Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Security Protection Virus along with TDSS and Google keeps redirecting


  • This topic is locked This topic is locked
13 replies to this topic

#1 mdntokr

mdntokr

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:51 PM

Posted 01 September 2011 - 03:44 PM

I was following the "Remove Security Protection (Uninstall Guide)", and I made it through Step 4 where I installed TDSSKiller and ran it in "Safe Mode with Networking." TDSSKiller did not detect anything, but google keeps redirecting. The Uninstall Guide then suggests that I should post a virus removal request rather than continuing with the guide.

I ran DDS, which I'm including, but I did not create a GMER log because I have a 64-bit version of Windows (the preparation guide said I can only run this if I have a 32-bit version of windows).

I would appreciate any help you can give me. Also, please tell me if there's any more info that you need from me. I haven't run MBAM yet because that step comes later in the Uninstall Guide . . . please tell me if you would like me to run that yet. Thanks so much.
.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_23
Run by Rob at 16:12:57 on 2011-09-01
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4090.3224 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AWSC.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp64&d=1208&m=p-7805u&c=BB
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp64&d=1208&m=p-7805u&c=BB
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "C:\Users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Gateway\traybar.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\Rob\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
TCP: Interfaces\{0B3F27C9-B9D9-42D6-9893-4D145E057DD2} : DhcpNameServer = 68.87.69.150 68.87.85.102
TCP: Interfaces\{43A86402-F5FB-487B-AB19-A46F94CFC834} : DhcpNameServer = 192.168.1.1 68.237.161.12
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun-x64: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Gateway\traybar.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Rob\AppData\Roaming\Mozilla\Firefox\Profiles\ayxlhdyq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Users\Rob\AppData\Local\Google\Update\1.3.21.68\npGoogleUpdate3.dll
FF - plugin: C:\Users\Rob\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Rob\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-7-21 2151640]
R3 NETw5v64;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit ;C:\Windows\system32\DRIVERS\NETw5v64.sys --> C:\Windows\system32\DRIVERS\NETw5v64.sys [?]
R3 O2MDRDR;O2MDRDR;C:\Windows\system32\DRIVERS\o2mdx64.sys --> C:\Windows\system32\DRIVERS\o2mdx64.sys [?]
R3 O2SDRDR;O2SDRDR;C:\Windows\system32\DRIVERS\o2sdx64.sys --> C:\Windows\system32\DRIVERS\o2sdx64.sys [?]
R3 Point64;Microsoft IntelliPoint Filter Driver;C:\Windows\system32\DRIVERS\point64k.sys --> C:\Windows\system32\DRIVERS\point64k.sys [?]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
S1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
S1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
S2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
S2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
S2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-16 42184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-12-15 24576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-3-14 135664]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;C:\Program Files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe [2008-9-19 65536]
S2 postgresql-8.4;PostgreSQL Server 8.4;C:/Program Files (x86)/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files (x86)/PostgreSQL/8.4/data" -w --> C:/Program Files (x86)/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
S2 TeamViewer5;TeamViewer 5;C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe [2010-9-24 1960744]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx64coinst,serviceStartProc --> RUNDLL32.EXE ykx64coinst,serviceStartProc [?]
S3 B-Service;B-Service;C:\Users\Rob\AppData\Roaming\Mikogo\B-Service.exe [2010-10-25 185640]
S3 CAXHWAZL;CAXHWAZL;C:\Windows\system32\DRIVERS\CAXHWAZL.sys --> C:\Windows\system32\DRIVERS\CAXHWAZL.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-3-14 135664]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-8-6 93184]
.
=============== Created Last 30 ================
.
2011-08-30 03:16:15 -------- d-----we C:\Windows\system64
2011-08-16 18:56:36 16432 ----a-w- C:\Windows\System32\lsdelete.exe
2011-08-16 15:11:28 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-08-16 15:08:55 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys
2011-08-14 16:06:29 -------- d-----w- C:\Users\Rob\.thumbnails
2011-08-12 21:18:04 -------- d-----w- C:\Users\Rob\.gimp-2.6
2011-08-12 21:17:40 -------- d-----w- C:\Program Files (x86)\GIMP-2.0
2011-08-10 22:46:34 274432 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-08-05 16:11:10 600920 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
.
==================== Find3M ====================
.
2011-07-06 23:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-07-04 11:43:53 40112 ----a-w- C:\Windows\avastSS.scr
2011-07-04 11:32:24 64856 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
.
============= FINISH: 16:14:17.46 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:51 PM

Posted 06 September 2011 - 03:45 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/417049 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:51 PM

Posted 07 September 2011 - 07:20 AM

Hi,

:step1: Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

:step2: We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#4 mdntokr

mdntokr
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:51 PM

Posted 07 September 2011 - 05:17 PM

Thank you very much for your time. I pasted all three logs you asked for. First is aswMBR.txt, next is OTL.txt, and last is Extras.txt. Please let me know if there are any problems, and what you need me to do next.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-07 17:45:18
-----------------------------
17:45:18.524 OS Version: Windows x64 6.0.6001 Service Pack 1
17:45:18.524 Number of processors: 2 586 0x1706
17:45:18.524 ComputerName: ROB-PC UserName: Rob
17:45:19.953 Initialize success
17:45:20.909 AVAST engine defs: 11090101
17:45:37.419 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
17:45:37.421 Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
17:45:37.432 Disk 0 MBR read successfully
17:45:37.434 Disk 0 MBR scan
17:45:37.937 Disk 0 unknown MBR code
17:45:37.940 Service scanning
17:45:40.096 Modules scanning
17:45:40.099 Disk 0 trace - called modules:
17:45:40.127 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
17:45:40.130 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005987760]
17:45:40.133 3 CLASSPNP.SYS[fffffa6000fc9b3a] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004bb1050]
17:45:43.258 AVAST engine scan C:\Windows
17:45:49.980 AVAST engine scan C:\Windows\system32
17:47:02.490 AVAST engine scan C:\Windows\system32\drivers
17:47:10.646 AVAST engine scan C:\Users\Rob
17:53:56.320 AVAST engine scan C:\ProgramData
17:56:31.509 Scan finished successfully
17:57:19.946 Disk 0 MBR has been saved successfully to "C:\Users\Rob\Desktop\MBR.dat"
17:57:19.950 The log file has been saved successfully to "C:\Users\Rob\Desktop\aswMBR.txt"



OTL logfile created on: 9/7/2011 6:00:22 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Users\Rob\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.99 Gb Total Physical Memory | 2.82 Gb Available Physical Memory | 70.55% Memory free
8.16 Gb Paging File | 7.22 Gb Available in Paging File | 88.50% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 288.32 Gb Total Space | 142.99 Gb Free Space | 49.59% Space Free | Partition Type: NTFS

Computer Name: ROB-PC | User Name: Rob | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/07 17:58:02 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Users\Rob\Desktop\OTL.exe
PRC - [2011/09/07 17:43:30 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2011/09/02 09:29:30 | 002,152,152 | ---- | M] (Lavasoft Limited) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2011/08/15 09:49:50 | 001,191,216 | ---- | M] (Lavasoft Limited) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2011/07/21 14:59:08 | 001,101,960 | ---- | M] () -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AWSC.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/07 17:43:30 | 001,846,232 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2009/07/17 23:21:00 | 003,883,424 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
MOD - [2008/01/20 22:48:39 | 000,223,232 | ---- | M] () -- \\?\globalroot\systemroot\syswow64\mswsock.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/07/04 07:43:51 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2008/06/11 15:18:30 | 000,024,576 | ---- | M] () [Auto | Stopped] -- C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe -- (ETService)
SRV:64bit: - [2008/01/20 22:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2007/10/18 18:37:22 | 000,412,672 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\DRIVERS\xaudio64.exe -- (XAudioService)
SRV:64bit: - [2006/11/02 07:16:05 | 000,046,592 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\rundll32.exe -- (yksvc)
SRV - [2011/09/02 09:29:30 | 002,152,152 | ---- | M] (Lavasoft Limited) [Auto | Running] -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/10/25 11:46:45 | 000,185,640 | ---- | M] () [On_Demand | Stopped] -- C:\Users\Rob\AppData\Roaming\Mikogo\B-Service.exe -- (B-Service)
SRV - [2010/09/24 09:36:58 | 001,960,744 | ---- | M] (TeamViewer GmbH) [Auto | Stopped] -- C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe -- (TeamViewer5)
SRV - [2010/08/23 20:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/09/08 03:48:55 | 000,066,048 | ---- | M] (PostgreSQL Global Development Group) [Auto | Stopped] -- C:\Program Files (x86)\PostgreSQL\8.4\bin\pg_ctl.exe -- (postgresql-8.4)
SRV - [2008/09/19 04:03:58 | 000,065,536 | ---- | M] (PostgreSQL Global Development Group) [Auto | Stopped] -- C:\Program Files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe -- (pgsql-8.3)
SRV - [2008/07/27 14:03:13 | 000,069,632 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/05/05 18:25:46 | 000,165,416 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008/04/15 20:54:42 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2007/02/12 04:43:44 | 000,065,536 | ---- | M] (O2Micro International) [Auto | Stopped] -- C:\Program Files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe -- (o2flash)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/07/21 14:59:08 | 000,069,376 | ---- | M] () [File_System | Boot | Running] -- C:\Windows\SysNative\DRIVERS\Lbd.sys -- (Lbd)
DRV:64bit: - [2011/07/04 07:36:56 | 000,600,920 | ---- | M] () [File_System | System | Stopped] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2011/07/04 07:36:54 | 000,288,088 | ---- | M] () [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2011/07/04 07:35:28 | 000,045,400 | ---- | M] () [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2011/07/04 07:32:35 | 000,031,064 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr.sys -- (aswRdr)
DRV:64bit: - [2011/07/04 07:32:24 | 000,064,856 | ---- | M] () [File_System | Auto | Stopped] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2011/07/04 07:32:14 | 000,022,360 | ---- | M] () [File_System | Auto | Stopped] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/05/09 01:14:20 | 000,015,752 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\NuidFltr.sys -- (NuidFltr)
DRV:64bit: - [2008/09/24 17:39:48 | 000,058,912 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2008/07/24 13:03:00 | 000,392,192 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\yk60x64.sys -- (yukonx64)
DRV:64bit: - [2008/06/26 20:24:20 | 000,020,520 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV:64bit: - [2008/06/11 21:29:30 | 000,051,800 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\o2sdx64.sys -- (O2SDRDR)
DRV:64bit: - [2008/06/10 14:04:28 | 000,036,424 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\point64k.sys -- (Point64)
DRV:64bit: - [2008/06/02 03:50:04 | 000,264,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CHDRT64.sys -- (CnxtHdAudService)
DRV:64bit: - [2008/05/13 00:48:38 | 000,062,424 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\o2mdx64.sys -- (O2MDRDR)
DRV:64bit: - [2008/04/27 18:38:12 | 004,730,368 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\NETw5v64.sys -- (NETw5v64) Intel®
DRV:64bit: - [2008/04/15 20:54:16 | 000,388,120 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\iaStor.sys -- (iaStor)
DRV:64bit: - [2008/03/25 19:51:16 | 001,487,872 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\CAX_DPV.sys -- (HSF_DPV)
DRV:64bit: - [2008/03/25 19:47:06 | 000,294,400 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\CAXHWAZL.sys -- (CAXHWAZL)
DRV:64bit: - [2008/03/25 19:45:44 | 000,740,864 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\CAX_CNXT.sys -- (winachsf)
DRV:64bit: - [2008/01/20 22:46:57 | 000,286,720 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\VSTAZL6.SYS -- (HSFHWAZL)
DRV:64bit: - [2008/01/20 22:46:55 | 000,111,104 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\DRIVERS\sdbus.sys -- (sdbus)
DRV:64bit: - [2008/01/17 23:31:30 | 000,320,560 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\SynTP.sys -- (SynTP)
DRV:64bit: - [2007/10/18 18:37:10 | 000,010,240 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Windows\SysNative\DRIVERS\xaudio64.sys -- (XAudio)
DRV:64bit: - [2007/07/26 06:00:00 | 000,053,488 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2006/06/19 01:27:24 | 000,017,024 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Windows\SysNative\DRIVERS\mdmxsdk.sys -- (mdmxsdk)
DRV - [2008/06/11 15:13:24 | 000,017,952 | ---- | M] (Acer, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\SysWOW64\drivers\int15_64.sys -- (int15)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp64&d=1208&m=p-7805u&c=BB
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp64&d=1208&m=p-7805u&c=BB


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2623628525-4019330213-2971170232-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2623628525-4019330213-2971170232-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp64&d=1208&m=p-7805u&c=BB
IE - HKU\S-1-5-21-2623628525-4019330213-2971170232-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2623628525-4019330213-2971170232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2623628525-4019330213-2971170232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\Rob\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\Rob\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Rob\AppData\Local\Google\Update\1.3.21.68\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Rob\AppData\Local\Google\Update\1.3.21.68\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/09/07 17:43:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/03/26 12:10:00 | 000,000,000 | ---D | M]

[2009/01/23 02:51:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rob\AppData\Roaming\Mozilla\Extensions
[2011/08/12 16:13:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rob\AppData\Roaming\Mozilla\Firefox\Profiles\ayxlhdyq.default\extensions
[2009/09/02 20:01:46 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Rob\AppData\Roaming\Mozilla\Firefox\Profiles\ayxlhdyq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/08/09 16:13:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/08/09 16:13:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/12/09 22:32:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
() (No name found) -- C:\USERS\ROB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\AYXLHDYQ.DEFAULT\EXTENSIONS\FIREBUG@SOFTWARE.JOEHEWITT.COM.XPI
[2011/09/07 17:43:31 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2010/12/09 22:31:42 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2006/09/18 17:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg64.dll (Google Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3:64bit: - HKU\S-1-5-21-2623628525-4019330213-2971170232-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\Windows\SysNative\NvCpl.dll ()
O4:64bit: - HKLM..\Run: [NvMediaCenter] C:\Windows\SysNative\NvMcTray.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Gateway\traybar.exe (Chicony)
O4 - Startup: C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2623628525-4019330213-2971170232-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2623628525-4019330213-2971170232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8:64bit: - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll (Google Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O15 - HKU\S-1-5-21-2623628525-4019330213-2971170232-1000\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKU\S-1-5-21-2623628525-4019330213-2971170232-1000\..Trusted Domains: real.com ([rhap-app-4-0] https in Trusted sites)
O15 - HKU\S-1-5-21-2623628525-4019330213-2971170232-1000\..Trusted Domains: real.com ([rhapreg] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.237.161.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0B3F27C9-B9D9-42D6-9893-4D145E057DD2}: DhcpNameServer = 68.87.69.150 68.87.85.102
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{43A86402-F5FB-487B-AB19-A46F94CFC834}: DhcpNameServer = 192.168.1.1 68.237.161.12
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - Reg Error: Key error. File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O28:64bit: - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/07 17:58:02 | 000,581,120 | ---- | C] (OldTimer Tools) -- C:\Users\Rob\Desktop\OTL.exe
[2011/09/07 17:45:01 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Users\Rob\Desktop\aswMBR.exe
[2011/09/01 14:55:45 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Rob\Desktop\dds.scr
[2011/09/01 14:32:31 | 001,406,768 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Rob\Desktop\123.com
[2011/08/29 23:16:15 | 000,000,000 | ---D | C] -- C:\Windows\system64
[2011/08/29 17:12:13 | 000,000,000 | ---D | C] -- C:\Users\Rob\Desktop\hospital
[2011/08/23 14:38:02 | 000,000,000 | ---D | C] -- C:\Users\Rob\Desktop\8.23 bp
[2011/08/22 10:31:06 | 000,000,000 | ---D | C] -- C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2011/08/16 11:08:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft
[2011/08/14 12:06:43 | 000,000,000 | ---D | C] -- C:\Users\Rob\AppData\Roaming\gtk-2.0
[2011/08/14 12:06:29 | 000,000,000 | ---D | C] -- C:\Users\Rob\.thumbnails
[2011/08/12 17:18:04 | 000,000,000 | ---D | C] -- C:\Users\Rob\Documents\gegl-0.0
[2011/08/12 17:18:04 | 000,000,000 | ---D | C] -- C:\Users\Rob\.gimp-2.6
[2011/08/12 17:17:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP
[2011/08/12 17:17:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\GIMP-2.0
[2011/08/12 00:31:27 | 000,000,000 | ---D | C] -- C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
[2011/08/12 00:31:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
[2011/08/12 00:31:24 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2011/08/09 16:19:42 | 000,000,000 | --SD | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice.org 3.3
[2011/08/09 16:13:49 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2011/08/09 16:13:49 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2011/08/09 16:13:48 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2011/08/09 16:11:13 | 000,000,000 | ---D | C] -- C:\Users\Rob\Desktop\OpenOffice.org 3.3 (en-US) Installation Files

========== Files - Modified Within 30 Days ==========

[2011/09/07 17:58:02 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Users\Rob\Desktop\OTL.exe
[2011/09/07 17:57:19 | 000,000,512 | ---- | M] () -- C:\Users\Rob\Desktop\MBR.dat
[2011/09/07 17:45:08 | 000,703,388 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/09/07 17:45:08 | 000,603,516 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/09/07 17:45:08 | 000,103,586 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/09/07 17:45:02 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Users\Rob\Desktop\aswMBR.exe
[2011/09/07 17:44:20 | 000,000,408 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2011/09/07 17:44:08 | 000,000,064 | ---- | M] () -- C:\Windows\SysWow64\rp_stats.dat
[2011/09/07 17:44:08 | 000,000,044 | ---- | M] () -- C:\Windows\SysWow64\rp_rules.dat
[2011/09/07 17:40:20 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/09/07 17:27:12 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\LogConfigTemp.xml
[2011/09/07 17:27:09 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/09/07 17:27:08 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/09/07 17:27:06 | 000,175,181 | ---- | M] () -- C:\ProgramData\nvModes.001
[2011/09/01 15:45:53 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2623628525-4019330213-2971170232-1000UA.job
[2011/09/01 15:17:17 | 000,175,181 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2011/09/01 15:16:26 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/09/01 14:55:45 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Rob\Desktop\dds.scr
[2011/09/01 14:32:31 | 001,406,768 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Rob\Desktop\123.com
[2011/09/01 14:21:12 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/30 22:41:27 | 000,002,034 | ---- | M] () -- C:\Users\Rob\Desktop\Google Chrome.lnk
[2011/08/30 22:41:27 | 000,001,996 | ---- | M] () -- C:\Users\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/08/29 23:14:53 | 000,000,591 | ---- | M] () -- C:\Users\Public\Desktop\Security Protection.lnk
[2011/08/29 13:17:55 | 000,007,334 | ---- | M] () -- C:\Users\Rob\Desktop\New OpenDocument Text.odt
[2011/08/25 10:40:00 | 000,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2623628525-4019330213-2971170232-1000Core.job
[2011/08/23 20:53:19 | 000,002,255 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/08/23 01:21:55 | 000,046,576 | ---- | M] () -- C:\Users\Rob\.recently-used.xbel
[2011/08/22 23:48:09 | 056,204,136 | ---- | M] () -- C:\Users\Rob\Documents\old work.zip
[2011/08/19 10:43:09 | 000,000,680 | ---- | M] () -- C:\Users\Rob\AppData\Local\d3d9caps.dat
[2011/08/16 11:11:28 | 000,055,384 | ---- | M] () -- C:\Windows\SysNative\drivers\SBREDrv.sys
[2011/08/16 11:11:27 | 000,016,432 | ---- | M] () -- C:\Windows\SysNative\lsdelete.exe
[2011/08/16 11:08:57 | 000,000,969 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2011/08/11 11:02:33 | 000,337,520 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/08/09 16:22:51 | 000,001,072 | ---- | M] () -- C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
[2011/08/09 16:19:43 | 000,001,027 | ---- | M] () -- C:\Users\Public\Desktop\OpenOffice.org 3.3.lnk

========== Files Created - No Company Name ==========

[2011/09/07 17:57:19 | 000,000,512 | ---- | C] () -- C:\Users\Rob\Desktop\MBR.dat
[2011/08/29 23:14:53 | 000,000,591 | ---- | C] () -- C:\Users\Public\Desktop\Security Protection.lnk
[2011/08/29 13:17:55 | 000,007,334 | ---- | C] () -- C:\Users\Rob\Desktop\New OpenDocument Text.odt
[2011/08/29 13:16:46 | 000,000,408 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2011/08/23 01:21:55 | 000,046,576 | ---- | C] () -- C:\Users\Rob\.recently-used.xbel
[2011/08/22 10:31:10 | 000,002,034 | ---- | C] () -- C:\Users\Rob\Desktop\Google Chrome.lnk
[2011/08/22 10:31:10 | 000,001,996 | ---- | C] () -- C:\Users\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/08/19 11:11:04 | 000,000,064 | ---- | C] () -- C:\Windows\SysWow64\rp_stats.dat
[2011/08/19 11:11:04 | 000,000,044 | ---- | C] () -- C:\Windows\SysWow64\rp_rules.dat
[2011/08/16 14:56:36 | 000,016,432 | ---- | C] () -- C:\Windows\SysNative\lsdelete.exe
[2011/08/16 11:11:28 | 000,055,384 | ---- | C] () -- C:\Windows\SysNative\drivers\SBREDrv.sys
[2011/08/16 11:08:57 | 000,000,969 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2011/08/16 11:08:55 | 000,069,376 | ---- | C] () -- C:\Windows\SysNative\drivers\Lbd.sys
[2011/08/10 18:46:34 | 000,274,432 | ---- | C] () -- C:\Windows\SysNative\drivers\mrxsmb10.sys
[2011/08/09 16:22:51 | 000,001,072 | ---- | C] () -- C:\Users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
[2011/08/09 16:19:43 | 000,001,027 | ---- | C] () -- C:\Users\Public\Desktop\OpenOffice.org 3.3.lnk
[2010/12/15 21:24:47 | 000,000,323 | ---- | C] () -- C:\Windows\cdplayer.ini
[2010/09/15 18:23:35 | 000,000,056 | -H-- | C] () -- C:\Windows\SysWow64\ezsidmv.dat
[2010/05/31 20:35:48 | 000,000,000 | ---- | C] () -- C:\Windows\HMHud.INI
[2010/04/15 17:59:13 | 000,005,086 | ---- | C] () -- C:\ProgramData\bltofzsb.qlf
[2010/02/12 20:43:00 | 000,000,045 | ---- | C] () -- C:\Users\Rob\AppData\Local\machpro.dat
[2010/01/14 16:12:50 | 000,008,412 | ---- | C] () -- C:\Users\Rob\AppData\Local\d3d9caps64.dat
[2009/11/25 18:18:35 | 000,000,680 | ---- | C] () -- C:\Users\Rob\AppData\Local\d3d9caps.dat
[2009/11/16 23:16:04 | 000,000,621 | ---- | C] () -- C:\Windows\SysWow64\StarsPlanner-v0.04.ini
[2009/07/09 01:35:08 | 000,004,924 | ---- | C] () -- C:\ProgramData\ojvzdisj.xda
[2009/04/13 14:47:09 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/01/24 02:06:05 | 000,076,288 | ---- | C] () -- C:\Users\Rob\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/23 02:51:14 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2008/12/15 21:36:45 | 000,175,181 | ---- | C] () -- C:\ProgramData\nvModes.001
[2008/12/15 21:24:35 | 000,175,181 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2008/12/15 20:55:26 | 000,106,605 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchema.bin
[2008/12/15 20:55:26 | 000,018,904 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchemaTrivial.bin
[2008/01/20 22:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2008/01/20 22:49:49 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2006/11/02 11:37:05 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:37:14 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2006/11/02 08:24:17 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2006/11/02 08:18:17 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2006/11/02 05:47:54 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

========== Alternate Data Streams ==========

@Alternate Data Stream - 848 bytes -> C:\ProgramData\TEMP:35E5AF34
@Alternate Data Stream - 145 bytes -> C:\ProgramData\TEMP:8CEFE51A

< End of report >

OTL Extras logfile created on: 9/7/2011 6:00:22 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Users\Rob\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.99 Gb Total Physical Memory | 2.82 Gb Available Physical Memory | 70.55% Memory free
8.16 Gb Paging File | 7.22 Gb Available in Paging File | 88.50% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 288.32 Gb Total Space | 142.99 Gb Free Space | 49.59% Space Free | Partition Type: NTFS

Computer Name: ROB-PC | User Name: Rob | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-2623628525-4019330213-2971170232-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 ()
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
InternetShortcut [print] -- rundll32.exe C:\Windows\system32\mshtml.dll,PrintHTML "%1" ()
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = 9F 9E 16 8C DC 5B C8 01 [binary data]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{16848516-BECB-4E88-BB4C-C8386965DF94}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{2A5C0EE6-C2A8-4C2B-8F61-4372EED048F3}" = rport=80 | protocol=6 | dir=out | app=c:\program files (x86)\common files\intuit\update service\intuitupdater.exe |
"{44F971C7-51E9-4223-95B5-A232C4232FA1}" = lport=5432 | protocol=6 | dir=in | name=postgres |
"{C1D974A1-18DF-4E0F-9710-B0D58CBBE20D}" = rport=80 | protocol=6 | dir=out | app=c:\program files (x86)\common files\intuit\update service\intuitupdateservice.exe |
"{C6A74456-81B0-4BE2-9D01-4B5A6D86CE0F}" = lport=2869 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00EE3072-39F3-4B9D-934F-B91D9439B6DE}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{010C31E9-77BD-48CD-811A-10CCBC05AC7F}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{01168CD8-E853-43C6-8C3C-D15E1E533C68}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{01A84FFF-017B-4119-9F4D-3EBCB2FB24DD}" = protocol=6 | dir=in | app=c:\users\rob\appdata\local\google\google talk plugin\googletalkplugin.exe |
"{02846526-A669-4CD6-BBCB-2595D03069DE}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{02C3E7F3-D793-4247-A81F-1D8D9E203F0A}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{057F5094-8279-44CA-8DF7-30386342E386}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{06EE8F49-1250-4107-BFC3-DB313A3BD1D9}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{089219A2-EBEE-499C-B050-9F1F7557F475}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{0906E193-1BE0-4D25-AF3F-A8649EACE9C8}" = protocol=17 | dir=in | app=c:\program files\hp\hp deskjet 1050 j410 series\bin\usbsetup.exe |
"{0939CF44-B573-4A8D-97D4-AE9833088093}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{0B07F745-7D03-472C-A4DD-4842AD99473F}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{0C0E9A49-BB0B-4F06-A879-28A1029A25EA}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{0CD74143-5C55-4389-ABF1-5C9259349C3F}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{1377AB07-3806-479C-B297-AD6BD2E5588E}" = protocol=6 | dir=in | app=c:\program files (x86)\teamviewer\version5\teamviewer.exe |
"{14DF6930-9E60-4442-B2BE-171474691C59}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{150209DA-E1AA-4035-AF33-7C9661ABC58F}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{15915A8F-8147-46EE-9FB5-4ECFC45F35F0}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{15A616EE-15AE-4107-927E-DAAF2BA83241}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{18248DC9-27B7-4260-8920-2A74A44FE5C2}" = protocol=6 | dir=in | app=c:\users\rob\appdata\local\google\google talk plugin\googletalkplugin.exe |
"{1934F9C8-E61E-4F2A-BC76-CFBF096B5730}" = protocol=6 | dir=in | app=c:\users\rob\appdata\local\google\google talk plugin\googletalkplugin.dll |
"{19B98A85-AEC6-4762-9C51-EAB5269923AA}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{1C5FCB37-B754-48A6-9E36-2502E1F865D0}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{1D02C4BD-2957-4C39-B9EA-7694A37B3B29}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{1D18A73A-B3F9-425E-B4C7-F5BE835BB10D}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{1D9E0FA2-FAE2-4C63-8D6C-380BDDE7D0C0}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{1DAEECB5-20F4-4606-823C-AA9F5E633AF5}" = dir=in | app=c:\program files (x86)\windows live\messenger\wlcsdk.exe |
"{203C05CB-165D-4B2B-A59F-2ECD48CD84EF}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{20505064-B1B0-4BD1-B400-282DA1B9C617}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{25E3810A-0BBD-4442-A4E0-9A73669845FC}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{26916588-AAA6-4DC9-A439-A90086AB6C84}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{273F5A49-D525-4A8C-AE95-4E3679A112AC}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{28C2844D-71CD-4181-836A-43381D9A4A87}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{290C9DA2-7B01-48AF-90A9-2EDB0D5C25F6}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{29EE9E02-F8A3-4F70-8963-E4679A118CEE}" = protocol=17 | dir=in | app=c:\users\rob\appdata\local\google\google talk plugin\googletalkplugin.dll |
"{2B03258D-E766-4424-AC39-BA9611693C22}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{2C067AB6-7AC9-4CAD-8C45-603262DCDEAA}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{2CA34977-C392-44B3-8F20-E2EA60734034}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{2D4A790F-1E8E-420E-85EA-C58778D237B8}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{2F9F3451-903E-48ED-AC2F-87B8E891831B}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{2FA74EF9-E630-4008-8497-4408048709AB}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{3196EC94-A051-4D7F-9F0D-044CF0D835C8}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{321F73F5-0823-40D0-BD83-63E085EFB915}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{32CAD6E7-419E-48F9-B0D2-80B708F69397}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{3499491D-1890-438D-A901-DD05FB38F2CC}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{372D4805-DC5E-48CC-A8A5-DF0AB800B6AC}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{3E2E6C91-9A67-4057-8E6E-A445E045F51B}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{4038F709-7FE0-4F5F-9D12-67388868A7CB}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{4081EE65-1D42-4469-AD83-658F52030954}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{451A7600-69C5-4A94-A6DF-3F97C5AB141B}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{46BB031A-CF4E-460F-927E-345CB0D5AA70}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
"{49DE9E62-9C2E-493C-93A0-655654D49F45}" = protocol=17 | dir=in | app=c:\users\rob\appdata\local\google\google talk plugin\googletalkplugin.exe |
"{49E10DCE-FB1E-4D91-BDA3-6EAD09A9F26E}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{4B4F9E29-73F4-43C6-82B6-3F3DBC16D986}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{547BD110-2BD2-43FE-9385-F972B1E1971F}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{563537A7-870A-4136-A8A8-DE32F5FA996E}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{57115A54-ADF2-4CDF-8E81-84A1E9944BE1}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{57D17E48-FCAB-4686-8E3B-E2E4FDE6C07C}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{5D7438E5-80A6-4097-9493-D66F78AD32AF}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{5E5144C9-0721-4730-BDC7-507E884C6F58}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{5EDE2AE1-B653-41FE-B57E-14584C36DDA9}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{61347E70-4468-4750-85EF-C4B79331D905}" = protocol=17 | dir=in | app=c:\users\rob\appdata\local\google\google talk plugin\googletalkplugin.exe |
"{637157EE-9605-459A-94D0-0C12809244C1}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{6527398A-A1B3-48AA-A221-497A8A5880B7}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{67F5964A-DB94-4B72-A829-ADE46EAE06C9}" = protocol=6 | dir=in | app=c:\program files\hp\hp deskjet 1050 j410 series\bin\usbsetup.exe |
"{6B5DE23D-13C6-46EF-8F7A-276CF8CBC981}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{6BD4C9B8-564E-4FAB-8C18-DC6008E7DD49}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{6CDA6D61-1E8B-4DA9-89D0-59998D3CEFD2}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{6FA38262-D653-4ED5-9450-BD42956B7104}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
"{78A553AD-A4DC-4115-942E-DE7C56FF03B1}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{7AC9BD19-2EA4-4FFE-9B29-808A7DD71BE1}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{835F5A40-F9D8-4339-AF1C-6135C1FE6B92}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{8449D0DA-A8B6-4438-B82D-74B1E6B883F1}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{8904951B-798A-46E9-B7DA-2E384BF59255}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{8A967F7D-20F6-4E0D-B60E-7A5DBD1A24CC}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{8C08AD18-94BD-43C7-9460-BFB3E09EF78E}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{8DD3DF39-218F-4AE2-8865-F8FDC89B95CF}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{93FFF019-6957-4559-879C-3BF338DBD7EB}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{9599296E-50D6-4C8D-85EC-2FC459A088FA}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{95FE1E6F-7C6A-43A3-B6B1-D726BA054349}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{98AF1B13-47D7-4C52-8923-FE2A168540D4}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{9A6D85BC-E4B9-4EE1-B56F-1EDE93698CE2}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{9CDB83F6-1319-4AF1-B7B2-AD9DC60282B4}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{A2AFB2A0-4314-4B34-ADD5-50B95F8BC3F1}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{A2EA221F-3098-4CB0-AB9D-1629C8F95C3D}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{A2FF2EBF-3F7F-4562-B26B-D595E4449708}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{A3C22B60-29BA-46C7-B471-A5F6B5763412}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{A69F1223-B861-4479-80F7-6473B6689CA3}" = protocol=6 | dir=in | app=c:\program files (x86)\teamviewer\version5\teamviewer_service.exe |
"{A72C49C5-B12E-4575-AC90-10B4549B945D}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{A8A29C1E-1598-442F-8140-442276BAADFB}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{A8BCAF7E-7853-43AF-9031-476D213D4358}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{ABDCDFD5-C7C4-44B2-9750-ECD6D094E3E3}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{ADD307D7-94EE-48AF-8586-37BB62E993D6}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{B3BA6E49-9A93-4AE6-836D-85B80209F527}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{B4BD9969-D826-4F40-BF90-6C521842E98F}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{B5D7EF87-F2C8-46B0-A60A-81D60246C290}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{B7ED8580-1F84-4FFE-9A2D-7787A3934284}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{B8145186-1407-4FB3-ABF6-BEDF6B3C0767}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{B8FB97C4-C5D7-404A-B393-14BB5957A6AA}" = protocol=17 | dir=in | app=c:\program files (x86)\teamviewer\version5\teamviewer_service.exe |
"{B96D62C0-A6D0-4D2F-84C0-90CDA69E1EF2}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{B994CE97-314E-406C-AF33-902B8487454F}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{BB3B722D-247D-40BD-B322-60844DDE130F}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{BCF929EA-38EB-4162-8BC8-83DFE5B69B5B}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{BD19609C-5B38-4C0F-958F-4C3C129979CB}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{BDFCA283-10EF-4BE4-960A-C0CE737A6149}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{BE11102D-829F-484C-859B-38FF62661940}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{BED01AB4-47C3-479F-A052-9CA2CED0C6B0}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{C26B4A66-B80D-4EBD-B0EC-52EA0A9B5AFF}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{C38FADCC-254E-4539-B2B5-ED4290838A49}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{C4AA65E7-89CA-4DEF-B9A4-2E0DF06B2A4E}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{C657AF85-9B3D-45B7-AC5F-B2DC38468B48}" = dir=in | app=c:\program files (x86)\skype\plugin manager\skypepm.exe |
"{C686E3B6-24D2-47EB-B81D-E71F2DDCD264}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{C8A78BA0-0375-4B58-A308-9CAF22285761}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{CAAAC66E-A425-4C5C-8240-AF0AC596C005}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{CB82D605-8940-4C3D-BEDE-4B19210FF9EE}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{CFB2E4FE-4BEC-4DF9-8EA1-2ED00A099C28}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{CFB3406A-F4E8-4635-815D-2FD34CF3A1A5}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{D14BCEF0-41E9-4B98-9EFF-9C128D1EDC7B}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe |
"{D1BEA8FD-B5B5-41B1-9EA1-0D59F8A0036C}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{D282EE16-95FA-4BA4-93C7-AAC6BAE9B09A}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{D291B165-B5F4-40CF-8513-692F5EF06935}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{D477C482-6E91-42E5-A310-7E78029831C0}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{D7B162E8-432E-48A0-B02F-61F2D559FF84}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{DC8569A2-D2BC-4758-901B-85616F4F35A9}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{DCA24BC5-0A25-414B-A96A-90A3249EDB09}" = protocol=17 | dir=in | app=c:\program files (x86)\teamviewer\version5\teamviewer.exe |
"{DFC4571B-8CE6-4DC8-9AF1-651C451FCB9E}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{E12DD154-FE93-4EE0-9F02-B6327A3C5218}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{E60EF06F-84C3-44A2-8FD7-AD2D3936B0D3}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{EA2E6F99-1775-4B2E-A418-2B948C6495BC}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{ED63535D-2DAF-4547-A37A-ED73B2B05421}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{ED96F452-7094-425C-91CE-22C7DFE29A8A}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{F0413839-FF9B-4CEE-BABC-DF34889D7A89}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{F566203E-EBD6-4DD7-B961-D654D67B4314}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{F5761796-0F4B-4FD2-B259-303B9E59CC30}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{F6409813-27C7-420F-BE9E-0988E6587731}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{F7CC2E56-D0A1-40C5-A07A-90B7AF9E5A45}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{F88CCF6B-2052-4944-A3A8-9E355232A3CA}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{FA737B76-D0B9-4DA6-A2EB-74A824F48B31}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{FA9C60A2-E1EE-451F-9036-85D2284873DE}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
"{FAEF6C89-EA2A-4146-977B-BBCE5A0905FB}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{FB8FCCDD-24C6-43C7-8B77-8440EE1BC54D}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{FBA2F71D-E9C0-4C73-92DE-FD863874D058}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"TCP Query User{C0D84329-80FA-4A9B-A9D8-74F032CBA2C0}C:\program files (x86)\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files (x86)\mozilla firefox\firefox.exe |
"UDP Query User{0D47221E-56C0-4CEA-B101-AD738CCF5096}C:\program files (x86)\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files (x86)\mozilla firefox\firefox.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{33EB1061-ABF1-4470-A540-32E97A610536}" = Apple Mobile Device Support
"{4268BF51-DFDF-4178-8B8D-5D5752FCAA58}" = HP Deskjet 1050 J410 series Basic Device Software
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{5254156F-AA77-499A-B7C1-D5581D44E788}" = Marvell Miniport Driver
"{5F02C14D-A630-4771-8409-0BA89FCCA8D6}" = iTunes
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{8338783A-0968-3B85-AFC7-BAAE0A63DC50}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}" = Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{B91110FB-33B4-468B-90C2-4D5E8AE3FAE1}" = Bonjour
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2A0CBEE-8949-474E-9D2B-539726D20531}" = Microsoft IntelliPoint 6.3
"{E3015C78-C196-4039-A279-9959940083DE}" = O2Micro Flash Memory Card Reader Driver (x64)
"{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"NVIDIA Drivers" = NVIDIA Drivers
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WinRAR archiver" = WinRAR 4.01 (64-bit)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{021C4C4F-C93C-4425-BFFD-C2D16776BFAE}" = Visual C++ 8.0 Runtime Setup Package (x64)
"{03DF638A-D61C-4893-B8B9-845900C03163}" = TurboTax 2010 wnyiper
"{052B4734-CD9B-468F-B25D-D1E136B2C95A}" = Ad-Aware
"{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport
"{0B82D6C6-9ECC-4710-97AB-5CE482E72852}_is1" = TableScan Turbo v0.40c (BETA)
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java™ 6 Update 22
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java™ 6 Update 23
"{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset
"{39098402-3F7A-4257-A4AE-FC1181D1B40B}" = Camera Assistant Software for Gateway
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper
"{5049FE6D-46A4-4BA4-B9A9-6406AFAAB60D}" = TableNinja
"{5C90D8CF-F12A-41C6-9007-3B651A1F0D78}" = HP Deskjet 1050 J410 series Help
"{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}" = Microsoft Money Shared Libraries
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D0C6BE4-F674-43D2-96BC-3509345108C9}_is1" = PokerStove version 1.23
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = Gateway Recovery Management
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002A-0000-1000-0000000FF1CE}_HOMESTUDENTR_{E64BA721-2310-4B55-BE5A-2925F9706192}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002A-0409-1000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0116-0409-1000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A89DEBCA-F743-3412-97F6-B2E489194551}" = Google Talk Plugin
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{B823632F-3B72-4514-8861-B961CE263224}" = PostgreSQL 8.3
"{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint
"{CA19AEA3-B949-41DA-AFBA-692356230F6E}" = TurboTax 2010 wnjiper
"{CDEC7286-5D39-4910-9D9D-245CE01BF4EE}" = StoxEV
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D4AFC7AD-F637-4EDD-BC76-767E4AF78CE1}" = OverDrive Media Console
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{EB900AF8-CC61-4E15-871B-98D1EA3E8025}" = QuickTime
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AutoHotkey" = AutoHotkey 1.0.47.06
"avast" = avast! Free Antivirus
"Catan Online Welt" = Catan Online World
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ESET Online Scanner" = ESET Online Scanner v3
"HoldemManager" = Holdem Manager
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"Internet Scrabble Club_is1" = WordBiz version 1.8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Mikogo" = Mikogo
"Money2007b" = Microsoft Money Essentials
"Mozilla Firefox 6.0.1 (x86 en-US)" = Mozilla Firefox 6.0.1 (x86 en-US)
"Notepad++" = Notepad++
"PokerTracker3" = PokerTracker 3 (remove only)
"PostgreSQL 8.4" = PostgreSQL 8.4
"Rhapsody" = Rhapsody
"Savings Bond Wizard" = Savings Bond Wizard
"SitNGoWizard" = SitNGo Wizard
"SnG Power Tools_is1" = SnG Power Tools v1.24
"TeamViewer 5" = TeamViewer 5
"TurboTax 2010" = TurboTax 2010
"WildTangent gateway Master Uninstall" = Gateway Games
"WinGimp-2.0_is1" = GIMP 2.6.11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR 4.01 (32-bit)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2623628525-4019330213-2971170232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/10/2011 8:12:43 PM | Computer Name = Rob-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 13284780

Error - 5/10/2011 8:12:43 PM | Computer Name = Rob-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 13284780

Error - 5/10/2011 8:12:44 PM | Computer Name = Rob-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 5/10/2011 8:12:44 PM | Computer Name = Rob-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 13287120

Error - 5/10/2011 8:12:44 PM | Computer Name = Rob-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 13287120

Error - 5/10/2011 8:12:45 PM | Computer Name = Rob-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 5/10/2011 8:12:45 PM | Computer Name = Rob-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 13288181

Error - 5/10/2011 8:12:45 PM | Computer Name = Rob-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 13288181

Error - 5/10/2011 8:12:46 PM | Computer Name = Rob-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 5/10/2011 8:12:46 PM | Computer Name = Rob-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 13289397

[ SitNGoWizard Events ]
Error - 5/30/2010 8:08:36 AM | Computer Name = Rob-PC | Source = SitNGoWizard | ID = 1
Description = Invoke or BeginInvoke cannot be called on a control until the window
handle has been created.

[ System Events ]
Error - 9/7/2011 5:40:32 PM | Computer Name = Rob-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 9/7/2011 5:40:32 PM | Computer Name = Rob-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/7/2011 5:40:32 PM | Computer Name = Rob-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 9/7/2011 5:40:32 PM | Computer Name = Rob-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 9/7/2011 5:41:10 PM | Computer Name = Rob-PC | Source = DCOM | ID = 10005
Description =

Error - 9/7/2011 5:41:21 PM | Computer Name = Rob-PC | Source = DCOM | ID = 10005
Description =

Error - 9/7/2011 5:41:23 PM | Computer Name = Rob-PC | Source = DCOM | ID = 10005
Description =

Error - 9/7/2011 5:41:27 PM | Computer Name = Rob-PC | Source = DCOM | ID = 10005
Description =

Error - 9/7/2011 5:41:29 PM | Computer Name = Rob-PC | Source = DCOM | ID = 10005
Description =

Error - 9/7/2011 5:59:15 PM | Computer Name = Rob-PC | Source = DCOM | ID = 10005
Description =


< End of report >

#5 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:51 PM

Posted 08 September 2011 - 12:38 PM

Hi,

:step1: Please visit the online Jotti Virus Scanner Posted Image<--link
  • Browse to the following filepath:

    C:\Users\Rob\Desktop\MBR.dat
  • Click on the Posted Image button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

:step2: Download and run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are prompted to install the Recovery Console, then please do so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If you have trouble running ComboFix, then please rename ComboFix.exe to Caseyboy.exe and re-run.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#6 mdntokr

mdntokr
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:51 PM

Posted 08 September 2011 - 05:04 PM

Hi. I'm pasting the results to Jotti's malware scan first (I didn't see a window labeled "results box" but I'm pretty sure this is what you want). After that I'm pasting log.txt from ComboFix. Let me know if there's anything wrong with the ComboFix log. I'm not sure why, but after it was running for a while, maybe 20-30 min (maybe a little longer), my computer restarted. I then restarted again into safe mode, and ComboFix automatically opened up again and said something along the lines of "creating scan log". I'm not sure if this negatively effected the ComboFix scan. Just let me know if I need to run it again.

Oh and another thing I almost forgot. When I first tried to run ComboFix I got a pop up box telling me that I had Ad-Aware Ad Watch Live running. I then checked the program (Lavasoft Ad-Aware) and it said that Ad Watch Live was off. I decided to try and just delete Ad-Aware for the time being, but it wouldn't uninstall when I tried to run the uninstall program file (maybe because I'm in Safe Mode with Networking). I wound up just deleting the whole Lavasoft Ad-Aware File from my Program Files folder . . . but even after restarting in Safe Mode, Ad Aware still showed up on the bottom right of the screen (I think that's called the system tray). I decided to try to run ComboFix again, and did not receive the notification about Ad-Aware Live again . . . but I just wanted to make you aware of it . . . in case I messed something up. I'm new to all of this, so I'm really sorry if I made anything harder for you. Thanks again for all of your time.

Filename: MBR.dat
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Thu 8 Sep 2011 20:49:28 (CET) Permalink

ComboFix 11-09-08.03 - Rob 09/08/2011 17:19:59.2.2 - x64 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4090.3214 [GMT -4:00]
Running from: c:\users\Rob\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Public\Desktop\Security Protection.lnk
c:\users\Rob\AppData\Roaming\3M
c:\users\Rob\AppData\Roaming\3M\PDNotes\patch.exe
c:\users\Rob\AppData\Roaming\3M\PDNotes\PDNDB
c:\users\Rob\AppData\Roaming\3M\PDNotes\PDNDB4_4_0028
c:\users\Rob\AppData\Roaming\3M\PDNotes\Subscriptions.config
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2011-08-08 to 2011-09-08 )))))))))))))))))))))))))))))))
.
.
2011-09-08 21:31 . 2011-09-08 21:36 -------- d-----w- c:\users\Rob\AppData\Local\temp
2011-09-08 21:31 . 2011-09-08 21:31 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-09-08 21:31 . 2011-09-08 21:31 -------- d-----w- c:\users\postgres\AppData\Local\temp
2011-09-08 21:31 . 2011-09-08 21:31 -------- d-----w- c:\users\postgres.Rob-PC\AppData\Local\temp
2011-09-08 21:31 . 2011-09-08 21:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-16 18:56 . 2011-08-16 15:11 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-08-16 15:11 . 2011-08-16 15:11 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-16 15:08 . 2011-07-21 18:59 69376 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-08-14 16:06 . 2011-08-23 05:21 -------- d-----w- c:\users\Rob\AppData\Roaming\gtk-2.0
2011-08-14 16:06 . 2011-08-14 16:06 -------- d-----w- c:\users\Rob\.thumbnails
2011-08-12 21:18 . 2011-08-23 05:48 -------- d-----w- c:\users\Rob\.gimp-2.6
2011-08-12 21:17 . 2011-08-12 21:17 -------- d-----w- c:\program files (x86)\GIMP-2.0
2011-08-10 22:46 . 2011-07-06 15:18 274432 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 23:52 . 2010-12-08 22:20 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-12-08 22:20 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-04 11:43 . 2010-09-17 02:07 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:43 . 2010-09-17 02:07 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-07-04 11:43 . 2011-08-05 16:11 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-04 11:36 . 2011-08-05 16:11 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-04 11:36 . 2010-09-17 02:08 288088 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-04 11:35 . 2010-09-17 02:08 45400 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-04 11:32 . 2010-09-17 02:08 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-04 11:32 . 2010-09-17 02:08 64856 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-07-04 11:32 . 2010-09-17 02:08 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2008-03-29 638976]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 ETService;Empowering Technology Service;c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-06-11 24576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-14 135664]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
R2 postgresql-8.4;PostgreSQL Server 8.4;C:/Program Files (x86)/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 -D C:/Program Files (x86)/PostgreSQL/8.4/data -w [x]
R2 TeamViewer5;TeamViewer 5;c:\program files (x86)\TeamViewer\Version5\TeamViewer_Service.exe [2010-09-24 1960744]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx64coinst,serviceStartProc [x]
R3 B-Service;B-Service;c:\users\Rob\AppData\Roaming\Mikogo\B-Service.exe [2010-10-25 185640]
R3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-14 135664]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2011-08-16 17152]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [x]
R3 WisINT15;WisINT15;c:\windows\System32\OEM\factory\WisINT15.SYS [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-09-02 2152152]
S3 NETw5v64;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit ;c:\windows\system32\DRIVERS\NETw5v64.sys [x]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2mdx64.sys [x]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sdx64.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 07:40]
.
2011-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-14 06:17]
.
2011-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-14 06:17]
.
2011-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2623628525-4019330213-2971170232-1000Core.job
- c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-09 19:09]
.
2011-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2623628525-4019330213-2971170232-1000UA.job
- c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-09 19:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1220392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-17 15880736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-17 82464]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 2206280]
"combofix"="c:\combofix\CF6258.3XE" [2008-01-21 363008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"combofix"="c:\combofix\CF6258.3XE" [2008-01-21 363008]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp64&d=1208&m=p-7805u&c=BB
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp64&d=1208&m=p-7805u&c=BB
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Rob\AppData\Roaming\Mozilla\Firefox\Profiles\ayxlhdyq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\postgresql-8.4]
"ImagePath"="C:/Program Files (x86)/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files (x86)/PostgreSQL/8.4/data\" -w"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\postgresql-8.4]
"ImagePath"="C:/Program Files (x86)/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files (x86)/PostgreSQL/8.4/data\" -w"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@SACL=
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash.9"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
@Denied: (A 2) (Everyone)
@SACL=
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9f.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
@SACL=
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9f.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@SACL=
@="IFlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@SACL=
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@SACL=
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@SACL=
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@SACL=
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Lavasoft\Ad-Aware\AWSC.exe
c:\program files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2011-09-08 17:42:29 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-08 21:42
ComboFix2.txt 2010-12-09 20:17
.
Pre-Run: 153,876,697,088 bytes free
Post-Run: 153,753,976,832 bytes free
.
- - End Of File - - 948529242A90C6B1A35D320FE67137A5

#7 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:51 PM

Posted 09 September 2011 - 02:45 PM

Hi again,

:exclame: Backdoor Trojan warning (ZeroAccess Rootkit)

I hate to give you bad news, but one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community (myself included) believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards unless you reformat and reinstall. Let me know what you decide to do.

Casey

Edited by Casey_boy, 09 September 2011 - 02:46 PM.

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#8 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:51 PM

Posted 12 September 2011 - 07:52 AM

Hi,

This is a 3 day bump.

Hopefully you're still with us but please be aware that if there is no reply within two days, then this topic will be closed as stale.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#9 mdntokr

mdntokr
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:51 PM

Posted 12 September 2011 - 08:55 PM

Hey, sorry for taking so long to get back to you . . . I guess I'm just processing the bad news. I've been pretty busy, but I guess my only real option is to start from scratch and reinstall everything. A few quick questions. As long as I'm not connected to the internet, is it safe for me to get some files off of the computer (such as my resume which is a Word document), then put them back when I reformat the computer? Is there a chance that this virus could have infected healthy Word files?

Also, I've been keeping an eye on all my banks/credit card accounts. If this happened to you, how far would you go as far as contacting financial institutions? I don't think that I have a ton of financial info saved on my computer, but I can't be 100% sure. I mean I pay bills online, so I input credit card info into websites pretty often, but I don't know if that could be compromised. I guess I'm a little overwhelmed as to how far I should go with any safety precautions.

Thanks so much for all of your help.

#10 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:51 PM

Posted 13 September 2011 - 07:53 AM

Hi,

No problem, I understand :)

is it safe for me to get some files off of the computer (such as my resume which is a Word document), then put them back when I reformat the computer? Is there a chance that this virus could have infected healthy Word files?


This isn't a file infector, so it shouldn't have infected your personal files. However, you can often transfer viruses from one PC to another (accidentally). The best way to stop that is:

On a clean PC

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

You can now use this USB drive to transfer files from your infected PC to a clean (or reformatted) PC.

If this happened to you, how far would you go as far as contacting financial institutions? I don't think that I have a ton of financial info saved on my computer, but I can't be 100% sure.


When on a clean PC (or reformmated) simply change your passwords - doing so will render any previous stolen passwords useless. I would probably only contact the institutions if you noticed something wrong in your statements etc. To be extra safe, and if it were not too much hassle, then I might consider ordering new cards (i.e. debit/credit cards).

Casey

Edited by Casey_boy, 13 September 2011 - 07:54 AM.
spelling

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#11 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:51 PM

Posted 16 September 2011 - 08:01 AM

Hi,

This is a 3 day bump.

Hopefully you're still with us but please be aware that if there is no reply within two days, then this topic will be closed as stale.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#12 mdntokr

mdntokr
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:51 PM

Posted 16 September 2011 - 10:31 AM

I'm going to reformat, reinstall everything on my computer. I'll probably save some of my important files onto an external hard drive. Then when I go to put those files back on my computer, I'll use the file disinfecter before I actually put any of the files back on my computer. I'm going out of town for the weekend, so I'll have to do all of this next week or the week after. Thanks so much for your help. I think we're all set . . . if you have any words of wisdom to leave me with, please do, but if not I think we can close the thread. Thanks again.

One last thing . . . if I click on the link to this thread sometime next week, will it still be here. I'll just want to come back and link to the disinfector and some other things. Thanks.

#13 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:51 PM

Posted 16 September 2011 - 10:34 AM

Hi,

Make sure you do the disinfector before you copy the files from your infected PC to your hard drive (not after).

Yes, the link will still work - it'll just be closed :)

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#14 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:51 PM

Posted 16 September 2011 - 10:34 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users