Infected with Windows Recovery


  • This topic is locked
7 replies to this topic

#1 The Joy

The Joy

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:35 PM

Posted 27 March 2011 - 01:30 PM

My computer was infected with some malware roughly 2-3 days ago. It seems to be posing under the pseudonym of Windows Recovery. I have tried your rkill and MBAM tutorial to get rid of this. At first I ran rkill, which identified and ended three processes that were running. I then ran MBAM straight after, which only picked up one infection rather than the three shown in your tutorial. I restarted and my documents are still hidden and various program shortcuts and exe's are missing from my desktop and Program Files list. I tried running your tutorial again. Rkill again picked up three processes but MBAM didn't manage to find anything a second time around. Prior to this I had run a full avast and adaware scan and also a spybot scan but none of these detected anything.

I don't get any pop-ups or balloons trying to block me from doing things. The 'My Documents' folder has apparently been wiped, though I can find a few files and shortcuts scattered across my hard drive in random places. As I said above, some programs are missing from my program files list in the start menu, though they show up in the Add/Remove Programs list as well if I look through my C:\, although this is not the same for my documents. I have moved a shortcut to Firefox to my desktop and I can open it with no problems and browse normally with all my settings and tabs/favourites as normal.

I have not included a GMER log as I am running 64-bit Windows Vista Home Premium. My system runs at a speed comparable to before I got the malware, though it is now slow to start programs (e.g. Firefox). When I run programs I do not get intercepted with messages or balloons from the virus.

.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by Bobby at 19:12:36.60 on 27/03/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.940 [GMT 1:00]
.
AV: Emsisoft Anti-Malware *Disabled/Updated* {0ADC9F7D-20C1-240F-01E2-43466EBA893A}
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Emsisoft Anti-Malware *Disabled/Updated* {B1BD7E99-06FB-2B81-3B52-7834153DC387}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\p2phost.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\Advent\AIO\Center\ADAIOHostService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Bobby\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [CollaborationHost] C:\Windows\system32\p2phost.exe -s
mRun: [Ad-Watch] "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe"
mRun: [NPSStartup]
mRun: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Conime] %windir%\system32\conime.exe
mRun: [0150421301089913mcinstcleanup] C:\Users\Bobby\AppData\Local\Temp\015042~1.EXE C:\PROGRA~2\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E19F9331-3110-11d4-991C-005004D3B3DB} - hxxp://java.sun.com/products/plugin/1.3.0_02/jinstall-130_02-win.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB-X64: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Bobby\AppData\Roaming\Mozilla\Firefox\Profiles\ip7u7l07.default\
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;C:\Windows\System32\drivers\Lbd.sys [2009-5-4 68640]
R1 a2injectiondriver;a2injectiondriver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys [2011-3-26 48216]
R1 a2util;a-squared Malware-IDS utility driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys [2011-3-26 14720]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2010-8-2 121936]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [2011-3-26 2964312]
R2 Advent AIO Network Discovery Service;Advent AIO Network Discovery Service;C:\Program Files (x86)\Advent\AIO\Center\ADAIOHostService.exe [2010-9-30 361904]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2010-8-2 20048]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2007-12-14 61008]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-8-2 40384]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-6 27648]
R3 a2acc;a2acc;C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys [2011-3-26 85800]
R3 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-8-2 40384]
R3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-8-2 40384]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk60x64.sys [2006-11-2 273408]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2009-3-9 1029456]
S3 nmwcdcx64;Nokia USB Generic;C:\Windows\System32\drivers\ccdcmbox64.sys [2008-5-2 23552]
S3 nmwcdx64;Nokia USB Phone Parent;C:\Windows\System32\drivers\ccdcmbx64.sys [2008-5-2 18432]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-6-6 19968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-8-18 89920]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2071-07-25 08:13:30 203576 ------w- C:\Program Files (x86)\Microsoft Games\Age of Empires III\autopatcher2.exe
2011-03-27 08:35:17 -------- d-----w- C:\PROGRA~3\Kaspersky Lab Setup Files
2011-03-26 18:28:41 -------- d-----w- C:\Program Files (x86)\Emsisoft Anti-Malware
2011-03-26 13:15:21 -------- d-----w- C:\Users\Bobby\AppData\Roaming\Malwarebytes
2011-03-26 13:15:16 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-03-26 13:15:16 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-03-26 13:15:13 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-03-26 13:15:13 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-03-25 22:02:30 -------- d-----w- C:\PROGRA~3\MFAData
2011-03-25 21:18:51 -------- d-----w- C:\Users\Bobby\AppData\Roaming\SiteAdvisor
2011-03-25 12:34:51 8424784 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{3B1276A1-4DA5-486C-BE16-605E5FE73148}\mpengine.dll
2011-03-23 11:25:45 479744 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-03-23 11:25:45 288768 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2011-03-23 11:25:45 1555968 ----a-w- C:\Windows\System32\DWrite.dll
2011-03-23 11:25:45 1149440 ----a-w- C:\Windows\System32\FntCache.dll
2011-03-23 11:25:45 1068544 ----a-w- C:\Windows\SysWow64\DWrite.dll
2011-03-21 18:37:01 63488 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\ADAiO2PPR.dll
2011-03-21 18:36:54 -------- d-----w- C:\Windows\System32\advent
2011-03-21 18:33:27 -------- d--h--w- C:\Users\Bobby\AppData\Local\DSGi
2011-03-21 18:32:16 -------- d-----w- C:\Windows\SysWow64\advent
2011-03-21 18:29:52 -------- d-----w- C:\Program Files (x86)\Advent
2011-03-21 18:28:19 -------- d--h--w- C:\Users\Bobby\AppData\Roaming\Temp
2011-03-21 18:28:18 -------- d-----w- C:\PROGRA~3\Advent
2011-03-09 14:43:01 731136 ----a-w- C:\Windows\System32\mstsc.exe
2011-03-09 14:43:01 677888 ----a-w- C:\Windows\SysWow64\mstsc.exe
2011-03-09 14:43:01 2425344 ----a-w- C:\Windows\System32\mstscax.dll
2011-03-09 14:43:01 2067968 ----a-w- C:\Windows\SysWow64\mstscax.dll
2011-03-09 14:42:58 559616 ----a-w- C:\Windows\System32\EncDec.dll
2011-03-09 14:42:58 429056 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-03-09 14:42:58 416768 ----a-w- C:\Windows\System32\sbe.dll
2011-03-09 14:42:57 322560 ----a-w- C:\Windows\SysWow64\sbe.dll
2011-03-09 14:42:57 226816 ----a-w- C:\Windows\System32\mpg2splt.ax
2011-03-09 14:42:57 210944 ----a-w- C:\Windows\System32\sbeio.dll
2011-03-09 14:42:57 177664 ----a-w- C:\Windows\SysWow64\mpg2splt.ax
2011-03-09 14:42:57 153088 ----a-w- C:\Windows\SysWow64\sbeio.dll
.
==================== Find3M ====================
.
2011-02-02 21:40:23 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-02-02 18:11:20 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-01-20 16:46:10 900480 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2011-01-20 16:17:15 366592 ----a-w- C:\Windows\System32\winspool.drv
2011-01-20 16:17:03 625152 ----a-w- C:\Windows\System32\dxgi.dll
2011-01-20 16:16:53 287232 ----a-w- C:\Windows\System32\d3d10core.dll
2011-01-20 16:16:52 327680 ----a-w- C:\Windows\System32\d3d10_1core.dll
2011-01-20 16:16:52 196096 ----a-w- C:\Windows\System32\d3d10_1.dll
2011-01-20 16:16:52 1268224 ----a-w- C:\Windows\System32\d3d10.dll
2011-01-20 16:16:47 748544 ----a-w- C:\Windows\System32\stobject.dll
2011-01-20 16:16:40 47104 ----a-w- C:\Windows\System32\cdd.dll
2011-01-20 16:16:10 3548672 ----a-w- C:\Windows\System32\mf.dll
2011-01-20 16:16:08 35840 ----a-w- C:\Windows\System32\printfilterpipelineprxy.dll
2011-01-20 16:14:49 278528 ----a-w- C:\Windows\System32\mfplat.dll
2011-01-20 16:14:49 195072 ----a-w- C:\Windows\System32\mfps.dll
2011-01-20 16:08:16 478720 ----a-w- C:\Windows\SysWow64\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- C:\Windows\SysWow64\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- C:\Windows\SysWow64\d3d10.dll
2011-01-20 16:07:42 258048 ----a-w- C:\Windows\SysWow64\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- C:\Windows\SysWow64\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- C:\Windows\SysWow64\mf.dll
2011-01-20 16:04:54 98816 ----a-w- C:\Windows\SysWow64\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- C:\Windows\SysWow64\mfplat.dll
2011-01-20 15:01:50 3068416 ----a-w- C:\Windows\System32\xpsservices.dll
2011-01-20 15:01:09 1653760 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-01-20 14:59:59 1032192 ----a-w- C:\Windows\System32\printfilterpipelinesvc.exe
2011-01-20 14:58:38 1461760 ----a-w- C:\Windows\System32\OpcServices.dll
2011-01-20 14:57:28 231936 ----a-w- C:\Windows\System32\XpsRasterService.dll
2011-01-20 14:42:00 1257984 ----a-w- C:\Windows\System32\MFH264Dec.dll
2011-01-20 14:41:29 428544 ----a-w- C:\Windows\System32\MFHEAACdec.dll
2011-01-20 14:40:17 345088 ----a-w- C:\Windows\System32\mfreadwrite.dll
2011-01-20 14:40:14 34304 ----a-w- C:\Windows\System32\mfpmp.exe
2011-01-20 14:40:11 377344 ----a-w- C:\Windows\System32\mfmp4src.dll
2011-01-20 14:37:06 2002944 ----a-w- C:\Windows\System32\d3d10warp.dll
2011-01-20 14:35:30 566272 ----a-w- C:\Windows\System32\d3d10level9.dll
2011-01-20 14:28:38 1554432 ----a-w- C:\Windows\SysWow64\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-01-20 14:25:25 847360 ----a-w- C:\Windows\SysWow64\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- C:\Windows\SysWow64\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- C:\Windows\SysWow64\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- C:\Windows\SysWow64\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- C:\Windows\SysWow64\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- C:\Windows\SysWow64\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2011-01-20 14:06:15 834048 ----a-w- C:\Windows\System32\d2d1.dll
2011-01-20 13:47:51 683008 ----a-w- C:\Windows\SysWow64\d2d1.dll
2011-01-08 09:03:01 48128 ----a-w- C:\Windows\System32\atmlib.dll
2011-01-08 08:47:50 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2011-01-08 06:45:51 367104 ----a-w- C:\Windows\System32\atmfd.dll
2011-01-08 06:28:49 292352 ----a-w- C:\Windows\SysWow64\atmfd.dll
2010-12-31 14:16:41 2757632 ----a-w- C:\Windows\System32\win32k.sys
2010-12-28 16:08:18 466944 ----a-w- C:\Windows\System32\odbc32.dll
2010-12-28 15:55:03 413696 ----a-w- C:\Windows\SysWow64\odbc32.dll
.
============= FINISH: 19:14:01.29 ===============
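A worked example of the kind of first-pass review a malware-response helper does on the "Pseudo HJT Report" section of a DDS log like the one above, added here as illustration. It is not part of the original post, not a BleepingComputer tool, and not how DDS itself works. It parses the uRun/mRun lines (assumed here to follow the DDS prefix convention of u = per-user Run key, m = machine Run key) and the TB toolbar lines, using a handful of lines copied from the log above as constructed input, and flags entries worth a second look: Run values with no command, autostart executables living under Temp or AppData, and toolbar CLSIDs whose file is missing. A flag is a prompt to check the file against the "Created Last 30" section, not a verdict: the Temp-directory entry from this log is flagged for where it runs from, and nothing on this page identifies it as malicious.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the DDS "Pseudo HJT Report" above, embedded as constructed
# input so the example runs offline. triage() accepts a whole DDS log as well.
SAMPLE_LOG = r"""
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [CollaborationHost] C:\Windows\system32\p2phost.exe -s
mRun: [Ad-Watch] "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe"
mRun: [NPSStartup]
mRun: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
mRun: [Conime] %windir%\system32\conime.exe
mRun: [0150421301089913mcinstcleanup] C:\Users\Bobby\AppData\Local\Temp\015042~1.EXE C:\PROGRA~2\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mWinlogon: Userinit=userinit.exe,
"""

# "uRun"/"mRun" (optionally "-x64") followed by [value name] and the command line.
RUN_LINE = re.compile(r"^(?P<hive>[um])Run(?:-x64)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Toolbar registrations: CLSID followed by the backing file, or "No File".
TB_LINE = re.compile(r"^TB(?:-X64)?: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
# First path-like token ending in an executable extension, quoted or not.
EXE_PATH = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|scr|com|bat|cmd|pif|dll|vbs|js))(?=["\s]|$)',
                      re.IGNORECASE)
# Directories an unprivileged user, and therefore malware running as that user, can write to.
USER_WRITABLE = re.compile(r"(\\|%)(temp|tmp|appdata|application data|local settings)(\\|%)",
                           re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # "run" or "toolbar"
    name: str    # Run value name or toolbar CLSID
    detail: str  # command line or log line as posted
    reason: str  # why it deserves a look


def executable_of(cmd: str) -> Optional[str]:
    """Return the executable path at the start of a Run command line, without quotes."""
    m = EXE_PATH.match(cmd.strip())
    return m.group("path") if m else None


def triage(log_text: str) -> List[Finding]:
    """Scan DDS-style autorun lines and return the entries worth reviewing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd").strip()
            hive = "HKCU" if m.group("hive") == "u" else "HKLM"  # DDS prefix convention (assumed)
            if not cmd:
                findings.append(Finding("run", name, f"{hive} (empty)",
                                        "Run value with no command: stale or malformed entry"))
                continue
            exe = executable_of(cmd)
            if exe is None:
                findings.append(Finding("run", name, cmd,
                                        "could not identify an executable in the command"))
            elif USER_WRITABLE.search(exe):
                findings.append(Finding("run", name, cmd,
                                        "autostart executable lives in a user-writable location"))
            continue
        m = TB_LINE.match(line)
        if m and m.group("target").strip().lower() == "no file":
            findings.append(Finding("toolbar", m.group("clsid"), line,
                                    "toolbar CLSID registered but its file is missing (orphaned entry)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {f.reason}\n    {f.detail}")
```

Run it on a saved log with `triage(open("dds.txt").read())`; the three flagged entries from the sample are the empty NPSStartup value, the executable under the user's Temp folder, and the orphaned toolbar CLSID. Entries under system32 or Program Files are deliberately left alone here, which is a limitation: a file in a trusted directory still needs its hash and signature checked.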



#2 snemelk

snemelk

    engineer


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:11:35 PM

Posted 02 April 2011 - 01:16 PM

Hi The Joy, and welcome to Bleeping Computer.

Firstly,
Quoting from our tutorial (Remove Windows Recovery (Uninstall Guide)):

This infection family will also hide all the files on your computer from being seen. To make your files visible again, please download the following program to your Desktop:

Unhide.exe (by Grinler)

Once the program has been downloaded, double-click on the Unhide.exe icon on your Desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

Secondly,
Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver
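The Unhide step above clears the hidden attribute that this rogue family sets on the user's files and folders. What follows is an added example in Python of that same operation; it is not Grinler's Unhide.exe and not code from the post, and it uses the Win32 attribute bits through os.stat and a ctypes call to SetFileAttributesW. One policy choice here that the page does not state: entries carrying the System attribute (desktop.ini, pagefile.sys, $Recycle.Bin and similar) are left alone, because Windows hides those on purpose. The decision logic is kept apart from the file walk so it can be checked on constructed (path, attributes) pairs without touching a disk.

```python
import os
import sys
from typing import Iterable, List, Tuple

# Win32 file attribute bits (same values as stat.FILE_ATTRIBUTE_HIDDEN / _SYSTEM).
HIDDEN = 0x2
SYSTEM = 0x4


def new_attributes(attrs: int) -> int:
    """Attributes an entry should end up with: +H cleared unless the entry is +S.

    Skipping +S entries is this example's own policy; the page only says that
    Unhide clears +H from all files.
    """
    if attrs & SYSTEM:
        return attrs
    return attrs & ~HIDDEN


def plan_unhide(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """Return the paths, out of (path, attributes) pairs, whose attributes would change."""
    return [path for path, attrs in entries if new_attributes(attrs) != attrs]


def walk_attributes(root: str) -> Iterable[Tuple[str, int]]:
    """Yield (path, attributes) for every file and folder under root (Windows only)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.stat(path, follow_symlinks=False).st_file_attributes
            except OSError:
                continue  # unreadable or vanished entry: skip rather than abort the run


def unhide_tree(root: str, dry_run: bool = True) -> List[str]:
    """Clear +H under root; with dry_run=True only report what would change."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("file attributes are a Windows concept; run this on the affected machine")
    import ctypes
    kernel32 = ctypes.windll.kernel32
    changed: List[str] = []
    for path, attrs in walk_attributes(root):
        target = new_attributes(attrs)
        if target == attrs:
            continue
        # SetFileAttributesW returns 0 on failure (for example access denied).
        if not dry_run and not kernel32.SetFileAttributesW(path, target):
            continue
        changed.append(path)
    return changed


if __name__ == "__main__":
    if sys.platform.startswith("win"):
        # Dry run over the profile first; repeat with dry_run=False once the list looks right.
        root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
        for p in unhide_tree(root, dry_run=True):
            print("would unhide:", p)
    else:
        # Off Windows only the decision logic can run; show it on a constructed pair.
        print(plan_unhide([("C:\\Users\\Bobby\\Documents\\thesis.doc", HIDDEN | 0x20)]))
```

Run the dry run first and read the list: a user's hidden-on-purpose files will show up in it too, which is the same caveat the post makes about Unhide.exe. Folders are included because the rogue hides the My Documents folder itself, not only the files in it.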


#3 The Joy

The Joy
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:35 PM

Posted 03 April 2011 - 04:51 AM

OTL logfile created on: 03/04/2011 10:37:51 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Bobby\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 43.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 67.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465.76 Gb Total Space | 196.28 Gb Free Space | 42.14% Space Free | Partition Type: NTFS

Computer Name: BOBBY-PC | User Name: Bobby | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/03 10:23:39 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Bobby\Desktop\OTL.exe
PRC - [2011/04/03 01:51:13 | 002,860,800 | ---- | M] (Emsi Software GmbH) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
PRC - [2010/09/30 10:53:18 | 000,361,904 | ---- | M] (DSGi) -- C:\Program Files (x86)\Advent\AIO\Center\ADAIOHostService.exe
PRC - [2010/06/28 21:57:18 | 002,837,864 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/06/28 21:57:15 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/03/22 22:31:37 | 000,524,632 | ---- | M] (Lavasoft) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2008/07/07 09:42:06 | 002,156,368 | RHS- | M] (Safer Networking Limited) -- C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe


========== Modules (SafeList) ==========

MOD - [2011/04/03 10:23:39 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Bobby\Desktop\OTL.exe
MOD - [2011/03/16 16:24:44 | 000,213,160 | ---- | M] (Emsi Software GmbH) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll
MOD - [2010/08/31 16:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/06/28 21:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV:64bit: - [2010/06/28 21:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV:64bit: - [2010/06/28 21:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2008/01/19 09:06:50 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2011/04/03 01:51:13 | 002,860,800 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe -- (a2AntiMalware)
SRV - [2010/09/30 10:53:18 | 000,361,904 | ---- | M] (DSGi) [Auto | Running] -- C:\Program Files (x86)\Advent\AIO\Center\ADAIOHostService.exe -- (Advent AIO Network Discovery Service)
SRV - [2010/03/28 18:59:26 | 000,332,720 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/03/22 22:31:32 | 001,029,456 | ---- | M] (Lavasoft) [Auto | Stopped] -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/03/30 05:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/04/07 10:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/06/28 21:33:00 | 000,061,008 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2009/10/01 01:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2009/04/27 21:51:50 | 000,068,640 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\SysNative\DRIVERS\Lbd.sys -- (Lbd)
DRV:64bit: - [2009/04/11 06:39:37 | 000,032,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\usbser.sys -- (usbser)
DRV:64bit: - [2008/05/13 19:02:43 | 000,868,848 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\Drivers\sptd.sys -- (sptd)
DRV:64bit: - [2008/05/02 10:59:08 | 000,008,704 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\usbser_lowerfltx64j.sys -- (UsbserFilt)
DRV:64bit: - [2008/05/02 10:58:50 | 000,008,704 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\usbser_lowerfltx64.sys -- (upperdev)
DRV:64bit: - [2008/05/02 10:58:48 | 000,023,552 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbox64.sys -- (nmwcdcx64)
DRV:64bit: - [2008/05/02 10:58:48 | 000,018,432 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbx64.sys -- (nmwcdx64)
DRV:64bit: - [2008/02/13 09:20:16 | 000,017,920 | ---- | M] (A4Tech Co.,Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\Amusbx64.sys -- (Amusbprt)
DRV:64bit: - [2007/10/15 04:37:22 | 000,012,288 | ---- | M] ((Standard mouse types)) [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\Amfltx64.sys -- (Amfilter)
DRV:64bit: - [2007/09/17 16:53:34 | 000,029,184 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\pccsmcfdx64.sys -- (pccsmcfd)
DRV:64bit: - [2007/07/03 18:04:44 | 000,142,504 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sscdmdm.sys -- (sscdmdm)
DRV:64bit: - [2007/07/03 18:04:16 | 000,016,040 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sscdmdfl.sys -- (sscdmdfl)
DRV:64bit: - [2007/07/03 18:02:12 | 000,105,128 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV:64bit: - [2006/10/04 02:45:36 | 000,273,408 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\yk60x64.sys -- (yukonx64)
DRV:64bit: - [2006/09/18 22:36:24 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\Wbem\ntfs.mof -- (Ntfs)
DRV - [2011/02/20 21:30:06 | 000,085,800 | ---- | M] (Emsi Software GmbH) [File_System | On_Demand | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys -- (a2acc)
DRV - [2010/09/05 12:25:22 | 000,048,216 | ---- | M] (Emsi Software GmbH) [File_System | System | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys -- (a2injectiondriver)
DRV - [2010/05/05 09:40:54 | 000,014,720 | ---- | M] (Emsi Software GmbH) [Kernel | System | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys -- (a2util)
DRV - [2009/04/07 10:39:44 | 000,016,392 | ---- | M] (Teruten Inc) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\TFsExDisk.Sys -- (TFsExDisk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 76 A7 76 F2 BB 00 CB 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/03/23 23:55:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/03/23 23:55:04 | 000,000,000 | ---D | M]

[2009/02/10 20:25:36 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Bobby\AppData\Roaming\Mozilla\Extensions
[2011/04/03 02:02:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Bobby\AppData\Roaming\Mozilla\Firefox\Profiles\ip7u7l07.default\extensions
[2010/06/30 17:37:52 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Bobby\AppData\Roaming\Mozilla\Firefox\Profiles\ip7u7l07.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/26 19:20:05 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/04/21 19:08:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/15 11:07:14 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/28 22:17:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/12/29 14:20:56 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/26 19:20:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/02/02 22:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/03/18 20:28:47 | 000,001,538 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/03/18 20:28:48 | 000,000,947 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/03/18 20:28:48 | 000,000,769 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/03/18 20:28:48 | 000,001,135 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2006/09/18 22:37:24 | 000,000,736 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [0150421301089913mcinstcleanup] File not found
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Conime] C:\Windows\SysWOW64\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKCU..\Run: [CollaborationHost] File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E19F9331-3110-11d4-991C-005004D3B3DB} http://java.sun.com/products/plugin/1.3.0_02/jinstall-130_02-win.cab (Java Plug-in 1.3.0_02)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.138
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18:64bit: - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Bobby\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Bobby\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{2b8e4fd2-62a2-11df-8f8d-00508db055b2}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe
O33 - MountPoints2\{5384c79d-d26d-11dc-b014-00508db055b2}\Shell\AutoRun\command - "" = F:\InstallTomTomHOME.exe
O33 - MountPoints2\{bd99d580-dc1a-11dd-b67f-00508db055b2}\Shell\AutoRun\command - "" = WDSetup.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32:64bit: VIDC.XFR1 - xfcodec64.dll ()
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/04/03 10:23:23 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Bobby\Desktop\OTL.exe
[2011/03/27 09:35:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab Setup Files
[2011/03/27 09:27:19 | 119,045,240 | ---- | C] (Kaspersky Lab) -- C:\Users\Bobby\Desktop\kis11.0.2.556en_gb.exe
[2011/03/27 09:26:54 | 118,649,736 | ---- | C] (Kaspersky Lab) -- C:\Users\Bobby\Desktop\kav11.0.2.556en_gb.exe
[2011/03/26 19:28:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
[2011/03/26 19:28:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Emsisoft Anti-Malware
[2011/03/26 19:28:41 | 000,000,000 | ---D | C] -- C:\Users\Bobby\Documents\Anti-Malware
[2011/03/26 19:20:03 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2011/03/26 19:20:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2011/03/26 19:20:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2011/03/26 14:15:21 | 000,000,000 | ---D | C] -- C:\Users\Bobby\AppData\Roaming\Malwarebytes
[2011/03/26 14:15:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2011/03/26 14:15:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/26 14:15:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/03/26 14:15:13 | 000,024,152 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2011/03/26 14:15:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/03/25 23:02:30 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2011/03/25 22:18:51 | 000,000,000 | ---D | C] -- C:\Users\Bobby\AppData\Roaming\SiteAdvisor
[2011/03/24 20:00:07 | 000,000,000 | ---D | C] -- C:\Users\Bobby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Recovery
[2011/03/23 12:25:45 | 001,555,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll
[2011/03/23 12:25:45 | 001,068,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\DWrite.dll
[2011/03/23 12:25:45 | 000,479,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsGdiConverter.dll
[2011/03/23 12:25:45 | 000,288,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsGdiConverter.dll
[2011/03/21 19:36:54 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\advent
[2011/03/21 19:33:27 | 000,000,000 | ---D | C] -- C:\Users\Bobby\AppData\Local\DSGi
[2011/03/21 19:33:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advent
[2011/03/21 19:32:16 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\advent
[2011/03/21 19:29:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Advent
[2011/03/21 19:28:19 | 000,000,000 | ---D | C] -- C:\Users\Bobby\AppData\Roaming\Temp
[2011/03/21 19:28:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Advent
[2011/03/09 15:43:01 | 002,425,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstscax.dll
[2011/03/09 15:43:01 | 002,067,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstscax.dll
[2011/03/09 15:43:01 | 000,731,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstsc.exe
[2011/03/09 15:43:01 | 000,677,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstsc.exe
[2011/03/09 15:42:58 | 000,559,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\EncDec.dll
[2011/03/09 15:42:58 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\EncDec.dll
[2011/03/09 15:42:58 | 000,416,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sbe.dll
[2011/03/09 15:42:57 | 000,322,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\sbe.dll
[2011/03/09 15:42:57 | 000,226,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mpg2splt.ax
[2011/03/09 15:42:57 | 000,210,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sbeio.dll
[2011/03/09 15:42:57 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mpg2splt.ax
[2011/03/09 15:42:57 | 000,153,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\sbeio.dll
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/03 10:23:39 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Bobby\Desktop\OTL.exe
[2011/04/03 10:23:00 | 000,504,657 | ---- | M] () -- C:\Users\Bobby\Desktop\unhide.exe
[2011/04/03 10:13:18 | 000,715,876 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/04/03 10:13:18 | 000,617,088 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/04/03 10:13:18 | 000,111,958 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/04/03 10:08:50 | 000,000,054 | ---- | M] () -- C:\Windows\SysWow64\rp_stats.dat
[2011/04/03 10:08:50 | 000,000,039 | ---- | M] () -- C:\Windows\SysWow64\rp_rules.dat
[2011/04/03 10:08:18 | 000,034,895 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2011/04/03 10:08:18 | 000,034,895 | ---- | M] () -- C:\ProgramData\nvModes.001
[2011/04/03 10:08:09 | 000,004,176 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/03 10:08:09 | 000,004,176 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/03 10:07:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/03 10:07:51 | 2145,902,592 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/03 01:48:31 | 000,000,418 | ---- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{C8B8A8BF-8C59-46DA-A5AC-3ABCAC9183E5}.job
[2011/03/27 19:16:29 | 000,293,019 | ---- | M] () -- C:\Users\Bobby\Desktop\gmer.zip
[2011/03/27 19:08:51 | 000,625,664 | ---- | M] () -- C:\Users\Bobby\Desktop\dds.scr
[2011/03/27 19:04:16 | 000,000,020 | ---- | M] () -- C:\Users\Bobby\defogger_reenable
[2011/03/27 19:03:35 | 000,050,477 | ---- | M] () -- C:\Users\Bobby\Desktop\Defogger.exe
[2011/03/27 09:31:59 | 118,649,736 | ---- | M] (Kaspersky Lab) -- C:\Users\Bobby\Desktop\kav11.0.2.556en_gb.exe
[2011/03/27 09:31:42 | 119,045,240 | ---- | M] (Kaspersky Lab) -- C:\Users\Bobby\Desktop\kis11.0.2.556en_gb.exe
[2011/03/26 14:09:57 | 001,006,778 | ---- | M] () -- C:\Users\Bobby\Desktop\iExplore.exe
[2011/03/25 23:01:04 | 000,013,824 | ---- | M] () -- C:\Users\Bobby\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/25 22:56:00 | 000,000,224 | ---- | M] () -- C:\Windows\tasks\McDefragTask.job
[2011/03/25 21:27:16 | 000,000,120 | ---- | M] () -- C:\ProgramData\~47439624r
[2011/03/25 21:27:16 | 000,000,080 | ---- | M] () -- C:\ProgramData\~47439624
[2011/03/25 13:27:56 | 000,001,796 | ---- | M] () -- C:\Users\Bobby\Desktop\Mozilla Firefox.lnk
[2011/03/24 20:00:06 | 000,000,344 | ---- | M] () -- C:\ProgramData\47439624
[2011/03/21 22:24:30 | 000,000,496 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2011/03/21 21:35:54 | 000,019,447 | ---- | M] () -- C:\Users\Bobby\Desktop\TMA01 - Q1.xmcd
[2011/03/21 20:26:45 | 000,073,501 | ---- | M] () -- C:\Users\Bobby\Desktop\TMA01 - Q6.xmcd
[2011/03/20 23:45:59 | 000,055,028 | ---- | M] () -- C:\Users\Bobby\Desktop\Desktop.rar
[2011/03/20 23:45:48 | 000,008,440 | ---- | M] () -- C:\Users\Bobby\Desktop\MC Q1.jpg
[2011/03/20 23:44:24 | 000,012,220 | ---- | M] () -- C:\Users\Bobby\Desktop\MC Q6b.jpg
[2011/03/20 23:44:14 | 000,022,772 | ---- | M] () -- C:\Users\Bobby\Desktop\MC Q6a.jpg
[2011/03/20 17:07:56 | 000,301,568 | ---- | M] () -- C:\Users\Bobby\Desktop\gmer.exe
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/03 10:22:51 | 000,504,657 | ---- | C] () -- C:\Users\Bobby\Desktop\unhide.exe
[2011/03/27 19:16:40 | 000,301,568 | ---- | C] () -- C:\Users\Bobby\Desktop\gmer.exe
[2011/03/27 19:16:24 | 000,293,019 | ---- | C] () -- C:\Users\Bobby\Desktop\gmer.zip
[2011/03/27 19:08:40 | 000,625,664 | ---- | C] () -- C:\Users\Bobby\Desktop\dds.scr
[2011/03/27 19:04:16 | 000,000,020 | ---- | C] () -- C:\Users\Bobby\defogger_reenable
[2011/03/27 19:03:34 | 000,050,477 | ---- | C] () -- C:\Users\Bobby\Desktop\Defogger.exe
[2011/03/26 14:09:37 | 001,006,778 | ---- | C] () -- C:\Users\Bobby\Desktop\iExplore.exe
[2011/03/25 21:36:51 | 000,001,808 | ---- | C] () -- C:\Windows\SysWow64\subst.inf
[2011/03/25 21:36:36 | 000,000,224 | ---- | C] () -- C:\Windows\tasks\McDefragTask.job
[2011/03/25 18:27:02 | 000,000,054 | ---- | C] () -- C:\Windows\SysWow64\rp_stats.dat
[2011/03/25 18:27:02 | 000,000,039 | ---- | C] () -- C:\Windows\SysWow64\rp_rules.dat
[2011/03/25 13:27:56 | 000,001,796 | ---- | C] () -- C:\Users\Bobby\Desktop\Mozilla Firefox.lnk
[2011/03/24 20:00:09 | 000,000,120 | ---- | C] () -- C:\ProgramData\~47439624r
[2011/03/24 20:00:08 | 000,000,080 | ---- | C] () -- C:\ProgramData\~47439624
[2011/03/24 20:00:06 | 000,000,344 | ---- | C] () -- C:\ProgramData\47439624
[2011/03/20 23:45:59 | 000,055,028 | ---- | C] () -- C:\Users\Bobby\Desktop\Desktop.rar
[2011/03/20 23:45:48 | 000,008,440 | ---- | C] () -- C:\Users\Bobby\Desktop\MC Q1.jpg
[2011/03/20 23:44:24 | 000,012,220 | ---- | C] () -- C:\Users\Bobby\Desktop\MC Q6b.jpg
[2011/03/20 23:44:14 | 000,022,772 | ---- | C] () -- C:\Users\Bobby\Desktop\MC Q6a.jpg
[2011/03/20 19:20:47 | 000,073,501 | ---- | C] () -- C:\Users\Bobby\Desktop\TMA01 - Q6.xmcd
[2011/03/20 19:19:23 | 000,019,447 | ---- | C] () -- C:\Users\Bobby\Desktop\TMA01 - Q1.xmcd
[2010/10/09 14:43:02 | 000,327,630 | ---- | C] () -- C:\Windows\SysWow64\Ou32p45.dll
[2010/10/09 14:43:02 | 000,285,734 | ---- | C] () -- C:\Windows\SysWow64\ow32p45.dll
[2010/06/06 12:22:51 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2010/03/19 00:12:04 | 000,034,895 | ---- | C] () -- C:\ProgramData\nvModes.001
[2010/03/19 00:01:59 | 000,034,895 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/08/18 19:47:30 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2009/08/18 19:46:57 | 000,107,612 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchema.bin
[2009/08/18 19:46:27 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2008/12/11 19:20:26 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat
[2008/10/07 10:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008/10/07 10:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2008/08/27 07:46:01 | 000,018,904 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchemaTrivial.bin
[2008/06/06 21:28:46 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2008/02/25 19:25:10 | 000,000,093 | ---- | C] () -- C:\Users\Bobby\AppData\Local\fusioncache.dat
[2008/02/25 19:17:35 | 000,726,298 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2008/01/26 18:32:41 | 000,026,311 | ---- | C] () -- C:\Users\Bobby\AppData\Roaming\UserTile.png
[2008/01/24 20:14:29 | 000,000,032 | ---- | C] () -- C:\ProgramData\ezsid.dat
[2008/01/10 20:55:30 | 000,000,037 | ---- | C] () -- C:\Windows\settings.ini
[2007/12/15 17:04:33 | 000,000,025 | ---- | C] () -- C:\Windows\cdplayer.ini
[2007/12/15 16:55:26 | 000,013,824 | ---- | C] () -- C:\Users\Bobby\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/12/14 21:58:58 | 000,000,680 | ---- | C] () -- C:\Users\Bobby\AppData\Local\d3d9caps.dat
[2007/12/14 19:40:35 | 000,000,552 | ---- | C] () -- C:\Users\Bobby\AppData\Local\d3d8caps.dat
[2007/12/14 19:26:58 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2007/12/14 19:19:40 | 000,000,732 | ---- | C] () -- C:\Users\Bobby\AppData\Local\d3d9caps64.dat
[2007/10/25 18:26:10 | 000,005,632 | ---- | C] () -- C:\Windows\SysWow64\drivers\StarOpen.sys
[2006/11/02 16:37:05 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 13:37:14 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2006/11/02 13:24:17 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2006/11/02 13:18:17 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2006/11/02 10:47:54 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\SysWow64\OUTLPERF.INI

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2011/04/03 10:07:50 | 000,231,612 | ---- | M] () -- C:\aaw7boot.log
[2009/04/11 07:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2007/12/15 11:11:15 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2011/04/03 10:07:51 | 2145,902,592 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/03 10:07:50 | 2459,652,096 | -HS- | M] () -- C:\pagefile.sys
[2011/03/26 23:13:41 | 000,000,446 | ---- | M] () -- C:\rkill.log

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

< End of report >

OTL Extras logfile created on: 03/04/2011 10:37:51 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Bobby\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 43.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 67.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465.76 Gb Total Space | 196.28 Gb Free Space | 42.14% Space Free | Partition Type: NTFS

Computer Name: BOBBY-PC | User Name: Bobby | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = 86 D9 22 CD C7 C8 C8 01 [binary data]
"VistaSp2" = 0F 59 D4 EF F4 C6 CA 01 [binary data]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0315D4DB-BAA2-4172-950D-4ABB90B36124}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{04C83498-2B56-49F9-AC8F-E37DB119EA49}" = rport=10244 | protocol=6 | dir=out | app=system |
"{06724D44-1DA0-4E20-9D90-3404D79142C6}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{0E452A25-D74B-47B2-811B-3E565709A5EA}" = rport=5722 | protocol=6 | dir=out | svc=dfsr | app=%systemroot%\system32\dfsr.exe |
"{0FF53E7B-78E1-4D18-A44B-DB82DF2A60DF}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{11F89D99-3588-4B9B-B96F-43CDAC9BD1DE}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{13DF12B2-5E1F-4654-B136-2E04B539FE45}" = lport=5358 | protocol=6 | dir=in | app=system |
"{1528C912-694E-4E4B-AA1E-6ED2B8FF18AF}" = lport=10244 | protocol=6 | dir=in | app=system |
"{1614F563-9903-4267-9F5C-7B442034D985}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{1B9A0AF2-508B-4081-83DF-3E07111F36C5}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{1C1CB69E-0DAA-4D1A-B65A-740390EB1C62}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{2187AE16-7DA2-46CF-B017-548672C7A512}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{2A7A4B15-BFFC-42F6-A566-64C1293AEB5A}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\netproj.exe |
"{2CB4E75E-A05B-44D4-BDCA-187C7329F805}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{2D7EEF18-6C62-44E2-A5DB-40A1181B22D1}" = lport=5353 | protocol=17 | dir=in | name=bonjour port 5353 |
"{33AA3770-CAAB-46B0-B567-AA7EDE460FF4}" = rport=5722 | protocol=6 | dir=out | svc=dfsr | app=%systemroot%\system32\dfsr.exe |
"{33AF3207-5728-4246-823A-E8F48A8E773A}" = lport=9333 | protocol=6 | dir=in | name=addiscovery |
"{380AFBEC-35AE-481C-A478-6D8E8DD43772}" = rport=3540 | protocol=17 | dir=out | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{3A29E259-7560-4FC5-ABD8-CA3578BEDCC3}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{3D83B9DD-C3E8-40D4-B2C3-D292DE4C953D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{3DEE28C1-36BA-4AEE-AD67-AB5192F0AAB1}" = rport=5358 | protocol=6 | dir=out | app=system |
"{4819365C-25EE-4579-9EF0-DB0407740801}" = lport=3390 | protocol=6 | dir=in | app=system |
"{49482F23-96E1-4B69-969E-DF3354EDB19F}" = rport=5357 | protocol=6 | dir=out | app=system |
"{4A0BB274-FCB8-4E8E-8F78-1CF94606425A}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{4B51D603-D30C-45AE-A7FB-C5071359442F}" = lport=9333 | protocol=6 | dir=in | name=addiscovery |
"{4BAF265C-3D98-41B7-A015-4B57196D0CEB}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{4E841944-0547-47A6-AE43-4BBA3E54F7EE}" = lport=3540 | protocol=17 | dir=in | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{4EF4008A-90D4-41F5-A148-AE627079645B}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{529A9AD4-74AD-4A22-80B7-015F16C713B5}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{5585BD3B-5674-4409-914A-5898A6F95EC3}" = lport=5722 | protocol=6 | dir=in | svc=dfsr | app=%systemroot%\system32\dfsr.exe |
"{569540FC-2FE8-4452-B83D-042FC7CED775}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\netproj.exe |
"{57CB24A1-6563-4803-A98E-7750AC611F85}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{68BDC7EF-309F-4628-944E-CD7C6B1C348B}" = lport=3390 | protocol=6 | dir=in | app=system |
"{68CF2CDA-E685-45E7-ADE8-D58F34EE3FD8}" = lport=2869 | protocol=6 | dir=in | app=system |
"{6CEE0A2E-67F1-47C5-AB32-A0E2EECAB2CA}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{7472DF62-2E7D-4672-8DCE-DCBD3CACDA6B}" = lport=10243 | protocol=6 | dir=in | app=system |
"{74ED3329-17BB-464D-B1CF-17FB4C894EAC}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{7C97840A-2BC5-49E0-9A25-03DB168B5EAD}" = lport=5357 | protocol=6 | dir=in | app=system |
"{7CF1A69A-53FE-4602-A47A-A724AD5285D1}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{7F705976-0DBA-4765-B3E2-50F4A5AEFF60}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{8074144C-FFD5-445D-9B42-ABA0C1E797F8}" = lport=5353 | protocol=17 | dir=in | name=bonjour port 5353 |
"{80BE306D-60CE-4162-B017-A490DF08DF30}" = lport=3587 | protocol=6 | dir=in | svc=p2psvc | app=%systemroot%\system32\svchost.exe |
"{825E2280-9704-4000-A503-EB2D172E34AE}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{8548A0E9-8E2F-402D-A09C-1CB625FF29D2}" = lport=5722 | protocol=6 | dir=in | svc=dfsr | app=%systemroot%\system32\dfsr.exe |
"{8D0C1F08-F7AE-4EE3-A8E0-EEBCF972EA24}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{912A5A7B-998D-4B01-AA31-88D48FCAC20B}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{96014CEA-8974-4181-8551-EBA65CEFA025}" = lport=3587 | protocol=6 | dir=in | svc=p2psvc | app=%systemroot%\system32\svchost.exe |
"{9B5EAD6C-9E4F-4020-9306-C3AF13CFDBD3}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{A4909769-BA64-43AF-AFD9-660F60FC8955}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{A4A9BBA3-19EF-4AB3-83FC-E4EF3599AEF9}" = rport=10244 | protocol=6 | dir=out | app=system |
"{A4D68836-4C31-48C7-AE22-2FEBCB37C8CD}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\netproj.exe |
"{A7837580-C42E-4DA8-9D41-02720E293812}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{B34A71F4-B8FC-4A84-A77E-CB4FC812C7CE}" = rport=10243 | protocol=6 | dir=out | app=system |
"{B46EF5B1-263D-4F1A-BD05-DB38BC4B01C3}" = lport=3540 | protocol=17 | dir=in | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{B9802383-7555-4B33-98BD-8263837129C4}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{BAB2FB7A-1380-4B8C-B55E-7E94CFC2DF93}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{C1AD6DC2-E534-4E4B-9417-A323CCC9B468}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{C5402239-24FD-4724-BAA0-9B1BE3ABDA94}" = lport=10244 | protocol=6 | dir=in | app=system |
"{C9CD4F0D-8F63-4F39-8D77-192E5DDC70E1}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{CA6C5C63-DCD1-4EDD-A1FF-19BD1C10E5F5}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{CED5EE37-E97E-41B2-88A9-DD8E6A03E6E5}" = rport=3587 | protocol=6 | dir=out | svc=p2psvc | app=%systemroot%\system32\svchost.exe |
"{D060D90C-01AC-4613-880A-B76D0B8E7A6F}" = rport=3587 | protocol=6 | dir=out | svc=p2psvc | app=%systemroot%\system32\svchost.exe |
"{E1750F87-3703-4DD4-B986-65A81EDADA24}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{E342489A-79F5-4DE2-81BC-25124F2665C4}" = rport=3540 | protocol=17 | dir=out | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{F744BBAB-62CF-4321-BB14-913BD6B37A06}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\netproj.exe |
"{F8A85C1C-9809-48D2-BC53-AC43DC265A34}" = lport=2869 | protocol=6 | dir=in | app=system |
"{FFF9C29B-4D5D-429F-AC58-E2184E21204B}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02003D04-F148-4F1D-85F3-158263D6C8DA}" = protocol=6 | dir=in | app=c:\program files (x86)\samsung\samsung new pc studio\npsasvr.exe |
"{04E5ED7B-53BF-4ED9-A629-5C833611EBE0}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{0C7F9C47-BACA-494E-8BE1-4DC11A06A9BB}" = protocol=17 | dir=in | app=c:\program files (x86)\kontiki\kservice.exe |
"{13D5CCA0-5217-42BD-BC9C-4C698330088C}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{148F86E5-7FAE-44AA-99C9-849AC208FA90}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{1498EC16-42F6-4618-928E-C718695F0794}" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\game.dat |
"{19376CF0-092D-4CD3-814C-764D2FBA377B}" = protocol=6 | dir=in | app=c:\program files (x86)\ea games\the battle for middle-earth ™\game.dat |
"{1C5B966E-4CE3-4B68-AAF0-9002F1906FA0}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{33D02C5C-5DD4-4032-AFB8-9EC87BEB7763}" = protocol=17 | dir=in | app=c:\program files (x86)\samsung\samsung new pc studio\npsvsvr.exe |
"{34AB2ABD-EC9E-44C2-9854-24207672AB97}" = protocol=6 | dir=in | app=%systemroot%\system32\netproj.exe |
"{36D38351-6ACF-454E-A2D7-AFCDF71CD01C}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{3B4375F9-25DE-4AD2-858D-D818D58AC15D}" = protocol=6 | dir=in | app=c:\program files (x86)\limewire\limewire.exe |
"{3CB9727B-AB77-4566-9806-A2A826367D73}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\medieval ii total war\launcher.exe |
"{3E1F9E73-A9E8-488F-8F9C-A7F0FA6E79AA}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\insaniquarium deluxe\insaniquarium.exe |
"{4456CB16-1865-47FA-BCBC-787C2DDD7235}" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\the battle for middle-earth ™ ii\game.dat |
"{472EF364-327A-4497-8D9F-63F1691CDFD7}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"{4A5DB265-E404-4661-9DE4-3685C544D233}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{4AE7F33C-92AC-4889-BEB7-69BD97812987}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{532310A0-D357-44DB-A1C0-27C6E565C284}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{586A39B0-175C-4B6B-B4DD-29ACD365AEA1}" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\the battle for middle-earth ™ ii\game.dat |
"{58F7A445-0E0A-4AE8-8E3A-27F7840FD6D3}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{5D9E0AD7-3F95-48EE-B18F-60B8AD911B11}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{60A4BECD-8BFD-494F-B945-A6FE8BADD441}" = protocol=6 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{6179368D-9F6C-4405-B6B4-1356E226A6D6}" = protocol=6 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{6190AFEB-9E35-458B-88A4-89F7F2BB7493}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{61C2A58B-EE74-4A7D-871B-4C47A658E625}" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\game.dat |
"{6920E185-60CB-4AF5-9606-B0998912116A}" = protocol=17 | dir=in | app=c:\program files (x86)\common files\mcafee\mna\mcnasvc.exe |
"{6A36D8C8-75C7-4BE3-8991-81CDFA7E2F9F}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{6D88536C-E7EE-4058-AD5A-2566C0B3A863}" = protocol=6 | dir=in | app=%programfiles%\windows collaboration\wincollab.exe |
"{6F2994ED-82BF-46B8-B574-A569973A3B99}" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\the battle for middle-earth ™ ii\game.dat |
"{707890B4-8FD7-46CB-A400-D336C99DB1D5}" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\the battle for middle-earth ™ ii\game.dat |
"{7342E42B-A762-4F5C-BD81-D4F44566294A}" = protocol=6 | dir=in | app=c:\program files (x86)\samsung\samsung new pc studio\npsvsvr.exe |
"{73A957DD-7E1E-497A-9D32-EF3CA53E4B3C}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{73D194B2-FC5C-4757-8154-9233A56C613A}" = protocol=17 | dir=in | app=c:\program files (x86)\samsung\samsung new pc studio\npsasvr.exe |
"{7878EF70-4323-419F-8502-75BD7CEFD231}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\insaniquarium deluxe\insaniquarium.exe |
"{79411B36-D4A2-4B53-AA6A-90C79EBDF86C}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{855FF934-FC2B-496A-9056-AFBF6BDBC6CF}" = protocol=6 | dir=out | app=%programfiles%\windows collaboration\wincollab.exe |
"{8E3CD724-FB66-4244-A652-BFE5B49EF0CB}" = protocol=17 | dir=out | app=%programfiles%\windows collaboration\wincollab.exe |
"{99FE7F1E-0D05-4B8E-B0F9-CDFAECE9D51F}" = protocol=6 | dir=in | app=c:\program files (x86)\kontiki\kservice.exe |
"{A08C387F-DC9D-498F-A7D6-5B686D43B346}" = protocol=17 | dir=in | app=c:\program files (x86)\kontiki\kservice.exe |
"{A303E701-B48B-4ADC-9471-3CB0B69B704E}" = protocol=17 | dir=in | app=%programfiles%\windows collaboration\wincollab.exe |
"{A64EDC4B-51A6-4931-BF66-F38884E6C8C9}" = protocol=6 | dir=in | app=c:\program files (x86)\common files\mcafee\mna\mcnasvc.exe |
"{AA04074F-5DCC-464B-9E3A-FC758D92FABF}" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\game.dat |
"{B8B8255F-492C-4194-BEF7-C43433D68F0D}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{B9276B29-FB8A-4B19-9599-77F844607FB1}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"{BA218F44-7FE1-42AC-83DA-7BD981683574}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe |
"{BAB69B4E-74A3-4B6E-9D9B-E1604EA0750C}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{BCA89B24-CFA6-4F31-80D5-DB294283BED0}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{BFC60C7E-DCD2-4916-BADE-A329389DD153}" = protocol=6 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{BFE3665F-ED48-4A2E-BE5B-FE9E2CC66BDD}" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\game.dat |
"{C055ADF8-BADF-4B36-A9C9-62CE9FEBC6A8}" = protocol=17 | dir=in | app=c:\program files (x86)\ea games\the battle for middle-earth ™\game.dat |
"{C5604CDC-7B66-4D44-B73E-F35BB0BF185D}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{C8F6ECC7-550D-411E-8584-6871BE813115}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\peggle extreme\peggleextreme.exe |
"{CE6293AB-A2CB-4671-8A59-DAB52FE435C0}" = protocol=6 | dir=in | app=c:\program files (x86)\kontiki\kservice.exe |
"{D0C2A94A-7827-4722-BD50-19BAC22A1945}" = protocol=6 | dir=out | app=system |
"{D406CF54-859D-48BA-A0D5-3783437524D4}" = protocol=6 | dir=out | app=%programfiles%\windows collaboration\wincollab.exe |
"{D4C937B9-68A3-4EF2-BDEA-0178F8834023}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{D641D2CE-06CF-4B85-BFFC-D2E869F5C617}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{DB3677B5-C7C0-4D95-B1D2-DA14E2C0E731}" = protocol=6 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{DB40059C-C718-43E3-A69F-C9609BC282B7}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{DFDD2D20-CC47-482D-B419-50A6D70A3818}" = protocol=6 | dir=in | app=%programfiles%\windows collaboration\wincollab.exe |
"{E02F0700-0384-4F68-9236-FC556FFC0D8F}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{E20786C7-61C2-43D2-B7CF-25A01242E5A8}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
"{E735A548-F335-4687-9A1C-87D7EDFDFF44}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\peggle extreme\peggleextreme.exe |
"{E8D31823-94E2-45AE-917B-E231D5202D1C}" = protocol=17 | dir=out | app=%programfiles%\windows collaboration\wincollab.exe |
"{F1A7072C-4F17-4884-AEE5-AC6EF6F4CF00}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F20BFFF4-AE56-4D6E-8C0F-E4119E27A838}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{F3B645F9-3D2D-4655-8CD0-7BB6FFD40DE1}" = protocol=17 | dir=in | app=%programfiles%\windows collaboration\wincollab.exe |
"{F52E3B32-2B7B-4932-91D4-127D1D66A5E9}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\medieval ii total war\launcher.exe |
"{FA09E4E3-CF51-4E9D-9D37-968CD41D57D4}" = protocol=6 | dir=out | app=%systemroot%\system32\netproj.exe |
"{FA9E6878-0D55-4A33-8313-9061EAA2F722}" = protocol=17 | dir=in | app=c:\program files (x86)\limewire\limewire.exe |
"TCP Query User{04B84F03-2706-4CBC-ABF6-F1C530F666C0}C:\program files (x86)\steam\steamapps\common\medieval ii total war\medieval2.exe" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\medieval ii total war\medieval2.exe |
"TCP Query User{082E75C7-6CCC-42FB-9EA3-BFA8F8A7FED0}C:\westwood\ra2\gamemd.exe" = protocol=6 | dir=in | app=c:\westwood\ra2\gamemd.exe |
"TCP Query User{0CF6AA09-E7B8-419E-A173-69FEC17082DD}C:\users\bobby\appdata\locallow\garagegames\iaplayer\products\7000\install\zap.exe" = protocol=6 | dir=in | app=c:\users\bobby\appdata\locallow\garagegames\iaplayer\products\7000\install\zap.exe |
"TCP Query User{1423380E-9801-4C12-A3FA-C2BF50C07832}C:\program files (x86)\xfire\xfire.exe" = protocol=6 | dir=in | app=c:\program files (x86)\xfire\xfire.exe |
"TCP Query User{1625258D-C9D9-4107-BDC0-81BC8C2F2262}C:\program files (x86)\steam\steamapps\spartacus1986\counter-strike source\hl2.exe" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\spartacus1986\counter-strike source\hl2.exe |
"TCP Query User{19F8FF96-B20F-49F6-805C-FB9A062A05AD}C:\program files (x86)\steam\steamapps\spartacus1986\team fortress 2\hl2.exe" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\spartacus1986\team fortress 2\hl2.exe |
"TCP Query User{2D5F1E21-AD8F-4E51-8F6E-B7CA0D708E47}C:\program files (x86)\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\program files (x86)\spotify\spotify.exe |
"TCP Query User{32700B52-411F-4738-9E22-541A1E819E03}C:\program files (x86)\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files (x86)\mozilla firefox\firefox.exe |
"TCP Query User{5408B2E6-14E9-47BE-AA38-22C17E69E5D7}C:\program files (x86)\skype\phone\skype.exe" = protocol=6 | dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"TCP Query User{5BCF25CB-6FD5-4507-8B02-86A9696287E6}C:\program files (x86)\kontiki\khost.exe" = protocol=6 | dir=in | app=c:\program files (x86)\kontiki\khost.exe |
"TCP Query User{609CE3FD-BCE1-46EC-8016-4C4EC2F78937}C:\program files (x86)\electronic arts\red alert 3\data\ra3_1.3.game" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\red alert 3\data\ra3_1.3.game |
"TCP Query User{645D89AF-BA9C-45D7-BC6A-86BFF5F712FD}C:\program files (x86)\electronic arts\eadm\core.exe" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\eadm\core.exe |
"TCP Query User{7D35038F-AA08-41B3-99DD-FB217B02ACD2}C:\program files (x86)\mirc\mirc.exe" = protocol=6 | dir=in | app=c:\program files (x86)\mirc\mirc.exe |
"TCP Query User{8AD91699-53D7-4D55-BC2E-BE8D3DC1591B}C:\program files (x86)\xfire\xfire.exe" = protocol=6 | dir=in | app=c:\program files (x86)\xfire\xfire.exe |
"TCP Query User{9AB74FA5-610A-4044-82D3-D7E54464C072}C:\program files (x86)\azureus\azureus.exe" = protocol=6 | dir=in | app=c:\program files (x86)\azureus\azureus.exe |
"TCP Query User{A34EAABA-A645-4D9D-BE06-C89A92B56FDC}C:\program files (x86)\skype\phone\skype.exe" = protocol=6 | dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"TCP Query User{A4FF1EAB-A581-46D2-AD62-863CCC5E6A4E}C:\program files (x86)\steam\steamapps\spartacus1986\zombie panic! source\hl2.exe" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\spartacus1986\zombie panic! source\hl2.exe |
"TCP Query User{A5B13012-183A-43D8-B478-243AA27BA26A}C:\program files (x86)\electronic arts\eadm\core.exe" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\eadm\core.exe |
"TCP Query User{A9834CFF-1A5B-4B7D-9BAA-E6A42BC73984}C:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\patchget.dat" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\patchget.dat |
"TCP Query User{CF7B55FB-2DDF-404E-B5F7-107922C55368}C:\program files (x86)\electronic arts\the battle for middle-earth ™ ii\patchget.dat" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\the battle for middle-earth ™ ii\patchget.dat |
"TCP Query User{D66911E4-25D5-4F7A-94D4-00BDE85F222D}C:\program files (x86)\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files (x86)\mozilla firefox\firefox.exe |
"TCP Query User{E0FC417D-91F6-4B57-9688-5E243FBEF4D8}C:\program files (x86)\azureus\azureus.exe" = protocol=6 | dir=in | app=c:\program files (x86)\azureus\azureus.exe |
"TCP Query User{E6BAFF5E-39A6-4BD0-88EC-D041DBF162E1}C:\program files (x86)\turbine\the lord of the rings online\lotroclient.exe" = protocol=6 | dir=in | app=c:\program files (x86)\turbine\the lord of the rings online\lotroclient.exe |
"TCP Query User{E866FA9B-485B-4129-A901-3B207C8C2961}C:\program files (x86)\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\program files (x86)\spotify\spotify.exe |
"TCP Query User{EDDD4421-F089-41AF-AE96-F7F25453E0E4}C:\program files (x86)\electronic arts\red alert 3\data\ra3_1.4.game" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\red alert 3\data\ra3_1.4.game |
"TCP Query User{F336B530-8CE7-4349-B035-462F70CCF429}C:\program files (x86)\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files (x86)\limewire\limewire.exe |
"TCP Query User{FCC6FAFF-0155-4788-88CD-2E9204D26197}C:\program files (x86)\microsoft games\age of empires iii\age3.exe" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft games\age of empires iii\age3.exe |
"UDP Query User{25D05E98-F26A-472D-896D-1D541557DCD7}C:\program files (x86)\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files (x86)\mozilla firefox\firefox.exe |
"UDP Query User{26AB50FE-1633-4460-90FB-5F8C605F0C47}C:\program files (x86)\steam\steamapps\common\medieval ii total war\medieval2.exe" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\medieval ii total war\medieval2.exe |
"UDP Query User{277A0B07-38F4-4D0B-B657-269D84F90251}C:\program files (x86)\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\program files (x86)\spotify\spotify.exe |
"UDP Query User{3BD8E88C-4257-46F2-BECE-59E6FCC6FA8C}C:\program files (x86)\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files (x86)\mozilla firefox\firefox.exe |
"UDP Query User{42D300F1-8202-419C-BA07-B7FDCCF68582}C:\program files (x86)\mirc\mirc.exe" = protocol=17 | dir=in | app=c:\program files (x86)\mirc\mirc.exe |
"UDP Query User{526912D8-62C1-4B87-82AB-328F943A1C5C}C:\program files (x86)\azureus\azureus.exe" = protocol=17 | dir=in | app=c:\program files (x86)\azureus\azureus.exe |
"UDP Query User{72C9E871-99E4-4674-8CE3-DBF549A8FE53}C:\program files (x86)\microsoft games\age of empires iii\age3.exe" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft games\age of empires iii\age3.exe |
"UDP Query User{7EFCD3F9-4597-4C80-85EC-F5E67583459A}C:\program files (x86)\steam\steamapps\spartacus1986\zombie panic! source\hl2.exe" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\spartacus1986\zombie panic! source\hl2.exe |
"UDP Query User{7F0273C4-848C-4596-A69B-EA81B4C4AC68}C:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\patchget.dat" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\patchget.dat |
"UDP Query User{88B0004D-1D9B-49E1-9538-A1124C491CB3}C:\program files (x86)\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\program files (x86)\spotify\spotify.exe |
"UDP Query User{8CB9F103-73A8-4DBB-B910-C6793EE1F0B7}C:\program files (x86)\xfire\xfire.exe" = protocol=17 | dir=in | app=c:\program files (x86)\xfire\xfire.exe |
"UDP Query User{95EFDDAF-A2B9-4B3A-BEA8-EE0867635C08}C:\program files (x86)\turbine\the lord of the rings online\lotroclient.exe" = protocol=17 | dir=in | app=c:\program files (x86)\turbine\the lord of the rings online\lotroclient.exe |
"UDP Query User{9BB75FD0-9E36-40E2-A080-34E7C374D5EA}C:\program files (x86)\electronic arts\red alert 3\data\ra3_1.4.game" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\red alert 3\data\ra3_1.4.game |
"UDP Query User{9DCD7B51-35E6-4CBC-BBAF-370C60AE6811}C:\program files (x86)\electronic arts\eadm\core.exe" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\eadm\core.exe |
"UDP Query User{A758D125-D83B-4776-929D-D14F5E68AEA4}C:\program files (x86)\electronic arts\eadm\core.exe" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\eadm\core.exe |
"UDP Query User{B69C940E-1D2E-485A-9AC3-25F0827D39DB}C:\westwood\ra2\gamemd.exe" = protocol=17 | dir=in | app=c:\westwood\ra2\gamemd.exe |
"UDP Query User{B6DC803A-9EB5-4255-8B13-9D4E87C9B250}C:\program files (x86)\electronic arts\red alert 3\data\ra3_1.3.game" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\red alert 3\data\ra3_1.3.game |
"UDP Query User{BA1EBA3A-AFB0-4A4A-9347-9B2BAEAA17FE}C:\program files (x86)\skype\phone\skype.exe" = protocol=17 | dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"UDP Query User{BDC4C919-BD68-4357-AADC-CF2EFD9E83B8}C:\users\bobby\appdata\locallow\garagegames\iaplayer\products\7000\install\zap.exe" = protocol=17 | dir=in | app=c:\users\bobby\appdata\locallow\garagegames\iaplayer\products\7000\install\zap.exe |
"UDP Query User{CF67CF3D-9F8C-49FA-B440-29769F248161}C:\program files (x86)\steam\steamapps\spartacus1986\team fortress 2\hl2.exe" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\spartacus1986\team fortress 2\hl2.exe |
"UDP Query User{D537F707-3DE2-44A4-B3B2-AA06BE851C03}C:\program files (x86)\kontiki\khost.exe" = protocol=17 | dir=in | app=c:\program files (x86)\kontiki\khost.exe |
"UDP Query User{D89530FD-F794-4F86-BBEB-0C8FC39ABAF1}C:\program files (x86)\skype\phone\skype.exe" = protocol=17 | dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"UDP Query User{DB9A01FB-18A0-4C06-A210-F4EB5A740DFA}C:\program files (x86)\steam\steamapps\spartacus1986\counter-strike source\hl2.exe" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\spartacus1986\counter-strike source\hl2.exe |
"UDP Query User{E5E7FB39-E711-470F-AB00-15A044E5D439}C:\program files (x86)\xfire\xfire.exe" = protocol=17 | dir=in | app=c:\program files (x86)\xfire\xfire.exe |
"UDP Query User{E790C7F1-ADCF-4D12-AFF7-DE1CE6DBB516}C:\program files (x86)\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files (x86)\limewire\limewire.exe |
"UDP Query User{E8B1896A-9612-4643-9AEE-CFEBB4C992DC}C:\program files (x86)\azureus\azureus.exe" = protocol=17 | dir=in | app=c:\program files (x86)\azureus\azureus.exe |
"UDP Query User{EB773AE0-33C0-49DE-BE59-E198B96D5E86}C:\program files (x86)\electronic arts\the battle for middle-earth ™ ii\patchget.dat" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\the battle for middle-earth ™ ii\patchget.dat |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
"{1CA75E08-616B-4F3C-A8E6-5E4BDC04E398}" = Advent AIO Printer
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{5EB6F3CB-46F4-451F-A028-7F6D8D35D7D0}" = Windows Live Language Selector
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{BC4AE628-81A4-4FC6-863A-7A9BA2E2531F}" = Nokia Connectivity Cable Driver
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D8CE69B0-9274-4b8c-BA49-0FF6A20A3C65}" = SAMSUNG SYMBIAN USB Download Driver
"{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
"{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}" = Ventrilo Client for Windows x64
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"BC15EA930074932BB2C4B4493C9FD4EA95087D1A" = Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"SAMSUNG Mobile Composite Device" = SAMSUNG Mobile Composite Device Software
"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set
"Samsung Mobile Modem Device" = Samsung Mobile Modem Device Software
"Samsung Mobile phone USB driver" = Samsung Mobile phone USB driver Software
"SAMSUNG Mobile USB Modem" = SAMSUNG Mobile USB Modem Software
"SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software
"SAMSUNG USB Mobile Device" = SAMSUNG USB Mobile Device Software

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{136BB0FD-7E70-40F5-B17E-5FB91F229463}" = AdC4USelfUpdater
"{1BAE8AB6-4533-4CB1-94D6-A5F401ED468C}" = aioscnnr
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{205ACCD7-5342-4694-91F3-3A99E4FD5AA6}" = Mathcad 14.0 M020 Help
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 24
"{27B5D9DE-D57D-48ee-A4F1-DC3D9DA0DF57}" = ADVENT AIO Printer
"{296D8550-CB06-48E4-9A8B-E5034FB64715}" = Command & Conquer™ Red Alert™ 3
"{2A9F95AB-65A3-432c-8631-B8BC5BF7477A}" = The Battle for Middle-earth ™ II
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{3F290582-3F4E-4B96-009C-E0BABAA40C42}" = The Battle for Middle-earth ™
"{4973FC3B-FF66-4610-B9ED-2DDEFBF4D2D7}" = PreReq
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{61381690-7DDA-44F6-B3F0-6529FB8B6E5D}" = Advent Essentials
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)
"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
"{7E84FAC8-C518-40F9-9807-7455301D6D25}" = SamsungConnectivityCableDriver
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{8796E14E-2031-463F-8A9A-31062B2652B4}" = Mathcad 14.0 M020
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C3727F2-8E37-49E4-820C-03B1677F53B6}" = Stronghold Crusader
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{95120000-003F-0409-0000-0000000FF1CE}" = Microsoft Office Excel Viewer
"{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AC599724-5755-48C1-ABE7-ABB857652930}" = PC Connectivity Solution
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{B931FB80-537A-4600-00AD-AC5DEDB6C25B}" = The Lord of the Rings, The Rise of the Witch-king
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE325D55-FCAF-4273-BB79-069BB8747270}" = TomTom HOME
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CFF8B8E8-E086-4DE0-935F-FE22CAB54F80}" = Microsoft Search Enhancement Pack
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D6D5CFB3-7095-4073-B6B7-B7E909838C57}" = Razer Copperhead
"{DD1865F0-AD73-40FB-B23E-1822E02396FF}" = NVIDIA PhysX
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E0D51394-1D45-460A-B62D-383BC4F8B335}" = QuickTime
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{EBD38AE9-D52D-448D-9DB4-4D5F66E1DAFC}" = Mathcad 14.0 M020 Resource Center
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Audacity_is1" = Audacity 1.2.6
"avast5" = avast! Free Antivirus
"Azureus Vuze" = Azureus Vuze
"Emsisoft Anti-Malware_is1" = Emsisoft Anti-Malware 5.1
"Guild Wars" = Guild Wars
"InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"JRE 1.3.0_02" = Java 2 Runtime Environment Standard Edition v1.3.0_02
"LimeWire" = LimeWire 4.16.7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"mIRC" = mIRC
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"MST121 and MS221 Software" = MST121 and MS221 Software
"Mumble" = Mumble and Murmur
"PowerISO" = PowerISO
"RealPlayer 6.0" = RealPlayer
"Spotify" = Spotify
"Steam App 220" = Half-Life 2
"Steam App 240" = Counter-Strike: Source
"Steam App 3320" = Insaniquarium Deluxe
"Steam App 3480" = Peggle Deluxe
"Steam App 3483" = Peggle Extreme
"Steam App 400" = Portal
"Steam App 4000" = Garry's Mod
"Steam App 420" = Half-Life 2: Episode Two
"Steam App 440" = Team Fortress 2
"Steam App 4700" = Medieval II: Total War
"Steam App 4780" = Medieval II: Total War Kingdoms
"SystemRequirementsLab" = System Requirements Lab
"T173" = T173
"VLC media player" = VideoLAN VLC media player 0.8.6d
"WinLiveSuite" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 19/03/2010 19:52:03 | Computer Name = Bobby-PC | Source = avast! | ID = 33554522
Description =

Error - 26/03/2010 04:20:40 | Computer Name = Bobby-PC | Source = avast! | ID = 33554522
Description =

Error - 29/03/2010 04:00:09 | Computer Name = Bobby-PC | Source = avast! | ID = 33554522
Description =

Error - 30/03/2010 04:10:32 | Computer Name = Bobby-PC | Source = avast! | ID = 33554522
Description =

Error - 30/03/2010 17:39:35 | Computer Name = Bobby-PC | Source = avast! | ID = 33554522
Description =

Error - 07/04/2010 16:00:31 | Computer Name = Bobby-PC | Source = avast! | ID = 33554522
Description =

Error - 22/04/2010 04:13:24 | Computer Name = Bobby-PC | Source = avast! | ID = 33554522
Description =

Error - 23/06/2010 11:35:43 | Computer Name = Bobby-PC | Source = avast! | ID = 33554522
Description =

Error - 01/07/2010 18:18:15 | Computer Name = Bobby-PC | Source = avast! | ID = 33554522
Description =

Error - 07/07/2010 18:59:59 | Computer Name = Bobby-PC | Source = avast! | ID = 33554522
Description =

[ Application Events ]
Error - 18/03/2010 15:34:43 | Computer Name = Bobby-PC | Source = Application Error | ID = 1000
Description = Faulting application game.dat, version 2.1.2614.37001, time stamp
0x460da09e, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791a783,
exception code 0xc0000005, fault offset 0x000625c8, process id 0x850, application
start time 0x01cac6d1f1619bd4.

Error - 18/03/2010 19:45:39 | Computer Name = Bobby-PC | Source = ESENT | ID = 215
Description = WinMail (4044) WindowsMail0: The backup has been stopped because it
was halted by the client or the connection with the client failed.

Error - 18/03/2010 19:45:42 | Computer Name = Bobby-PC | Source = ESENT | ID = 215
Description = WinMail (2304) WindowsMail0: The backup has been stopped because it
was halted by the client or the connection with the client failed.

Error - 18/03/2010 19:52:19 | Computer Name = Bobby-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 18/03/2010 19:52:27 | Computer Name = Bobby-PC | Source = Application Error | ID = 1000
Description = Faulting application game.dat, version 2.1.2614.37001, time stamp
0x460da09e, faulting module ntdll.dll, version 6.0.6002.18005, time stamp 0x49e03824,
exception code 0xc0000005, fault offset 0x00062790, process id 0xd98, application
start time 0x01cac6f5f32cb88d.

Error - 19/03/2010 15:20:57 | Computer Name = Bobby-PC | Source = MsiInstaller | ID = 11905
Description =

Error - 19/03/2010 15:46:02 | Computer Name = Bobby-PC | Source = Application Error | ID = 1000
Description = Faulting application game.dat, version 2.1.2614.37001, time stamp
0x460da09e, faulting module ntdll.dll, version 6.0.6002.18005, time stamp 0x49e03824,
exception code 0xc0000005, fault offset 0x00060897, process id 0x460, application
start time 0x01cac79cb2ee4eee.

Error - 28/03/2010 14:22:18 | Computer Name = Bobby-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 02/04/2010 14:56:55 | Computer Name = Bobby-PC | Source = Application Hang | ID = 1002
Description = The program Steam.exe version 1.0.778.935 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: c3c Start Time: 01cad28e2f9cd487 Termination Time: 66

Error - 03/04/2010 05:08:18 | Computer Name = Bobby-PC | Source = Application Hang | ID = 1002
Description = The program Steam.exe version 1.0.778.935 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 8cc Start Time: 01cad2b2e2ecf5d0 Termination Time: 78

[ Media Center Events ]
Error - 25/11/2008 16:28:40 | Computer Name = Bobby-PC | Source = Mcx2Dvcs | ID = 401
Description =

Error - 02/01/2009 21:03:32 | Computer Name = Bobby-PC | Source = McrMgr | ID = 109
Description =

Error - 09/01/2009 18:31:38 | Computer Name = Bobby-PC | Source = McrMgr | ID = 109
Description =

[ System Events ]
Error - 25/03/2011 16:40:49 | Computer Name = Bobby-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 25/03/2011 17:19:34 | Computer Name = Bobby-PC | Source = Microsoft-Windows-Firewall | ID = 6400
Description =

Error - 25/03/2011 17:24:15 | Computer Name = Bobby-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 25/03/2011 17:24:15 | Computer Name = Bobby-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 25/03/2011 17:27:20 | Computer Name = Bobby-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 25/03/2011 17:27:36 | Computer Name = Bobby-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 25/03/2011 17:34:08 | Computer Name = Bobby-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 26/03/2011 16:34:24 | Computer Name = Bobby-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 26/03/2011 16:34:24 | Computer Name = Bobby-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 26/03/2011 16:58:54 | Computer Name = Bobby-PC | Source = Service Control Manager | ID = 7011
Description =


< End of report >

I ran unhide and it has returned everything back to 'normal'. OTL downloaded and ran without any problems too.

#4 snemelk

  • Malware Response Team
  • Location:Poland

Posted 03 April 2011 - 04:21 PM

Hi again The Joy!!.. :)

I ran unhide and it has returned everything back to 'normal'. OTL downloaded and ran without any problems too.

Good!.. :thumbup2:

I'll check the logs tomorrow, thanks for your patience!!..
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#5 snemelk

  • Malware Response Team
  • Location:Poland

Posted 04 April 2011 - 06:15 AM

Hi again The Joy!!.. :)

Log looks ok - the script below will remove some leftovers only...

Firstly,
Please run OTL.exe.
  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
    O4 - HKLM..\Run: [0150421301089913mcinstcleanup] File not found
    O4 - HKLM..\Run: [NPSStartup] File not found
    O4 - HKCU..\Run: [CollaborationHost] File not found
    O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
    [2011/03/24 20:00:07 | 000,000,000 | ---D | C] -- C:\Users\Bobby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Recovery
    [2011/03/25 21:27:16 | 000,000,120 | ---- | M] () -- C:\ProgramData\~47439624r
    [2011/03/25 21:27:16 | 000,000,080 | ---- | M] () -- C:\ProgramData\~47439624
    [2011/03/24 20:00:06 | 000,000,344 | ---- | M] () -- C:\ProgramData\47439624
    :Commands
    [EmptyTemp]
    [EMPTYFLASH]

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Secondly,
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer (32 bit version - Start --> All programs --> Internet Explorer) for this scan. Internet Explorer must be run as administrator - right click and choose: Run as administrator.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are both checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files (x86)\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

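The OTL fix above targets two things: autorun entries whose target binary no longer exists (the lines OTL marks "File not found") and leftover files from the fake "Windows Recovery" rogue. The PowerShell below is an added, report-only example written for this thread; it is not OTL's code and not part of the original posts. The leftover paths are the ones listed in the fix script, and the helper names are my own.

```powershell
# Added example, not OTL's code: report-only audit of orphaned Run entries and
# of the "Windows Recovery" leftovers named in the fix script. Nothing is deleted.

function Get-CommandTarget {
    # Extract the executable path from a Run-key command line: handles quoted
    # paths, unquoted paths followed by arguments, and %VAR% expansion.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|bat|cmd|vbs|scr))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-OrphanedRunEntries {
    # Walk Run/RunOnce in HKLM and HKCU (plus the WOW6432Node view on 64-bit)
    # and return entries whose target does not exist on disk, which is exactly
    # the condition OTL reports as "File not found".
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSDrive, ...
            $target = Get-CommandTarget -CommandLine ([string]$p.Value)
            $missing = $true
            if (-not [string]::IsNullOrWhiteSpace($target)) {
                if ([IO.Path]::IsPathRooted($target)) {
                    $missing = -not (Test-Path -LiteralPath $target)
                } else {
                    # Bare names such as rundll32.exe resolve through PATH
                    $missing = -not (Get-Command $target -ErrorAction SilentlyContinue)
                }
            }
            if ($missing) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Target = $target }
            }
        }
    }
}

function Get-RecoveryLeftovers {
    # Paths taken from the fix script above; report any that still exist.
    param([string[]]$Paths = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Windows Recovery",
        "$env:ProgramData\~47439624r",
        "$env:ProgramData\~47439624",
        "$env:ProgramData\47439624"
    ))
    $Paths | Where-Object { Test-Path -LiteralPath $_ }
}

Get-OrphanedRunEntries | Format-Table -AutoSize
Get-RecoveryLeftovers
```

Run it from an elevated Windows PowerShell prompt so the HKLM keys are readable; an orphaned entry is usually harmless but is the trace the fix log shows OTL cleaning.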


#6 The Joy

  • Topic Starter

Posted 10 April 2011 - 11:46 AM

Hi, apologies for the long wait. I ran OTL again and it all came back completed and fine, all residual files now seem to have gone;

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{0BF43445-2F28-4351-9252-17FE6E806AA0} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BF43445-2F28-4351-9252-17FE6E806AA0}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\0150421301089913mcinstcleanup not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NPSStartup not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\CollaborationHost not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ not found.
File Protocol\Handler\msdaipp - No CLSID value found not found.
Folder C:\Users\Bobby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Recovery\ not found.
File C:\ProgramData\~47439624r not found.
File C:\ProgramData\~47439624 not found.
File C:\ProgramData\47439624 not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Bobby
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 443430626 bytes
->Java cache emptied: 85647162 bytes
->FireFox cache emptied: 108104994 bytes
->Flash cache emptied: 3115538 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mcx1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 18427660 bytes
->Flash cache emptied: 405 bytes

User: Mcx2
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 42290 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 1386496 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 69871636 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 476835564 bytes

Total Files Cleaned = 1,151.00 mb


[EMPTYFLASH]

User: All Users

User: Bobby
->Flash cache emptied: 0 bytes

User: Default

User: Default User

User: Mcx1
->Flash cache emptied: 0 bytes

User: Mcx2

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04042011_213854

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

I also ran ESET as suggested and got the following log;

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=565817b88ba7074b85687fda9e203d40
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-04 10:04:03
# local_time=2011-04-04 11:04:03 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=770 16774141 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 56 0 139477338 0 0
# compatibility_mode=8192 67108863 100 0 196 196 0 0
# scanned=62281
# found=0
# cleaned=0
# scan_time=1210
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=565817b88ba7074b85687fda9e203d40
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-10 11:44:38
# local_time=2011-04-10 12:44:38 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=770 16774141 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 56 177811 139956058 0 0
# compatibility_mode=8192 67108863 100 0 478916 478916 0 0
# scanned=190820
# found=0
# cleaned=0
# scan_time=3725

Again, everything came back fine and dandy.

#7 snemelk

  • Malware Response Team
  • Location:Poland

Posted 10 April 2011 - 04:38 PM

Hi again The Joy!!.. :)

Again, everything came back fine and dandy.

I'm glad to see that!!.. :thumbup2:

A few words about your protection software (based on your OTL logfile posted earlier): one antivirus running in resident mode + a few antispyware programs running their real-time protection:
- Avast's antispyware module,
- Spybot's TeaTimer,
- Ad-Aware's Ad-Watch,
- Windows Defender...

That's way too much! It can cause conflicts and/or slow your computer down... A basic rule: one program of the same type running in resident mode... That's why I recommend you disable other programs' real-time antispyware protection, leaving only one program running in resident mode... Since Avast! runs all the time as an antivirus, I suggest disabling Spybot's TeaTimer and Ad-Aware's Ad-Watch... You can also disable Windows Defender if you wish, though, I know there should be no conflicts between it and Avast!... For help on disabling the tools, see here: How to disable your security applications

We need to update outdated programs (with security vulnerabilities) on your machine:

- Adobe Acrobat Reader:

You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here (uninstall version 8.1.2 first):
Adobe Reader X

Note: I suggest you uncheck an optional, third-party download (e.g. McAfee Security Scan Plus).

After successfully installing Adobe Reader X, see this article on how to make this program more secure: Adobe Reader X secures itself by playing in the sandbox.

- Java

Go to Start -> Control Panel -> Programs and Features, highlight a program to see the available option on the toolbar for it. Choose Uninstall for:
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7


Leaving only Java 6 Update 24 installed (that's the latest, secure version)...

- Adobe Flash Player:

To make sure you have the latest version of Adobe Flash Player installed:
1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe
2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).
3. Double-click on the file you've downloaded to uninstall Flash.
4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).
Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

- Skype™ 3.8 - that's a very old version, insecure and buggy... I suggest upgrading: Skype 5.3

- Avast! 5 - if you wish, you can upgrade to version 6 (a few additional features): Free Antivirus 6


If no problem remains, please do the following:

Firstly,
To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.
  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Secondly,
Please set a new Restore Point to prevent infection from any previous Restore Points.
The easiest and safest way to do this is:
  • Open Control Panel (Start --> Control Panel) and double-click the System icon.
  • Click on the System Protection link on the left. If a UAC (User Account Control) prompt appears, click Continue. Close the System window.
  • Make sure that you have System Protection turned on for your System drive (usually C:\):
    • In Windows 7: On under Protection,
    • In Windows Vista: a box on the left will be checked.
  • Click on the Create button. Give the restore point a name, and click Create. Wait till the new system restore point is created, and click Close.
  • Then go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire (usually C:\).
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here and for Windows 7 here.

Please check my site - snemelk.hekko.pl:

Also, I recommend you read Grinler's excellent article: How did I get infected?, with steps so it does not happen again!


#8 snemelk

  • Malware Response Team
  • Location:Poland

Posted 21 April 2011 - 06:43 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.