\Users\Master\AppData\Local\d3d9caps.dat

========== Files Created - No Company Name ==========

[2011/01/02 10:46:05 | 000,079,623 | ---- | C] () -- C:\Users\Master\Desktop\Junction.zip
[2011/01/02 10:46:01 | 000,028,672 | ---- | C] () -- C:\Users\Master\Desktop\Step1.doc
[2010/12/31 17:33:05 | 000,010,548 | ---- | C] () -- C:\Users\Master\Documents\otlpe directions 2.odt
[2010/12/31 14:33:13 | 000,010,350 | ---- | C] () -- C:\Users\Master\Desktop\boot directions.odt
[2010/12/31 11:58:27 | 000,010,263 | ---- | C] () -- C:\Users\Master\Documents\avenger instructions 2.odt
[2010/12/31 11:54:04 | 000,000,098 | -H-- | C] () -- C:\Users\Master\Documents\.~lock.avenger instructions.odt#
[2010/12/30 23:02:55 | 1877,331,968 | -HS- | C] () -- C:\hiberfil.sys
[2010/12/30 14:13:37 | 276,858,934 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/12/23 19:54:14 | 001,113,789 | ---- | C] () -- C:\Users\Master\Desktop\RootkitBuster_3.60.1016.zip
[2010/12/17 21:26:21 | 000,000,036 | ---- | C] () -- C:\Users\Master\AppData\Local\housecall.guid.cache
[2010/12/17 21:14:37 | 000,028,552 | ---- | C] () -- C:\Windows\System32\drivers\pavboot.sys
[2010/12/16 21:01:47 | 002,034,006 | ---- | C] () -- C:\Users\Master\Documents\Cool Lego Guy Poster.pdf
[2010/12/12 20:05:34 | 000,003,184 | ---- | C] () -- C:\Users\Master\Documents\cc_20101212_200530.reg
[2010/12/08 20:42:03 | 007,730,747 | ---- | C] () -- C:\Users\Master\Desktop\mariopaintcomposerpc.zip
[2010/12/05 14:18:07 | 000,001,395 | ---- | C] () -- C:\Users\Master\Desktop\DivX Movies.lnk
[2010/12/03 20:50:01 | 000,201,184 | ---- | C] () -- C:\Windows\System32\winrm.vbs
[2010/12/03 20:50:01 | 000,004,675 | ---- | C] () -- C:\Windows\System32\wsmanconfig_schema.xml
[2010/12/03 20:50:01 | 000,002,426 | ---- | C] () -- C:\Windows\System32\WsmTxt.xsl
[2010/07/05 15:26:30 | 000,000,171 | ---- | C] () -- C:\Windows\icecast2.ini
[2010/06/25 11:44:54 | 000,000,701 | ---- | C] () -- C:\Users\Master\AppData\Roaming\init.dll
[2010/06/25 11:44:54 | 000,000,006 | ---- | C] () -- C:\Users\Master\AppData\Roaming\SYSTEM32.dll
[2010/06/25 11:44:51 | 000,000,701 | ---- | C] () -- C:\Users\Master\AppData\Roaming\sound.dll
[2010/06/23 19:02:20 | 000,116,736 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2010/06/23 19:02:15 | 000,094,274 | ---- | C] () -- C:\Windows\System32\HPBHEALR.DLL
[2010/03/13 09:26:11 | 001,053,056 | ---- | C] () -- C:\Windows\System32\drivers\CAMTHWDM.sys
[2010/03/03 19:06:44 | 000,000,094 | ---- | C] () -- C:\Users\Master\AppData\Local\fusioncache.dat
[2009/09/21 18:49:52 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/27 14:08:44 | 000,040,448 | ---- | C] () -- C:\Users\Master\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/24 05:26:58 | 000,000,021 | ---- | C] () -- C:\ProgramData\hpqp.txt
[2009/06/30 17:31:38 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/06/06 18:14:22 | 000,007,808 | ---- | C] () -- C:\Users\Master\AppData\Local\d3d9caps.dat
[2009/06/06 07:43:02 | 000,048,222 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/06/06 07:42:10 | 000,048,222 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/06/05 08:19:25 | 000,000,000 | ---- | C] () -- C:\Users\Master\AppData\Local\QSwitch.txt
[2009/06/05 08:19:25 | 000,000,000 | ---- | C] () -- C:\Users\Master\AppData\Local\DSwitch.txt
[2009/06/05 08:19:25 | 000,000,000 | ---- | C] () -- C:\Users\Master\AppData\Local\AtStart.txt
[2009/03/31 04:12:14 | 000,000,105 | ---- | C] () -- C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log
[2009/03/31 04:12:07 | 000,000,032 | ---- | C] () -- C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
[2009/03/31 04:11:43 | 000,000,032 | ---- | C] () -- C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
[2009/03/31 04:11:10 | 000,000,032 | ---- | C] () -- C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
[2009/03/31 04:08:51 | 000,000,032 | ---- | C] () -- C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
[2009/03/31 04:08:16 | 000,000,246 | ---- | C] () -- C:\ProgramData\hpqp.ini
[2008/10/25 19:10:11 | 000,000,109 | ---- | C] () -- C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
[2008/10/25 19:03:58 | 000,000,110 | ---- | C] () -- C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
[2008/10/25 19:01:59 | 000,000,105 | ---- | C] () -- C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
[2008/10/25 19:00:34 | 000,000,107 | ---- | C] () -- C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 04:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== LOP Check ==========

[2009/08/05 17:59:43 | 000,000,000 | ---D | M] -- C:\Users\Master\AppData\Roaming\FloodLightGames
[2010/09/06 17:14:19 | 000,000,000 | ---D | M] -- C:\Users\Master\AppData\Roaming\LEGO Company
[2009/07/01 17:56:30 | 000,000,000 | ---D | M] -- C:\Users\Master\AppData\Roaming\Ludia
[2010/02/07 11:18:18 | 000,000,000 | ---D | M] -- C:\Users\Master\AppData\Roaming\Magic Set Editor
[2010/10/07 17:57:13 | 000,000,000 | ---D | M] -- C:\Users\Master\AppData\Roaming\MonkeyJam
[2010/04/26 17:32:04 | 000,000,000 | ---D | M] -- C:\Users\Master\AppData\Roaming\muvee Technologies
[2009/07/10 20:20:39 | 000,000,000 | ---D | M] -- C:\Users\Master\AppData\Roaming\OpenOffice.org
[2009/08/01 19:57:10 | 000,000,000 | ---D | M] -- C:\Users\Master\AppData\Roaming\PlayFirst
[2009/08/03 18:10:22 | 000,000,000 | ---D | M] -- C:\Users\Master\AppData\Roaming\ScreenSeven
[2009/07/24 08:18:05 | 000,000,000 | ---D | M] -- C:\Users\Master\AppData\Roaming\SPORE Creature Creator
[2009/10/24 19:25:35 | 000,000,000 | ---D | M] -- C:\Users\Master\AppData\Roaming\Unity
[2010/03/13 09:30:03 | 000,000,000 | ---D | M] -- C:\Users\Master\AppData\Roaming\WebcamMax
[2009/06/06 17:24:52 | 000,000,000 | ---D | M] -- C:\Users\Master\AppData\Roaming\WildTangent
[2009/08/07 18:31:35 | 000,000,000 | ---D | M] -- C:\Users\Master\AppData\Roaming\WildTangentv1002
[2010/02/06 19:51:35 | 000,000,000 | ---D | M] -- C:\Users\Master\AppData\Roaming\Wizards of the Coast
[2011/01/02 18:40:17 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: EXPLORER.EXE >
[2008/10/29 01:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008/10/29 22:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\ERDNT\cache\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2008/10/27 21:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2008/01/20 21:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: MOUCLASS.SYS >
[2006/11/02 04:49:54 | 000,031,848 | ---- | M] (Microsoft Corporation) MD5=3C9469DFB3440555DAB070716D768B1E -- C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_3dfa3917\mouclass.sys
[2008/01/20 21:09:47 | 000,034,360 | ---- | M] (Microsoft Corporation) MD5=4A00B3CF90AD075193CA5AEECE71154C -- C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.0.6000.20734_none_4cbafb05ee66fb5a\mouclass.sys
[2008/01/20 21:23:20 | 000,034,360 | ---- | M] (Microsoft Corporation) MD5=5BF6A1326A335C5298477754A506D263 -- C:\Windows\System32\drivers\mouclass.sys
[2008/01/20 21:23:20 | 000,034,360 | ---- | M] (Microsoft Corporation) MD5=5BF6A1326A335C5298477754A506D263 -- C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_8b7c4328\mouclass.sys
[2008/01/20 21:23:20 | 000,034,360 | ---- | M] (Microsoft Corporation) MD5=5BF6A1326A335C5298477754A506D263 -- C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.0.6001.18000_none_4e340b7cd25b3352\mouclass.sys
[2008/01/20 21:09:47 | 000,034,360 | ---- | M] (Microsoft Corporation) MD5=5FBA13C1A1841B0885D316ED3589489D -- C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.0.6000.16609_none_4c56cf70d52c8670\mouclass.sys

< MD5 for: SVCHOST.EXE >
[2008/01/20 21:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\ERDNT\cache\svchost.exe
[2008/01/20 21:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\System32\svchost.exe
[2008/01/20 21:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/01/20 21:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\ERDNT\cache\userinit.exe
[2008/01/20 21:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008/01/20 21:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

< MD5 for: WINLOGON.EXE >
[2009/04/11 01:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\ERDNT\cache\winlogon.exe
[2009/04/11 01:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009/04/11 01:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2008/01/20 21:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

< %SYSTEMDRIVE%\*.* >
[2006/09/18 16:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009/04/11 01:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2006/09/18 16:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2011/01/02 18:41:20 | 1877,331,968 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/03 20:20:18 | 000,000,461 | ---- | M] () -- C:\LOG118.log
[2009/12/01 19:03:00 | 000,000,461 | ---- | M] () -- C:\LOG1361.log
[2009/11/01 14:41:28 | 000,000,461 | ---- | M] () -- C:\LOG27BC.log
[2009/12/01 19:29:09 | 000,000,461 | ---- | M] () -- C:\LOG3D8.log
[2009/11/11 17:26:16 | 000,000,461 | ---- | M] () -- C:\LOG61CE.log
[2010/08/30 16:49:25 | 000,000,461 | ---- | M] () -- C:\LOG6558.log
[2009/11/11 17:12:09 | 000,000,461 | ---- | M] () -- C:\LOG75BB.log
[2009/11/01 14:35:16 | 000,000,461 | ---- | M] () -- C:\LOG7CEC.log
[2010/03/10 17:25:01 | 000,000,461 | ---- | M] () -- C:\LOG80D2.log
[2009/11/01 15:11:24 | 000,000,461 | ---- | M] () -- C:\LOG8FC2.log
[2009/11/01 16:08:14 | 000,000,461 | ---- | M] () -- C:\LOG979F.log
[2009/11/01 15:55:11 | 000,000,461 | ---- | M] () -- C:\LOGA777.log
[2009/12/01 18:03:35 | 000,000,461 | ---- | M] () -- C:\LOGAD8D.log
[2009/11/16 18:11:00 | 000,000,461 | ---- | M] () -- C:\LOGB75D.log
[2009/11/01 15:45:26 | 000,000,461 | ---- | M] () -- C:\LOGB99F.log
[2009/12/01 07:09:52 | 000,000,461 | ---- | M] () -- C:\LOGBA3A.log
[2009/11/18 17:30:40 | 000,000,461 | ---- | M] () -- C:\LOGC976.log
[2009/11/19 18:25:41 | 000,000,461 | ---- | M] () -- C:\LOGD5D5.log
[2009/11/19 18:48:41 | 000,000,461 | ---- | M] () -- C:\LOGE2D0.log
[2009/11/02 17:57:12 | 000,000,461 | ---- | M] () -- C:\LOGE54F.log
[2009/10/04 13:58:33 | 000,000,461 | ---- | M] () -- C:\LOGFF65.log
[2011/01/02 18:41:19 | 2191,200,256 | -HS- | M] () -- C:\pagefile.sys
[2010/12/18 15:08:02 | 000,000,417 | ---- | M] () -- C:\rkill.log

< %SYSTEMDRIVE%\*.exe >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/04/11 01:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009/04/11 01:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/01/20 22:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008/01/20 22:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008/01/20 22:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >
[2010/11/29 17:42:06 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/11/29 17:42:18 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/12/23 19:55:50 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2010/12/23 19:55:50 | 000,056,400 | ---- | M] (trend_company_name) -- C:\Windows\System32\drivers\tmrkb.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\ProgramData\Temp:5C321E34
@Alternate Data Stream - 131 bytes -> C:\ProgramData\Temp:18BFD8F8

< End of report >

Extras log:

OTL Extras logfile created on: 1/2/2011 6:45:48 PM - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Users\Master\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18999)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 38.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.01 Gb Total Space | 135.58 Gb Free Space | 61.07% Space Free | Partition Type: NTFS
Drive D: | 10.88 Gb Total Space | 1.48 Gb Free Space | 13.62% Space Free | Partition Type: NTFS

Computer Name: CJ | User Name: Master | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallOverride" = 1
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 1
"FirewallOverride" = 1
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-68370313-1866952282-1315329875-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03522152-594F-4B8E-8CAD-1237E2F1D740}" = rport=139 | protocol=6 | dir=out | app=system |
"{04DD5E01-1ECE-4E5A-A59B-F08D5C078E06}" = lport=445 | protocol=6 | dir=in | app=system |
"{05B1ABEF-0F91-4A25-A5A0-9A3D7F0ACE3B}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{06941683-D8BE-458A-ACB5-06312DA40692}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{161F8097-66D0-4D4C-AFF5-F24D58FBB700}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{1FEAA93F-141D-496C-AB45-2332BC3CDF0C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{228CE3AD-EDE6-45FE-999D-80ADF6C5D45B}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{22CAD9DB-BB3B-4F6A-86FA-0CC1DECF4E1D}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{24BD0492-EA9E-4D64-8A11-C3F069B3DFDC}" = lport=139 | protocol=6 | dir=in | app=system |
"{276ED771-F16A-42FF-8D33-6ADD40E81C59}" = rport=138 | protocol=17 | dir=out | app=system |
"{2D1D8864-3569-4828-990F-168880EC9BB8}" = lport=49162 | protocol=6 | dir=in | name=akamai netsession interface |
"{320F79FA-E5CA-4831-AE23-ADA047D89146}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{3AE65D77-85F1-442E-95D6-3D42CF5CF398}" = lport=49170 | protocol=6 | dir=in | name=akamai netsession interface |
"{41013DA7-E830-48B9-9331-9F3E11AA7539}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{51CD85C0-14C1-48B8-948F-18692781A819}" = rport=137 | protocol=17 | dir=out | app=system |
"{5B9C2C18-A39C-45E3-B141-5E1BB0801800}" = rport=445 | protocol=6 | dir=out | app=system |
"{61060CB0-A1C6-4247-91F6-0E9B6FEA11EC}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{64AF91A1-668E-4952-80FB-610141B17E65}" = lport=2869 | protocol=6 | dir=in | app=system |
"{77A39D96-928C-409A-ABB5-92AADAAEC51B}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{8391AC5A-E979-4D86-ADEB-2C66A39AF9C3}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{8576E71A-1EF6-43BD-8787-880053C872F1}" = lport=5000 | protocol=17 | dir=in | name=akamai netsession interface |
"{8AC07DC4-B268-4A2A-88A5-E98B4D733B94}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{938C3A66-3E7D-477D-9382-6A9529418CD9}" = lport=5000 | protocol=17 | dir=in | name=akamai netsession interface |
"{95535EBE-7BC5-4313-B296-28EFAB12B9D5}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{9B4224EF-38C2-4C47-BFB9-E6D608A2F792}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{9E6E451E-0CDF-4E61-8A68-42E8FDE07572}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{9EBCA248-3AA9-4126-93FD-B44776471C75}" = lport=138 | protocol=17 | dir=in | app=system |
"{A50D96D9-40BF-4A78-B6E5-82F9B6207F83}" = lport=53189 | protocol=6 | dir=in | name=akamai netsession interface |
"{AE474662-FB41-423D-B27D-7D2F1A0AB760}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{AFBCAB1A-0E80-49BC-BC29-AE408DA5C905}" = lport=2869 | protocol=6 | dir=in | app=system |
"{B8531B75-1376-475B-BDC0-2ECACE1E22ED}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{C8B6908B-7D7D-4447-ABA2-02B09020B63F}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{ED8F1C03-6454-426E-8D52-0F65DC456D11}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{F13839B8-21AA-4C15-B5D9-3B78EC3B2B8D}" = lport=137 | protocol=17 | dir=in | app=system |
"{FC907377-726F-40FD-9439-119F23338F87}" = rport=10243 | protocol=6 | dir=out | app=system |
"{FD98D104-4BA6-4C01-90B2-A949249E8803}" = lport=10243 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{116E4D05-1782-4CEC-B486-8C0E36EF5903}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{149C5413-332E-4AA7-8BE2-F12BCE5E69E1}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{1FD885FC-F630-4AC3-BCDF-F2BACE36FBA6}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{1FF9B5FA-F576-4093-AFC7-0A218C7D27C9}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{23144737-344F-4046-8521-AA322D5136CB}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{23FDCA5D-A479-407D-B7DE-7BBCBB7B71D5}" = protocol=17 | dir=in | app=c:\users\master\turbine download manager\turbinemessageservice.exe |
"{2467880C-D4DA-4720-B032-4B63CBC990C4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{2DD014AE-7B2B-43FC-8366-E36B96BA540F}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{2E7B2399-824A-4C34-B5B9-603C8EB9852B}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{33A412A5-3AC0-4BBC-B665-48036C0F6AC9}" = protocol=6 | dir=out | app=system |
"{3F3D081C-B1C2-432C-B818-A1220A27CF53}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{3F4199C4-70CF-41DB-B769-3D3B69FE0360}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{4064D856-0B73-406A-B282-FDF4A8FBA2D7}" = protocol=17 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"{450C5AC7-9F27-4267-8321-4524F53124DF}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{4544A0E1-BC7E-449C-8A29-AF84EF4A64F3}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |
"{4902CBA3-3773-4B14-B6C8-7E215919B83C}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{4A7163B6-3633-4CE8-88F5-299F22F2C9B3}" = protocol=6 | dir=in | app=c:\program files\microsoft lifecam\lifetray.exe |
"{4B13CEC6-DD7D-439D-8521-1C7843F6FB46}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{507C65A6-C8B2-4D49-B2FF-035315EDE13B}" = protocol=6 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"{51770EF3-B520-47CF-8C03-1AA6BF69A879}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{54BF9A07-3170-4959-B417-99676A6B4F83}" = protocol=17 | dir=in | app=c:\program files\microsoft lifecam\lifeexp.exe |
"{58990F28-8D8D-41F1-AB68-391B934D2CA0}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{6BB9E056-A9AB-47FC-B1DE-C7472CB96211}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{70D97AE4-8C91-414C-BD9C-00EEE3B6C3A8}" = protocol=6 | dir=in | app=c:\users\master\turbine download manager\turbinemessageservice.exe |
"{74E39EDC-9F9D-4398-82BB-4E6EA73992E1}" = protocol=6 | dir=in | app=c:\program files\microsoft lifecam\lifecam.exe |
"{7AEE88C5-796C-424D-B1BF-8B9C11232D55}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{8515C0A0-1B1D-4F39-9D1E-2C017AAE230B}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{88D487EA-639A-425F-8C59-FFBEA19187A4}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{963265D0-869C-4BE7-B0EC-D3C587E835E4}" = protocol=6 | dir=in | app=c:\users\master\turbine download manager\turbinenetworkservice.exe |
"{9E8E8FE1-30AF-4550-BA10-B17E9B4F66ED}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{A94B0BE4-C408-4BC9-B478-321A6FE42DEE}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{AA6D4DEB-4615-470D-888D-DF385E462A8F}" = protocol=17 | dir=in | app=c:\program files\microsoft lifecam\lifeenc2.exe |
"{B0F0E8E7-54FE-4D6D-9239-42C94C501712}" = dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{B931951E-42B9-4FF8-A025-CBFCA089DAC0}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{BD074FB8-11C2-4434-9E71-008A29BB0711}" = protocol=6 | dir=in | app=c:\program files\microsoft lifecam\lifeexp.exe |
"{C099C277-D9EA-4694-A9CB-1F8EDF1EEB28}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{C63D22EC-3437-4E41-82B3-4DE090A269DA}" = protocol=17 | dir=in | app=c:\program files\microsoft lifecam\lifetray.exe |
"{C824D8BE-01C4-455D-B80B-BC9E5A209102}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{DD4DA2AC-57A2-47A5-95EF-211108AD913E}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{E48E46D4-8C06-4A50-890E-ED26F040C0BB}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |
"{EC5ED285-0B64-458F-B05C-7F743B5A632A}" = protocol=17 | dir=in | app=c:\users\master\turbine download manager\turbinenetworkservice.exe |
"{ED61C351-8182-4832-B535-5B295FEDFF15}" = protocol=17 | dir=in | app=c:\program files\microsoft lifecam\lifecam.exe |
"{EFD704B8-6A0E-4E1A-A52E-7193029E1DA3}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{F2A4AEA4-4B72-45B3-BCB0-AA8DDA93A98A}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{F35484B4-1F1A-466D-B4CC-9B77664C7DCD}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{F5885BE4-CC60-45CF-BB38-77685B5EDD64}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{F71BC8BC-AEE6-4307-A1F8-C3C9E544EB4C}" = protocol=6 | dir=in | app=c:\program files\microsoft lifecam\lifeenc2.exe |
"TCP Query User{01CC9807-D5DF-419E-97CF-5D433F863002}C:\program files\microsoft games\halo server\haloded.exe" = protocol=6 | dir=in | app=c:\program files\microsoft games\halo server\haloded.exe |
"TCP Query User{0A153035-1A68-422D-AF43-8A7581CD157F}C:\program files\icecast2 win32\icecast2win.exe" = protocol=6 | dir=in | app=c:\program files\icecast2 win32\icecast2win.exe |
"TCP Query User{5E481EB7-3A06-4BEA-BD3D-2EC6F86522ED}C:\program files\veoh networks\veohwebplayer\veohwebplayer.exe" = protocol=6 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"TCP Query User{6EB4B037-53D2-438D-8F5F-453504A78867}C:\users\master\desktop\photoboof\utils\webserver\pbapache.exe" = protocol=6 | dir=in | app=c:\users\master\desktop\photoboof\utils\webserver\pbapache.exe |
"TCP Query User{6F869E6C-EB01-4942-B5FF-1B1D722AFEC1}C:\program files\icecast2 win32\icecast2win.exe" = protocol=6 | dir=in | app=c:\program files\icecast2 win32\icecast2win.exe |
"TCP Query User{77AEF0B0-C1EB-4116-A76D-DF73BEADC3FA}C:\program files\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\java.exe |
"UDP Query User{4E596CF2-1265-4855-8806-77035D825BBD}C:\program files\icecast2 win32\icecast2win.exe" = protocol=17 | dir=in | app=c:\program files\icecast2 win32\icecast2win.exe |
"UDP Query User{761C85F4-5A11-473B-8356-ACF412ABAA09}C:\program files\icecast2 win32\icecast2win.exe" = protocol=17 | dir=in | app=c:\program files\icecast2 win32\icecast2win.exe |
"UDP Query User{A98B9CEE-5342-4CC2-B74D-CECA43C6B858}C:\program files\microsoft games\halo server\haloded.exe" = protocol=17 | dir=in | app=c:\program files\microsoft games\halo server\haloded.exe |
"UDP Query User{B65D0709-F2E2-4715-BBCA-7477860BC6AF}C:\program files\veoh networks\veohwebplayer\veohwebplayer.exe" = protocol=17 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"UDP Query User{D3DA3D81-66B5-4A6D-AE7A-3D6A38A3D53C}C:\users\master\desktop\photoboof\utils\webserver\pbapache.exe" = protocol=17 | dir=in | app=c:\users\master\desktop\photoboof\utils\webserver\pbapache.exe |
"UDP Query User{E02B7ED9-9C43-437F-8EA6-6AC21A0200E2}C:\program files\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\java.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0054A0F6-00C9-4498-B821-B5C9578F433E}" = HP Help and Support
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{154A4184-1A3D-4BF9-A5AE-4FA1660445F3}" = HP Total Care Advisor
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 23
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 H2
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Vista
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{415B2719-AD3A-4944-B404-C472DB6085B3}" = Cisco EAP-FAST Module
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 3.7
"{47A3FE80-528F-482B-8143-B3A4645557FC}" = Microsoft LifeCam
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{57A5AEC1-97FC-474D-92C4-908FCC2253D4}" = HP Customer Experience Enhancements
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7B15D70E-9449-4CFB-B9BC-798465B2BD5C}" = Norton Internet Security
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{846DDADA-0239-4B67-A6B1-33658863793B}" = HPTCSSetup
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}" = HP Wireless Assistant
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AD72CFB4-C2BF-424E-9DF0-C7BAD1F30A11}" = Adobe Shockwave Player
"{AEM384L1-28E3-1232-1233-1JD74JDIEK32}_is1" = PDFTigerDriver
"{AF7733C1-FB0B-4FED-9730-E0433AF7A2EF}" = Magic Online
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
"{B6D0B141-B2BE-4DD0-B08F-B9186F3E36B3}" = HP User Guides 0118
"{BA1C3DD8-62E0-7F64-62A3-3BDDE5DFD3C2}" = CrazyCam
"{BEFBEDDF-1417-4C8A-92FB-F003C0D41199}" = OpenOffice.org 3.2
"{C1D6BB50-1911-11DB-6784-0DE05EAD18BE}" = VIDEO GAME TYCOON : Gold Edition
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240C0}" = WinZip 15.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE7E3BE0-2DD3-4416-A690-F9E4A99A8CFF}" = HP Active Support Library
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DD35C328-F115-BEDA-6EEE-E00C5AACCCBC}" = muvee Reveal
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DE252510-5687-4C60-A705-C43E19F12C9D}_is1" = PDFTiger Kernel
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"62289540-dc30-11dc-95ff-0800200c9a66_is1" = Turbine Download Manager
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Active WebCam" = Active WebCam
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Atari Anniversary Edition" = Atari Anniversary Edition
"Build-a-lot" = Build-a-lot
"CCleaner" = CCleaner
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_HERMOSA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CrazyCam.35DE5907E5C0A104824FC8801D6BD46D899C198E.1" = CrazyCam
"DivX Setup.divx.com" = DivX Setup
"HOMESTUDENTR" = Microsoft Office Home and Student 2007 Trial
"Icecast2 Win32_is1" = Icecast 2.3.2
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"Magic Set Editor 2_is1" = Magic Set Editor 2 - 0.3.8 beta
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MonkeyJam_is1" = MonkeyJam 3_050529
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"New LEGO Digital Designer" = LEGO Digital Designer
"NVIDIA Drivers" = NVIDIA Drivers
"PDFTiger_is1" = PDFTiger
"SpywareBlaster_is1" = SpywareBlaster 4.4
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"UnityWebPlayer" = Unity Web Player
"Veoh Web Player Beta" = Veoh Web Player
"WildTangent hp Master Uninstall" = HP Games
"Winamp" = Winamp
"WinLiveSuite" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/20/2010 7:59:58 PM | Computer Name = CJ | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 1479139

Error - 9/20/2010 7:59:59 PM | Computer Name = CJ | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 9/20/2010 7:59:59 PM | Computer Name = CJ | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 1480278

Error - 9/20/2010 7:59:59 PM | Computer Name = CJ | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 1480278

Error - 9/22/2010 4:38:02 PM | Computer Name = CJ | Source = WinMgmt | ID = 10
Description =

Error - 9/22/2010 4:38:18 PM | Computer Name = CJ | Source = HP AdvisorUpdate | ID = 0
Description = Could not find a part of the path 'C:\_pack6\hp-advisor\src\HPAdvisor\Shared\Content\xsd\HPAdvisor.xsd'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String
path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare
share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String
msgPath, Boolean bFromProxy) at System.IO.FileStream..ctor(String path, FileMode
mode, FileAccess access, FileShare share, Int32 bufferSize) at System.Xml.XmlDownloadManager.GetStream(Uri
uri, ICredentials credentials) at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri,
String role, Type ofObjectToReturn) at System.Xml.XmlReader.Create(String inputUri,
XmlReaderSettings settings, XmlParserContext inputContext) at System.Xml.Schema.XmlSchemaSet.Add(String
targetNamespace, String schemaUri) at HPAdvisor.Common.Content.CategoryCollection.ValidateDocument(String
path) ValidateDocument failed Business\SearchTargets.xml

Error - 9/23/2010 7:59:12 PM | Computer Name = CJ | Source = WinMgmt | ID = 10
Description =

Error - 9/23/2010 7:59:18 PM | Computer Name = CJ | Source = HP AdvisorUpdate | ID = 0
Description = Could not find a part of the path 'C:\_pack6\hp-advisor\src\HPAdvisor\Shared\Content\xsd\HPAdvisor.xsd'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String
path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare
share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String
msgPath, Boolean bFromProxy) at System.IO.FileStream..ctor(String path, FileMode
mode, FileAccess access, FileShare share, Int32 bufferSize) at System.Xml.XmlDownloadManager.GetStream(Uri
uri, ICredentials credentials) at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri,
String role, Type ofObjectToReturn) at System.Xml.XmlReader.Create(String inputUri,
XmlReaderSettings settings, XmlParserContext inputContext) at System.Xml.Schema.XmlSchemaSet.Add(String
targetNamespace, String schemaUri) at HPAdvisor.Common.Content.CategoryCollection.ValidateDocument(String
path) ValidateDocument failed Business\SearchTargets.xml

Error - 9/24/2010 6:45:42 AM | Computer Name = CJ | Source = WinMgmt | ID = 10
Description =

Error - 9/24/2010 6:45:53 AM | Computer Name = CJ | Source = HP AdvisorUpdate | ID = 0
Description = Could not find a part of the path 'C:\_pack6\hp-advisor\src\HPAdvisor\Shared\Content\xsd\HPAdvisor.xsd'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String
path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare
share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String
msgPath, Boolean bFromProxy) at System.IO.FileStream..ctor(String path, FileMode
mode, FileAccess access, FileShare share, Int32 bufferSize) at System.Xml.XmlDownloadManager.GetStream(Uri
uri, ICredentials credentials) at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri,
String role, Type ofObjectToReturn) at System.Xml.XmlReader.Create(String inputUri,
XmlReaderSettings settings, XmlParserContext inputContext) at System.Xml.Schema.XmlSchemaSet.Add(String
targetNamespace, String schemaUri) at HPAdvisor.Common.Content.CategoryCollection.ValidateDocument(String
path) ValidateDocument failed Business\SearchTargets.xml

[ System Events ]
Error - 1/2/2011 11:35:28 AM | Computer Name = CJ | Source = Service Control Manager | ID = 7026
Description =

Error - 1/2/2011 11:36:31 AM | Computer Name = CJ | Source = DCOM | ID = 10016
Description =

Error - 1/2/2011 7:29:24 PM | Computer Name = CJ | Source = Service Control Manager | ID = 7000
Description =

Error - 1/2/2011 7:29:24 PM | Computer Name = CJ | Source = Service Control Manager | ID = 7000
Description =

Error - 1/2/2011 7:29:24 PM | Computer Name = CJ | Source = Service Control Manager | ID = 7026
Description =

Error - 1/2/2011 7:29:46 PM | Computer Name = CJ | Source = DCOM | ID = 10016
Description =

Error - 1/2/2011 7:42:49 PM | Computer Name = CJ | Source = Service Control Manager | ID = 7000
Description =

Error - 1/2/2011 7:42:49 PM | Computer Name = CJ | Source = Service Control Manager | ID = 7000
Description =

Error - 1/2/2011 7:42:49 PM | Computer Name = CJ | Source = Service Control Manager | ID = 7026
Description =

Error - 1/2/2011 7:43:20 PM | Computer Name = CJ | Source = DCOM | ID = 10016
Description =


< End of report >
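
The firewall exception lists in the OTL log above are easier to triage by machine than by eye. The following Python script is an added example, not part of the original thread and not OTL's own code; it parses rule lines in the format OTL prints and flags the inbound rules a responder would want to review first: rules created from an interactive unblock prompt, rules whose program lives under a user-writable profile directory, rules whose program is not an absolute path, and port rules bound to no program or service. The sample input is eight lines copied from the log; the categories and the list of user-writable prefixes are my own and are review prompts, not verdicts.

```python
import re
from dataclasses import dataclass

# Sample input: eight rule lines copied from the OTL firewall exception
# lists above (a constructed subset, not the whole log).
SAMPLE_RULES = r'''
"{04DD5E01-1ECE-4E5A-A59B-F08D5C078E06}" = lport=445 | protocol=6 | dir=in | app=system |
"{05B1ABEF-0F91-4A25-A5A0-9A3D7F0ACE3B}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{2D1D8864-3569-4828-990F-168880EC9BB8}" = lport=49162 | protocol=6 | dir=in | name=akamai netsession interface |
"{ED8F1C03-6454-426E-8D52-0F65DC456D11}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{23FDCA5D-A479-407D-B7DE-7BBCBB7B71D5}" = protocol=17 | dir=in | app=c:\users\master\turbine download manager\turbinemessageservice.exe |
"{1FD885FC-F630-4AC3-BCDF-F2BACE36FBA6}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"TCP Query User{6EB4B037-53D2-438D-8F5F-453504A78867}C:\users\master\desktop\photoboof\utils\webserver\pbapache.exe" = protocol=6 | dir=in | app=c:\users\master\desktop\photoboof\utils\webserver\pbapache.exe |
"{C824D8BE-01C4-455D-B80B-BC9E5A209102}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
'''

PROTOCOLS = {"1": "ICMPv4", "6": "TCP", "17": "UDP", "58": "ICMPv6"}

# One OTL rule line: "<rule name>" = key=value | key=value | ... |
LINE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<body>.*)$')
# An absolute Windows path: a drive letter or an %environment% variable, then a backslash
ABS_PATH_RE = re.compile(r'^(%[a-z0-9() ]+%|[a-z]:)\\')
# Directories an unprivileged user can write to (assumed list, extend as needed)
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\documents and settings\\",
                         "%temp%\\", "%appdata%\\", "%localappdata%\\")


@dataclass
class FirewallRule:
    name: str
    fields: dict


def parse_otl_firewall_rules(text):
    """Parse OTL 'Exception List' lines into FirewallRule objects; keys are lowercased."""
    rules = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        fields = {}
        for part in match.group("body").split("|"):
            part = part.strip()
            if part:
                key, _, value = part.partition("=")
                fields[key.strip().lower()] = value.strip()
        rules.append(FirewallRule(match.group("name"), fields))
    return rules


def triage_rule(rule):
    """Return review prompts for one inbound allow rule (an empty list means nothing stood out)."""
    findings = []
    f = rule.fields
    if f.get("dir") != "in":
        return findings  # outbound allow rules add no listening exposure; skip them here
    app = f.get("app", "").lower()
    if rule.name.startswith(("TCP Query User", "UDP Query User")):
        findings.append("created from an interactive unblock prompt")
    if app and app != "system":
        if not ABS_PATH_RE.match(app):
            findings.append("app is not an absolute path")
        elif app.startswith(USER_WRITABLE_PREFIXES):
            findings.append("app lives under a user-writable profile directory")
    if not app and "svc" not in f and "lport" in f:
        proto = PROTOCOLS.get(f.get("protocol", ""), "proto " + f.get("protocol", "?"))
        findings.append(f"{proto} port {f['lport']} open inbound to any program")
    return findings


def triage_otl_firewall_rules(text):
    """Map rule name -> findings, keeping only rules that produced at least one finding."""
    report = {}
    for rule in parse_otl_firewall_rules(text):
        findings = triage_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in triage_otl_firewall_rules(SAMPLE_RULES).items():
        print(name)
        for finding in findings:
            print("   -", finding)
```

On the sample lines this reports four rules: the Akamai port rule (a TCP port open to any program), the SSDP rule whose app is the bare name svchost.exe rather than a full path, the Turbine rule under c:\users, and the "TCP Query User" rule for pbapache.exe, which is both prompt-created and under the user profile. Rules for system, for svchost.exe under %systemroot%, and for the Bonjour binary under Program Files produce nothing. A flag means "look at this binary next", not that the rule is malicious.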

#14 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:01:38 PM

Posted 02 January 2011 - 10:29 PM

Hi Steve48224,



The new issue is I'm not able to connect wirelessly...

Please remove the existing wireless network profile as instructed in this thread. If that does not work, you may try to install this tool to check your networks: click on "networks" in the top left pane area and see which network "Adapter Name" (1st column) is yours on the list.

If your network is busy, you may try to change to another channel by going into your router's setup page and then test your wireless connection. After that, please uninstall the outdated Java (Java™ 6 Update 7) via Programs and Features, and reset your homepage after performing the following instructions:




Step 1

  • Go into the Control Panel (Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave both Checked

    Applications and Applets
    Trace and Log Files
  • Click OK on Delete Temporary Files Window
  • Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


Step 2

  • Please start OTL on your desktop.
  • Under the Custom Scans/Fixes box at the bottom, copy/paste the following contents of code box.

    :OTL
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    IE - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    IE - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
    O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
    O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
    O15 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..Trusted Domains: $talisma_url$ ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..Trusted Domains: ketsujin.com ([fighterace] https in Trusted sites)
    O15 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..Trusted Domains: ketsujin.com ([primary] https in Trusted sites)
    O15 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..Trusted Domains: ketsujin.com ([update] https in Trusted sites)
    O15 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..Trusted Domains: ketsujin.com ([www] https in Trusted sites)
    O15 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..Trusted Domains: stormofaces.com ([www] https in Trusted sites)
    O15 - HKU\S-1-5-21-68370313-1866952282-1315329875-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    
    :reg
    [-HKEY_CLASSES_ROOT\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}]
    
    [HKEY_CLASSES_ROOT\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}]
    @="InProcWbemLevel1Login Class"
    
    [HKEY_CLASSES_ROOT\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}\InprocServer32]
    @=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,74,00,25,\
      00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,62,00,\
      65,00,6d,00,5c,00,77,00,62,00,65,00,6d,00,63,00,6f,00,72,00,65,00,2e,00,64,\
      00,6c,00,6c,00,00,00
    "ThreadingModel"="Both"
    
    :Files
    ipconfig /flushdns /c
     
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [start explorer]
    [Reboot]
    
  • Click the Run Fix button at the top.
  • Click OK and let it run unhindered.
  • OTL will ask to reboot the machine. Please OK the prompt.
  • A report will open. Copy and Paste that report in your next reply.


Step 3

I notice you have MBAM installed on your system. Please rerun it as instructed in the following. Update your virus definitions before proceeding. If you can't update the program, you can download the virus definitions from here and install them manually.
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



In your next reply, please post back:

1. OTL delete log
2. MBAM log

Let me know how things went.

Edited by sundavis, 02 January 2011 - 10:41 PM.
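The :reg section of the OTL fix above deletes the InProcWbemLevel1Login CLSID key and re-creates it with a hex(2)-encoded InprocServer32 value, which is not readable as posted. The following is an added example written for this page, not code from the thread, from OTL or from MBAM: a small Python decoder for that .reg-style fragment. It reads the hex(2)/hex(7) data the way regedit does (UTF-16LE, NUL-terminated) so the path the fix will install can be checked before the script is run. REG_FRAGMENT is copied verbatim from the post; STOCK_WBEMCORE is the stock location of the WMI core DLL, used only for comparison, and the on-disk existence check at the end is an assumption that only means anything when the script is run on the affected Windows machine.

```python
"""Decode the ':reg' section of an OTL/.reg fix script offline.

Added example for this page (not from the thread, OTL or MBAM): parse the
fragment posted above and decode its hex(2) InprocServer32 value.
"""
import os
import re

# The ':reg' section of the OTL script above, copied verbatim.
REG_FRAGMENT = r"""
[-HKEY_CLASSES_ROOT\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}]

[HKEY_CLASSES_ROOT\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}]
@="InProcWbemLevel1Login Class"

[HKEY_CLASSES_ROOT\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}\InprocServer32]
@=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,62,00,\
  65,00,6d,00,5c,00,77,00,62,00,65,00,6d,00,63,00,6f,00,72,00,65,00,2e,00,64,\
  00,6c,00,6c,00,00,00
"ThreadingModel"="Both"
"""

WMI_CLSID = "{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}"
# Stock location of the WMI core DLL (assumed reference value for comparison only).
STOCK_WBEMCORE = r"%systemroot%\system32\wbem\wbemcore.dll"

VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


def _join_continuations(text):
    """Rejoin hex(...) data that .reg files wrap with a trailing backslash."""
    lines, buf = [], None
    for raw in text.splitlines():
        line = raw.strip()
        buf = line if buf is None else buf + line
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        lines.append(buf)
        buf = None
    if buf is not None:
        lines.append(buf)
    return lines


def decode_value(data):
    """Decode one .reg data field into (type name, Python value)."""
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = re.match(r"hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<body>.*)$", data)
    if m is None:
        raise ValueError("unsupported data: %r" % data)
    kind = int(m.group("t") or "3", 16)          # the type number is hexadecimal
    raw = bytes(int(b, 16) for b in m.group("body").split(",") if b)
    if kind == 2:                                # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return "REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\0")
    if kind == 7:                                # REG_MULTI_SZ: NUL-separated, double-NUL end
        return "REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\0") if s]
    return ("REG_BINARY" if kind == 3 else "hex(%x)" % kind), raw


def parse_reg(text):
    """Return the script as ordered ops: ('delete', key) or ('set', key, name, type, value)."""
    ops, current = [], None
    for line in _join_continuations(text):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):              # [-KEY] deletes the whole key
                ops.append(("delete", key[1:]))
                current = None
            else:
                current = key
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("unparsable line: %r" % line)
        name = m.group("name") if m.group("name") is not None else "@"
        vtype, value = decode_value(m.group("data"))
        ops.append(("set", current, name, vtype, value))
    return ops


def inproc_server(ops, clsid):
    """Return the decoded InprocServer32 default value the script sets for clsid, if any."""
    suffix = ("\\CLSID\\" + clsid + "\\InprocServer32").upper()
    for op in ops:
        if op[0] == "set" and op[1].upper().endswith(suffix) and op[2] == "@":
            return op[4]
    return None


if __name__ == "__main__":
    ops = parse_reg(REG_FRAGMENT)
    for op in ops:
        print(op)
    path = inproc_server(ops, WMI_CLSID)
    if path is None:
        print("script sets no InprocServer32 for", WMI_CLSID)
    else:
        ok = path.lower() == STOCK_WBEMCORE.lower()
        print("InprocServer32 ->", path, "(stock WMI path)" if ok else "(UNEXPECTED, inspect first)")
        if os.name == "nt":                      # only meaningful on the affected Windows box
            print("exists on this machine:", os.path.exists(os.path.expandvars(path)))
```

Run it before applying any fix script you did not write yourself: if the decoded InprocServer32 points anywhere other than the stock WMI DLL, or at a file that does not exist on the machine, stop and ask before letting OTL write it.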


#15 Steve48224

Steve48224
  • Topic Starter


Posted 03 January 2011 - 06:02 PM

No luck getting the wireless connection working through either method. I was able to get both OTL and Malware to run, though, and this is the first time Malware ran since I had the problem in the first place. We must be making progress!

OTL log:

All processes killed
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKU\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKU\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\StartPageCache| /E : value set successfully!
HKU\S-1-5-21-68370313-1866952282-1315329875-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-21-68370313-1866952282-1315329875-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\ deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\http deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\http not found.
Registry key HKEY_USERS\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$talisma_url$\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ketsujin.com\fighterace\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ketsujin.com\primary\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ketsujin.com\update\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ketsujin.com\www\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\stormofaces.com\www\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-68370313-1866952282-1315329875-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\http deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
========== REGISTRY ==========
Registry key HKEY_CLASSES_ROOT\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}\ not found.
HKEY_CLASSES_ROOT\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}\\@|"InProcWbemLevel1Login Class" /E : value set successfully!
HKEY_CLASSES_ROOT\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}\InprocServer32\\@|hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,62,00,65,00,6d,00,5c,00,77,00,62,00,65,00,6d,00,63,00,6f,00,72,00,65,00,2e,00,64,00,6c,00,6c,00,00,00 /E : value set successfully!
HKEY_CLASSES_ROOT\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}\InprocServer32\\"ThreadingModel"|"Both" /E : value set successfully!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Master\Desktop\cmd.bat deleted successfully.
C:\Users\Master\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Master
->Temp folder emptied: 3768382 bytes
->Temporary Internet Files folder emptied: 645738 bytes
->Java cache emptied: 33524133 bytes
->FireFox cache emptied: 88762452 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 54463 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 528028 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 121.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Master
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\: LSP stack updated.

OTL by OldTimer - Version 3.2.20.1 log created on 01032011_174029

Files\Folders moved on Reboot...
C:\Users\Master\AppData\Local\Temp\radDE3D4.tmp\bin\x86\sharpwrapi_Win32.dll moved successfully.
C:\Users\Master\AppData\Local\Temp\radDE3D4.tmp\bin\Gadget.Interop.dll moved successfully.
C:\Users\Master\AppData\Local\Temp\ehmsas.txt moved successfully.
C:\Users\Master\AppData\Local\Temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb moved successfully.
C:\Windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb moved successfully.

Registry entries deleted on Reboot...


MBAM Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5450

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

1/3/2011 5:54:09 PM
mbam-log-2011-01-03 (17-54-09).txt

Scan type: Quick scan
Objects scanned: 149121
Time elapsed: 4 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



